Quick and Dirty example of login and album get with php
chrisc
I've been playing around with the API and serialized PHP. Here's a quick and dirty example for those who would like to get started.
I don't know how (if?) secure this method is, so use it at your own risk! Your password could be intercepted.
Question: Is there a way to generate the hash on the client side for the smugmug.login.withHash method?
[php]
<?php
// Fill these in with your values
$email = "user@example.com";
$password = "password";
$apikey = "blahblahblahblah";

// Testing, so show us all the errors
error_reporting(E_ALL);

function apiSend($request) {
    // This is a lot "cleaner" if you use file_get_contents($request), but my host doesn't support it, so I need to use curl
    $ch = curl_init();
    $timeout = 5; // set to zero for no timeout
    curl_setopt($ch, CURLOPT_URL, $request);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Verify the server certificate and host name. With verification off, anyone on
    // the network path can read the password and forge the serialized response.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $response = curl_exec($ch);
    if ($response === false) {
        echo curl_error($ch);
        curl_close($ch);
        die('Exiting... Request failed');
    }
    curl_close($ch);
    // The response is untrusted input: do not let unserialize() instantiate objects (PHP 7+)
    return unserialize($response, ['allowed_classes' => false]);
}

$url = "https://api.smugmug.com/hack/php/1.2.0/?method=";

$method = "smugmug.login.withPassword";
// URL-encode the values so characters such as & or + in the password survive
$login = $url . $method . '&EmailAddress=' . urlencode($email) . '&Password=' . urlencode($password) . '&APIKey=' . urlencode($apikey);
$loginresponse = apiSend($login);
echo "Login Info\n";
print_r($loginresponse);

$method = "smugmug.albums.get";
// Send only the session ID, not the whole response array. The key path below is an
// assumption; check it against the print_r() output above.
$sessionid = $loginresponse['Login']['Session']['id'];
$albums = $url . $method . "&SessionID=" . urlencode($sessionid);
$albumsresponse = apiSend($albums);
echo "Albums\n";
print_r($albumsresponse);
?>
[/php]
Comments
smugmug.login.withPassword needs to be called once in order to retrieve the UserID and PasswordHash values. After that, smugmug.login.withHash can be called as long as the password isn't changed.
Cheers,
David
SmugMug API Developer
My Photos
I notice the hash keeps changing. Is it tied to the session as well, or can I just generate the hash once and then use it for months across different sessions (assuming I do not change my password)?
You can continue to use the hash across different sessions as long as your password doesn't change.
SmugMug API Developer
My Photos
Assuming the password does not change, what else could generate a different hash?
I was testing different API calls a few months ago and noticed the same thing that chrisc noticed. Each time I use smugmug.login.withPassword, a different value is returned for PasswordHash.
Chibi Photography
pix.chibiphotography.com
A randomly generated salt value is added every time the PasswordHash is returned, hence why the PasswordHash changes.
SmugMug API Developer
My Photos
How secure is the UserID/Hash pair?
Can I keep them in plain text? I assume not, but if not, what is the benefit of the password hash over a password?
I need to store the user's login information but really don't want to go through hurdles to encrypt the data, especially when - as we all know - it's not really that hard to crack.
I hope this is some help.
Cheers,
David
SmugMug API Developer
My Photos
What are other projects doing about this?
I guess it depends on the type of app you are developing and where it is going to be deployed. In my Firefox extension SmugBrowser, if the user chooses save password, I save the UserID and PasswordHash to an XML file in the Mozilla profile directory.
SmugMug API Developer
My Photos
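
An added example, not code from any poster in this thread or from SmugMug, for the storage question above: keep the UserID/PasswordHash pair (valid until the password changes, per the replies) in a file that only the owning account can read, refuse to use it if the permissions are looser, and build the smugmug.login.withHash request from it. The function names, file location and sample values are hypothetical, the UserID and PasswordHash parameter names are assumed to mirror the response fields named in the thread, and the permission check assumes a Unix-like host.

```php
<?php
// Added example. File location, function names and sample values are constructed.
function saveLoginToken(string $path, string $userId, string $passwordHash): void {
    $tmp = $path . '.' . bin2hex(random_bytes(6)) . '.tmp';
    $old = umask(0077);                 // file is created 0600, never group/world-readable
    try {
        $json = json_encode(['UserID' => $userId, 'PasswordHash' => $passwordHash]);
        if (file_put_contents($tmp, $json, LOCK_EX) === false) {
            throw new RuntimeException("cannot write $tmp");
        }
    } finally {
        umask($old);
    }
    if (!rename($tmp, $path)) {         // atomic replace: readers never see a partial file
        unlink($tmp);
        throw new RuntimeException("cannot replace $path");
    }
}

function loadLoginToken(string $path): array {
    clearstatcache(true, $path);
    $mode = @fileperms($path);
    if ($mode === false || ($mode & 0077) !== 0) {
        // Missing, or readable by group/other: fall back to a password login instead
        throw new RuntimeException("$path is missing or accessible to other users");
    }
    $data = json_decode(file_get_contents($path), true);
    if (!is_array($data) || !isset($data['UserID'], $data['PasswordHash'])) {
        throw new RuntimeException("$path is not a valid token file");
    }
    return $data;
}

function withHashUrl(string $base, string $apiKey, array $token): string {
    // http_build_query() URL-encodes every value, including the salted hash
    return $base . '?' . http_build_query([
        'method'       => 'smugmug.login.withHash',
        'UserID'       => $token['UserID'],        // parameter name assumed
        'PasswordHash' => $token['PasswordHash'],  // parameter name assumed
        'APIKey'       => $apiKey,
    ]);
}

// Demo with constructed values; a real app would use a directory it owns, not the temp dir
$file = sys_get_temp_dir() . '/smugmug-token-demo.json';
saveLoginToken($file, '12345', '$1$constructed$hashvalue');
echo withHashUrl('https://api.smugmug.com/hack/php/1.2.0/', 'blahblahblahblah', loadLoginToken($file)), "\n";
unlink($file);
```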