alixaxel / arrestdb Goto Github PK

Add functionality to protect against Cross Site Request Forgery attacks.

http://code.tutsplus.com/tutorials/protect-a-codeigniter-application-against-csrf--net-19644

Hello @alixaxel I guess you take my doubt of please.

i've tested from the oldest to the newest files with you code. And congratulation. It was just what I need! I can connect with mysql perfectly! But when I will connect with postgresql database it returns null :( I tryed to request to get some responses for example not found, bad requests and it was ok! But when I put the correct forms, i've received null! Nothing appears at the GET response.

I've tryied with the new commits from @aweiand here #1 and it changes anythings. My problem is that the json data returning as response, simply cant appears!

Please, Can you help me?!

Best Regards, Atenciosamente,
Rogério Cassares Pires

Cannot GET on multiple criteria.

trying to understand what is going on..
i guess a lot of the PDO work happens in
457 if ($result[$hash]->execute($data) === true)

could there be a HTTP parameter so we can see (debug mode) what exact query is intended to be executed?

i am trying to hack into this to make it compatible with CouchDB REST and i am not as good at coding as you are..

Hello,

Thanks for this amazing fork on ArrestMySQL !
I wanted to try it out with a SQLite3 database but I am still having a error : '503 : Service Unavailable'.

Here is my variable dsn :
$dsn = 'sqlite://./var/www/ratp.db';

I tried every possiblity like :
$dsn = 'sqlite:///var/www/ratp.db';
$dsn = 'sqlite:/var/www/ratp.db';
$dsn = 'slite:ratp.db';

Nothing seems to be working :(

I'm using Restangular together with ArrestDB, how ArrestDB interprets this angular method or does it?

// Just ONE GET to /accounts/123/buildings/456
Restangular.one('accounts', 123).one('buildings', 456).get()

In your documentation you only accept, (R)ead > GET /table[/column/content].

Thanks

Right now, it's not possible, because preg_match here:

• https://github.com/alixaxel/ArrestDB/blob/master/index.php#L491

won't allow "-" in db name.

hi.
great project.
I saw that there's a restrict access by ip. I'm working with heroku and its free dynamic ip (every update pushed to heroku restart the server and assigned with a new dynamic ip).

So, i'de like to know if there's a chance to add a restriction by url (or uri) or by a developer key that will be supplied (similar to using a known api like tweeter/youtube/facebook).

thanks.

I'm getting 409 when trying to put a new record, or update existing records. Dumping the insert query shows '?'s in the query. Are these not getting replaced later on?

This is very useful for pagination and other REST-full interfaces implement it.

I have just created: https://github.com/ctzurcanu/ArrestGrid as a complement to ArrestDB. It needs total no of recs for pagination :)
alpha demo:
http://dataverse.ro/alpha3/

Hi,

I keep getting this "400 - Bad Request" error, in spite of keeping the index.php and test.db in the same folder.

My URL format: http://xyz.net/apps/ArrestDB/std

• Where 'std' is the table in the same database "test.db"

It works fine in local WAMP server, but it is not working after hosting it in Linux/Cpanel. I appreciate your help.

• Thanks

I would like to add a $tables array with allowed tables and a possible $table_prefix in the code.

Suggested approach:

• add $tables array and $table_prefix variable after the $dsn variable
• add static function Allowed in ArrestDB class which checks if a certain table is available in the $tables array and otherwise exits with a 403 (just like for the $clients array)
• add '$table = $table_prefix.$table; ArrestDB::Allowed($table);' to each ArrestDB::Serve function implementation

Can I add it and is this the right approach?

Recently i was trying to configure your plugin with my local database which was having password as blank. Your reg-expression was not able to work without password. So i need to tweak the code to make project running.

ArrestDB is giving the error message "Service Unavailable" and I can't figure out what I might be doing wrong.

My config:
PHP 5.5 on LAMP (Ubuntu)
PDO enabled
$dsn = 'mysql://root:vertrigo@]localhost:443/viewfind/';
.htaccess just as presented in the example, in arrestDB directory
I can see the db (viewfind) and table (stories) using a mysql client with same credentials

trying a simple get:
http://localhost/php/arrestDB/stories/

I get:
{
"error": {
"code": 503,
"status": "Service Unavailable"
}
}

I would appreciate any help in troubleshooting. Thanks!

First off I absolutely love this. I haven't been able to find anything like it, says so much time making my backend api. with backbone my put request are being sent perfectly fine, though I keep getting conflict error. Other methods works fine with the backbone models, but saving a model that updates the backend, it where it goes wrong, the query string for mysql has all the data but my values, just abunch of question marks. (Do these get replaced before executing the query)

Hi,

I am trying to hook ArrestDB to postgresql 9.1. I put the correct DSN and have the rewriting set up, but when doing any requests I get error 400. What could be wrong?

Would something like this be easily implemented?
For both SQlite and MySQL databases.

GET http://api.example.com/columns/ => report an array of column names?

columns would then serve as a keyword, not the table name

Hello AlixAxel,

Thank you for this tool - it is exactly what I need and I truly appreciate the work you've put into it.

I read from your docs that Apache is optional, so I'm choosing to use iis 8 and that seems to be working. I'm getting a consistent 503 on connection attempts though. I have verified with other tools that the mysql db is accessible, and tried all obvious variations including ip addresses, servername, no port, test db, verified user/pass etc ... no luck.

Login sample is :
$dsn = 'mysql://dbusername:dbpassword@localhost/dbname/;';
$clients = array
(
);

Any suggestions as to where I'm going wrong?
Thanks Again - Paul.

I sugest to support UUID in the format 1854a179-9f10-11e4-8072-000c297121a8 as id values.

you may test at:

http://dataverse.ro/db2/index.php/table1/

eg:
PUT http://dataverse.ro/db2/index.php/table1/2
x-www-form-urlencoded id=2 description='something'

this is the latest ArrestDB from trunk

http://'+location.hostname+'/ArrestDB-master/Orders/115528/

The orderID is dynamic and so we can't hardcode it. Can we call the resource like this ? please let me know

var formServicesModule = angular.module('formServicesModule',['ngResource']);

formServicesModule.factory('getFormResourceSvc', ['$resource',
function($resource){
return {
getformData: $resource('http://'+location.hostname+'/ArrestDB-master/Orders/')
};
}
]);
getFormResourceSvc.getformData.get({kp_OrderID:$stateParams.orderID},function(response) {
console.info(response);
$scope.formData = response[0];

Olá,

Tive alguns problemas com a base postgre, para os quais fiz as seguintes alterações para que funcionasse sem problemas:

Alterações para aperfeiçoamento do postgre:

• Adicionado teste de "is_numeric($data)" na linha 72 para poder trabalhar melhor com colunas que sejam inteiras e não utilizar "LIKE" no "WHERE"
• Removidas as aspas "´" e "`" para funcionamento correto
• Suprimida a opção "PDO::ATTR_AUTOCOMMIT => true" na linha 573 para correção de bug na conexão do PDO

As alterações que efetuei:

• Adicionado teste de tipo para verificar se for inteiro e poder utilizar campos com nomes diferentes de id no get, sem prejuízos a consulta no postgresql
  if (is_numeric($data))
  $query[] = sprintf('WHERE %s = ?', $id);
  else
  $query[] = sprintf('WHERE %s LIKE ?', $id);
• Bug na Classe/Driver que não permite trocar o tipo de autocommit
  $options += array
  (
  \PDO::ATTR_AUTOCOMMIT => true,
  );

First of all: this lib is very important in that it could level the ground for pluging other databases into an app (think easy commutation to CouchDB) or exposing the DB to Mobile App more easily.

Now: I have put the index.php locally at say http://localhost/folder/db/ and changed the $dsn to what it needs.

I have tried:
http://localhost/folder/db/
response:
{
"error": {
"code": 400,
"status": "Bad Request"
}
}

http://localhost/folder/db/
response:
Error 404

Then put in the "db" directory an .htaccess from https://github.com/gilbitron/Arrest-MySQL/blob/master/.htaccess

did not solve the issue.

solutions?

@alixaxel
thank you for sharing this service.
but I always get 503 error "Service Unavailable"

my $dsn variable can't pass this preg_match()
'~^(mysql|pgsql)://(?:(.+?)(?::(.+?))?@)?([^/:@]++)(?::(\d++))?/(\w++)/?$~i'

my $dsn = 'mysql://[malo[:123456]@]localhost[:8080]/test/';

I'm sorry this sounds sooo rocky!!

I even tried the defualt dsn 'mysql://[user[:pass]@]host[:port]/db/'; written in the documents
I tried it @ http://www.phpliveregex.com/ but still can't make it work.

thank you in advance.

I would like to see if it is possible to integrate this into a PHP framework I am using. Is it possible to change the code to look at $_GET params (http://localhost/api/?tbl=person&id=11309)? If so, what would I need to change to make it work?

Hi,

Can you please help me resolve 503 Service Unavailable error when I hosted it a domain:
http://xyz.net/apps/ArrestDB//

None of these Sqlite Path didn't work in index.php:
$dsn = 'sqlite://./test.db'
$dsn = 'sqlite://./public_html/apps/ArrestDB/test.db.db'
$dsn = 'sqlite:///home/user/public_html/apps/ArrestDB/test.db.db'

Empty client:
$clients = [];

All other files in that folder has full(755,777) permissions.

We are trying hard from last two weeks to configure ArrestDB with Postgresql on Nginx server. We get following error:

{
"error": {
"code": 400,
"status": "Bad Request"
}
}

while requesting like: http://serverip/ArrestDB/index.php/users

Note: We have successfully deployed this API with Postgresql on Apache server.

Currently a successful POST is returning: {success: {code: 201, status: "Created"}}

Is it possible for the ID to be returned also, so I can use it right away?

I did this: simon-lang@58ee661

But not sure if it's a good idea, so have not submitted as a pull request. (disclaimer: totally untested on tables that do not have an id column or auto-increment id)

• LINE 44
  • sprintf('WHERE "%s" %s ?', $id, (ctype_digit($data) === true) ? '=' : 'LIKE'),

ctype_digit is checking if string = only digits
if true it get a equal otherwise a LIKE

• situation
  • tbl_name, col_name and entry = 00001-Name

so i do a request for 00001

• expected
  • SELECT * FROM tbl_name WHERE col_name LIKE '%00001%'
  • result: 1
• get
  • SELECT * FROM tbl_name WHERE col_name = '00001'
  • result: 0
• database type
  • mysql

perhaps you should change the /(#any)/(#any)/(#any) on #Line 39 to /(#any)/(#any)/(#operator)/(#any)

Hi,

Is there any solution to get multiple records for GET? May like /table/id/(3,4) or /gapp/id[3,4] ?

This is another common use case and would be great if you can implement it.

• Thanks

Hi,

Just to let you know we did that: https://github.com/Headoo/arrest-pdo

Have a nice day.

I think you shouldn't restrict the type of field you use as the unique identifier for a resource. I would replace all #num by #any.

Hello,

could it be possible to implement taking NULL or NOT NULL parameter for GET query in api ?

For example :

GET http://api.example.com/customers/country/NOT_NULL may return customers with entry "country" not null in database ;
GET http://api.example.com/customers/country/NULL may return customers with entry "country" null in database.

It's for example, the NOT NULL / NULL parameter can be passed in an other way but it is the idea.

This is a very good project, but frankly I just lost hours because you're hiding exceptions, line 577.
Print down exceptions, find a way to log them... Easier to diagnose drivers and database errors !

Hi there! Great Project!

I have a question regarding how to disable the blocking of CORS requests.
I know that I can do someting like this which helps for all GET requests:
php header("Access-Control-Allow-Origin: *");
But I think there is a better option to do so which also includes POST requests?

Thank you in advance for any advice!

You shout add the HTTP_CONTENT_TYPE.
here:
if (((array_key_exists('CONTENT_TYPE', $_SERVER) === true)||(array_key_exists('HTTP_CONTENT_TYPE', $_SERVER) === true)) && (empty($data) !== true))
{
if ((strncasecmp($_SERVER['CONTENT_TYPE'], 'application/json', 16) === 0)||(strncasecmp($_SERVER['HTTP_CONTENT_TYPE'], 'application/json', 16) === 0))

I couldn't push the changes.

Hi,
in your example output, it seems that numeric fields (creditLimit and salesRepEmployeeNumber) is exported as text fields:

[
{
    "id": "114",
    "customerName": "Australian Collectors, Co.",
    "contactLastName": "Ferguson",
    "contactFirstName": "Peter",
    "phone": "123456",
    "addressLine1": "636 St Kilda Road",
    "addressLine2": "Level 3",
    "city": "Melbourne",
    "state": "Victoria",
    "postalCode": "3004",
    "country": "Australia",
    "salesRepEmployeeNumber": "1611",
    "creditLimit": "117300"
},
...

]

It should be (without double quotes):

[
{
    "id": "114",
    "customerName": "Australian Collectors, Co.",
    "contactLastName": "Ferguson",
    "contactFirstName": "Peter",
    "phone": "123456",
    "addressLine1": "636 St Kilda Road",
    "addressLine2": "Level 3",
    "city": "Melbourne",
    "state": "Victoria",
    "postalCode": "3004",
    "country": "Australia",
    "salesRepEmployeeNumber": 1611,
    "creditLimit": 117300
},
...

]

Am I wrong? I have the some result with sqlite db of mine with all numeric fields.

Thank you

Great little library.

Unfortunately my host supports PHP 5.3 max so was wondering what key features of 5.4 I would need to target.