I don’t have much familiarity with servers and PHP so I don’t know whether the extra headers were stripped out by the server, not picked up by the getallheaders() function or something else.
That value for Host cannot be true; it should of course be the domain of your very own server.
Most other headers you see with RequestBin are specific to their setup at Cloudfare. (Think: headers added by their load balancer, SSL off-loading, CDN.)
So, the HTTP headers you’re seeing on your own server are probably fine. [Not quite; see answers below.]
Why do you think you need more headers then?
From my post above: From the initial version (meanwhile edited) of my post above:
That does not did not refer to additional HTTP headers (which were not yet supported at the time of writing), but to URL query parameters and the content of the JSON payload.
Yes, I copied and pasted the host from the lines above when writing the questions. I get the right one in PHP.
With regards to the security I was trying to do it by the book and follow the ttn implementation for the http integration, using the
Authorization: dummy_auth and additional optional key:
add-Key: dummy_key.
However it appears difficult to do, so ?myauth=my-super-secret will have to do. Also I can use the json fields for further authentication.
Thanks for the advice
Riccardo
If you’re saying you provided values for Authorization and add-Key and got those in RequestBin but not in your own server, then that seems to be weird indeed.
The Authorization header not being visible might be a known issue on some servers, if the server only supports Basic/Digest authorization, or is strict about the Authorization: <type> <credentials> header format:
In order to get HTTP Authentication to work using IIS server with the CGI version of PHP you must edit your IIS configuration “Directory Security”. Click on “Edit” and only check “Anonymous Access”, all other fields should be left unchecked.
…and:
Workaround for missing Authorization header under CGI/FastCGI Apache:
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
Now PHP should automatically declare $_SERVER[PHP_AUTH_*] variables if the client sends the Authorization header.
(It’s an old reference and I’ve not read any of the other comments.)
All this would not explain why add-Key would be missing, if you’ve indeed configured that too.
(@rmeldo, meanwhile I understand that nowadays the HTTP Integration supports setting an Authorization header or custom header, which it did not support in its initial release. I’ve edited my earlier answers for future readers.)
@arjanvanb
correct, but it was just a sample to help I do not have any table, and my sql instance is firewalled only with my admin IP
but anyway no sql admin would allow internet user to delete data or tablel not ?
Though your link refers to using MQTT to subscribe to a TTN server from Node-RED, in the context of the HTTP Integration TTN (or anyone) would be able to post data to Node-RED. With bad data, Node-RED would then craft a SQL statement one might not expect, no matter if the database can be accessed directly from the Internet or not.
Of course, SQL injection is also about exposing data…
@arjanvanb
Sorry my fault, the Node Red TTN in my stream was over MQTT not HTTP, since the goal was to insert into mySQL data from TTN. Even if original question was with http integration worth mentioning other simple solution can work.
By the way, I do not consider my example as bad, since data (payload) is parsed by a function in between MQTT and mySQL Insert. Each payload byte is decoded to be transformed by number so whatever you push in to the function, I think you would never be able to do any SQL command injection with dangerous commands in this example
Afterward of course the transfer between the output of Node Red to MySQL is relevant to network security and all rules applies (authentication, encryption, firewalling, …)
I found your code, while working on a PHP script, that react on a uplink message (from HTTP Integration) and making a downlink message to the device.
I’ve tried to use your code, to make my webserver, though Curl, make a Downlink-message.
But i do not get any result and no error.
Could i ask you (or maybe someone else ) to make an example, how to do this, or maybe point out my errors in this code:
<?php
//API Url (Got it from Uplink http-Integration, removed the key for this public forum)
$url = "https://integrations.thethingsnetwork.org/ttn-eu/api/v2/down/hrmansen1/http?key=ttn-account-v2.[REMOVED]";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
$jsonDataEncoded = "{\"dev_id\":\"hrmansenuno\",\"port\":1,\"confirmed\":false,\"payload_raw\":\"00\"}";
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonDataEncoded);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
//Execute the request
$result = curl_exec($ch);
echo "Result:<br/>";
echo $result;
echo "<br>";
echo "Errorcode: ";
echo curl_error($ch)
?>
Unfortunately it did’nt change anything. I changed the line for the Json message to: $jsonDataEncoded = "{\"dev_id\":\"hrmansenuno\",\"port\":\"1\",\"confirmed\":\"false\",\"payload_raw\":\"" . base64_encode("00") . "\"}";
But still get no result at the device, and no line in the Data log in the console.
Any ideas or php examples are welcome
Hi Again.
I have experimented a little more since last time. I have found that my post date could be reduced to just dev_id and payload_raw.
I also found some example code from another project, and now i got my downlink message to be shown in the Data section of my device. But somehow my base64 encoding, ends with a extra 30 added to every digit
Just now while i am typing this, realizing that its the 30hex from the ascii character “0”
Thanks for the help!
Here’s my corrected code if anybody else is interested:
That probably indeed does the job, assuming you might also want to send much larger values, up tot 255 for each value. If you want to set “on” or “off”, then you can combine 8 states in a single byte. See https://www.thethingsnetwork.org/docs/devices/bytes.html
Hi,
I’m not sure if I need to open a new topic, but all the above is also applicable for my question.
I’m trying to do the same, but I get stuck in the part before this topic starts;
I have webhook.site working, but now I can’t figure out what to fill in in the http integration window to make
$content = file_get_contents(“php://input”);
to work in my php-script.
I’m now locally working with xampp, so localhost. But i guess I need to place my php script somewhere on a server?
I have a Azure and visualstudio environment available (also where my database and API is). But dont know what is needed.
Thanks.
) to make an example, how to do this, or maybe point out my errors in this code:
