I have never used APIs before. I am trying to SMS-enable my website. My SMS provider provides an HTTP API to send messages from my website. It works well. However, it's not secure. The API requires number, message, username and password, and can be sent using POST or GET. There is no HTTPS support. I am currently passing the number and message which the user enters to a page which reposts the values along with username and password using curl. The HTTP headers still contain the POST fields, meaning anyone can see my username and password. Is there a way around this? I know switching provider is an option, since they don't have SMTP, XML or HTTPS APIs.

+1  A: 

If they can't provide SSL, then it will be visible to everyone between you and the remote server. That's just the way things work.

Daniel Egeberg
+1  A: 

Unless you have access to the server side code, you cannot do anything about this.

If you do have access to the server side code, you can use a two-way encryption algorithm such as this one.

Jacob Relkin
+4  A: 

Unfortunately there's nothing you can do.

One popular SMS gateway API that supports HTTPS is Clickatell.

It covers 819 networks in over 220 countries. Apart from HTTP and HTTPS, they also support SMPP, SMTP, FTP, XML, SOAP and COM.

The HTTP/S method works in a very similar way to the service you are describing. If I remember correctly, you'd pass all the details through a GET request. You could keep using curl as you are doing now.


As for message costs, Clickatell uses a credit based system. 1 credit will generally mean 1 message, but some destinations may charge a bit less (usually 0.8 of a credit) and some may charge more (usually 1.5 or 2). Apparently this depends on the network operators in the particular region. (Source)

1 credit is currently priced at USD 0.03 / EUR 0.022 / GBP 0.02. There is a minimum requirement of 400 credits, so the initial investment can be of just USD 12. (Source)

Daniel Vassallo
A: 

Can I mail the number and text to my mail server, which can trigger a PHP script based on the contents of the mail, which will then post it to the SMS gateway with the username and password? Possible? At least that way the end user won't be able to see the username and password.

abel
A: 

The client side should not include your password. Only the user-related details (SMS, phone number) should be entered there and SENT TO A PAGE ON YOUR SERVER. The page on your server is where the SMS provider password is held. The page then calls the SMS provider. In this case HTTPS is less important (the data is not visible to end users, only to people with access to the network between your server and the SMS provider server).

Nir
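
The arrangement described in the last answer, as an added PHP example that is not code from the thread or from any provider: the browser posts only the number and message, and the server-side page adds the credentials before calling the gateway with curl. The endpoint URL, the form field names, the `SMS_USER`/`SMS_PASS` environment variables and the length limits are assumptions.

```php
<?php
// send_sms.php: the browser posts only "number" and "message" to this page.
// Credentials live on the server; URL and field names are placeholders.
const PROVIDER_URL = 'http://sms-provider.example/send'; // hypothetical endpoint

function validate_input(array $post): ?array
{
    // Strip common separators, then allow an optional "+" and 8 to 15 digits.
    $number  = preg_replace('/[\s\-()]/', '', (string)($post['number'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));
    if (!preg_match('/^\+?[0-9]{8,15}$/', $number)) {
        return null;
    }
    if ($message === '' || strlen($message) > 160) { // assumed 160-byte limit
        return null;
    }
    return ['number' => $number, 'message' => $message];
}

function send_to_provider(array $sms): bool
{
    $fields = [
        'username' => getenv('SMS_USER'), // never sent to the browser
        'password' => getenv('SMS_PASS'),
        'number'   => $sms['number'],
        'message'  => $sms['message'],
    ];
    $ch = curl_init(PROVIDER_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // body, not URL
        CURLOPT_RETURNTRANSFER => true, // keep the provider's reply off the page
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return $body !== false && $status === 200;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit;
}
$sms = validate_input($_POST);
if ($sms === null) {
    http_response_code(400);
    exit('Invalid number or message.');
}
echo send_to_provider($sms) ? 'Message sent.' : 'Sending failed.';
```

The request from the server to the provider is still plain HTTP, so the credentials remain readable on that network path; only the end user's view is closed off. The page should also sit behind the site's own login or rate limiting so it cannot be used as an open relay.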