To create a chart, I found that Bloomberg is providing data in JSON format. Please have a look at this URL: http://www.bloomberg.com/markets/chart/data/1Y/IBM:US. This sends the chart data in JSON format. I want to get this data in an Ajax request, so that I can parse it and create a chart. But I can't use Ajax, as this is a cross-domain affair. I need to use JSONP. I am not sure how the Bloomberg API supports JSONP. If you know how we can use JSONP with the above URL, please let me know. If there is any alternative, please let me know.
You can't. JSONP requires that the server be on board with the transaction so that it can properly handle the callback injection. If the server isn't providing it, there's no way to force it unilaterally.
What you might be able to do, subject to your hosting provider's policies, is have your server-side script load the Bloomberg data, then pass it on from there, either printed in the initial page or as a JSON/JSONP call to your own server (which is probably a better idea, as it leaves you more flexibility to update the data on the fly and also allows the page's markup to be cached).
Note that some hosting providers do not allow outgoing requests because they don't want their servers to be used as proxies (which is, after all, basically what I'm suggesting you do). You may have an option to whitelist Bloomberg, or you may just need to keep outgoing traffic to a minimum (i.e. cache the Bloomberg data on your server so that you're not refreshing it every time someone loads your page). Check your hosting terms.
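The relay the answer describes, as an added example that is not part of the original post: a server-side fetcher with a TTL cache (so the upstream is hit at most once per window) and a JSONP wrapper that only accepts a whitelisted callback name. The upstream URL, the injected fetch function and the TTL are placeholders I chose.

```javascript
// Added example (not the original answer's code): a server-side relay for an
// upstream JSON feed with a TTL cache, plus a JSONP wrapper that only accepts
// a whitelisted callback name. Upstream URL and fetch function are placeholders.
const UPSTREAM_URL = "https://upstream.example/chart.json"; // placeholder
const CACHE_TTL_MS = 60 * 1000;

// A callback name must be a plain (optionally dotted) JS identifier; otherwise
// ?callback=alert(1)// would turn the relay's response into script injection.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === "string" && name.length <= 64 && SAFE_CALLBACK.test(name);
}

// Plain JSON when no callback is given, callback(<json>); for JSONP. U+2028 and
// U+2029 are legal inside JSON strings but end a <script> line, so escape them.
function buildJsonpBody(callback, data) {
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  if (callback === undefined) return { contentType: "application/json", body: json };
  if (!isSafeCallbackName(callback)) throw new Error("invalid callback name");
  // Leading /**/ keeps the response from being sniffed as a different format.
  return { contentType: "application/javascript", body: `/**/${callback}(${json});` };
}

// Cache keyed by upstream URL. fetchJson is injected so the relay is testable
// offline; in production it would be an HTTP GET to UPSTREAM_URL.
function makeCachedFetcher(fetchJson, ttlMs = CACHE_TTL_MS, now = Date.now) {
  const cache = new Map();
  let upstreamCalls = 0;
  async function get(url = UPSTREAM_URL) {
    const hit = cache.get(url);
    if (hit && now() - hit.at < ttlMs) return hit.data;
    upstreamCalls += 1;
    const data = await fetchJson(url);
    cache.set(url, { at: now(), data });
    return data;
  }
  return { get, upstreamCalls: () => upstreamCalls };
}
```

Serve `buildJsonpBody(req.query.callback, await relay.get())` from your own origin and the browser never needs the third party to support JSONP.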
In a RESTful API, POST should be used to create, and GET should be used to read.
Sometimes, for security reasons, you can't pass sensitive variables in the URI. For example, you might have an /accounts API that requires you to pass "accountNumber". If your security team won't let you put that in the URI, then you have to use the POST method instead of the GET method to service the "read" operation, and you can then provide the account number in the request body.
That brings me to my question: If you've used up the POST method to service a read operation, how do you service the "create" operation of the same API?
"/accounts/create" wouldn't be advised because your APIs should be nouns, not verbs. It doesn't seem right to use up a different HTTP method like PUT. This issue has to come up a lot, so I'm curious what people are doing to get around it.
If you're using POST for this, you are not building a RESTful service. The way I see it, you have two options:
Accept this, and build a more RPC-like system.
Change the ids in your application so that they are not a security risk. If knowing an id is a problem, consider using something else.
I am trying to get started with REST API calls by seeing how to format the API calls using a browser. Most examples I have found online use SDKs or just return all fields for a request.
For example, I am trying to use the Soundcloud API to view track information.
To start, I've made a simple request in the browser as follows: http://api.soundcloud.com/tracks/13158665.json?client_id=31a9f4a3314c219bd5c79393a8a569ec, which returns a bunch of info about the track in JSON format
(e.g. {"kind":"track","id":13158665,"created_at":"2011/04/06 15:37:43 ...})
Is it possible to get only the "created_at" value returned using the browser? I apologize if this question is basic, but I don't know what keywords to search for online. Links to basic guides would be nice, although I would prefer to stay away from using a specific SDK for the time being.
In fact, it's really hard to answer such a question since it depends on the Web API. I mean, if the API supports returning only a subset of fields, you could, but if not, you will receive all the content. From what I saw in the documentation, it's not possible. The filters only allow you to get a subset of elements and not control the list of returned fields within elements.
Notice that you have a great application to execute HTTP requests (and also REST) in Chrome: Postman. This allows you to execute all HTTP methods, not only GET, control the headers and sent content, and also see what is received back.
If you use Firefox, Firebug provides a similar thing.
To finish, you could have a look at this link to find out hints about the way Web APIs work and are designed: https://templth.wordpress.com/2014/12/15/designing-a-web-api/.
Hope it helps you and I answered your question,
Thierry
Straight from the browser bar you can utilize REST endpoints that respond to a GET message. That is what you are doing when you hit that URI: you are sending an HTTP GET message to that server and it is sending back JSON.
You are not always guaranteed a JSON, or anything when hitting a known REST endpoint. What each endpoint returns when hit with a GET is specific to how it was built. In that case, it is built to return a JSON, but some may return an HTML page. In my personal experience, most endpoints that utilize JSON returns expect you to process that object in a computer fashion and don't give you a lot of options to get a specific field of the JSON. Here is a good link on how to process JSON utilizing JavaScript.
You can utilize REST clients (such as the Advanced REST Client for Chrome) to craft HTTP POST and PUT requests if a specific REST endpoint has the functionality built in to receive data and do something with it. For example, a lot of wiki-style REST endpoints will allow you to create a page with a specifically crafted HTTP POST with either specific header information, URI parameters or a JSON body as part of it.
You can install the DHC client app in your Chrome and send requests like PUT or GET.
Whenever I request data from the server using jQuery Ajax, the retrieved data shows in Firebug, so that is unsafe or hackable.
Even Facebook and Google+ hide their JSON data, but how?
You could use a library like crypto-js to encrypt all data that is sent to and from the server. However, most of the time, that is overkill when you already use HTTPS (since you should make your application hack resistant via server-side validation, and safety is ensured by the real encryption offered by HTTPS).
I have a website where you can request data using Ajax from our servers as JSON (only to be used on our site). Now I found that people have started using our requests to get data from our system. Is there a way to block users from using our public JSON API? Ideas that I have been thinking about are:
Some kind of checksum.
A session unique javascript value on the page that have to match server-side
Some kind of rolling password with 1000 different valid values.
All of these are not 100% safe but make it harder to use our data. Any other ideas or solutions would be great.
(The requests that you can do are lookups and translations of zip codes, phone numbers, SSNs and so on)
You could use the same API-key authentication method Google uses to limit access to its APIs.
Make it compulsory for every user to have a valid API key, to request data.
Generate an API key and store it in your database when a user requests one.
This way, you can monitor usage of your API, and impose usage limits on it.
As #c69 pointed out, you could also bind the API keys you generate to the API user's domain. You can then check the Referer URL ($_SERVER['HTTP_REFERER'] in PHP) and reject the request if it is not being made from the API user's domain.
I'm trying to figure out how to insert/update data into offsite databases that don't have an API available. Since they don't have an API, I thought of an approach I can take to insert/update data into their database.
They would first need to build a script and place it in an accessible location on their webserver that I can access via a URL. They would be required to supply the URL to me. I then can do a cURL POST request to that URL and pass a JSON array of the data that needs to be inserted. The script on their server would handle the parsing of the JSON array and the insert/update into the database.
I think this should work, but what security issues would I be opening them up to?
What you described is them creating an API. Just because the URL invokes a script and isn't written in something like Java or PHP doesn't mean it's not an API.
You need to make sure your URL is secure so only authorized people can invoke it, and they would probably want to do data validation.
You should let them decide whether that is easier than standing up a more robust, non-script-based solution.