php - Slim framework - API Security


So I have a RESTful API, but I want to be safe so that not everyone can do anything.

$app->get('/users' , function(Request $request, Response $response){
  $sql = "SELECT * FROM users";

    // Get db object
    $db = new db();
    // Connect
    $db = $db->connect();

    $stmt = $db->query($sql);
    $users = $stmt->fetchAll(PDO::FETCH_OBJ);
    $db = null;
    echo json_encode($users);
  } catch(PDOException $e){
    echo '{"error": {"text": '.$e->getMessage().'}}';

So when i go tohttp://localhost/API/users i get all users into a json table.

Inside my database my data are stored like[{"id":"1","username":"werknemer","password":"...","level":"1","name":"piet","surname":"jan","email":"[email protected]"}] I would like everyone to see his own table through my API and if you arelevel 5.

Is there a solution for that?




Your example is pretty basic and it's a starting point for using some "auth" concept in your REST APIs.

First things first: Authentication != Authorization.

Split these two concepts, the first one is going to make a user registered and logged into your app, the second one makes the "hard work" that you are looking for in this example, so check if a specific user is able to do some stuff.

For authentication, you can provide all the methods that you want, but remember that in REST your app MUST be stateless and you should provide a token (passed via HTTP Headers) that will be used by your application for understanding if the user is LOGGED and CAN do some stuff.

That's the key concept: A token (see JWT or OAUTH) should be used for authorization, and a very basic authorization is: "USER LOGGED".

In your example, you should use the middlewares for filter the http request, and don't enter into the router callback if the user is not authorized (logged in || have not a minLevel:5).

Checkout JWT or OAuth2 for this kinda stuff for more info.

Check this out -> ( for a basic example of JWT generation in a slim app (if you are going to use this boilerplate PLEASE do not use the md5 for hash password this is a pretty basic example)




You need to add authentication and then authorisation to your API.

Authentication is the process of knowing who is accessing the API. A good way to do this is to you OAuth 2. I like and use Brent Shaffer's OAuth 2.0 Server library. contains an implementation of an API that using OAuth 2 to authorise users.

Once you know who is logging in, you then need to limit their access based on their role (or level). This is called access control. I like the zend components for this. Try zend-permissions-rbac - there's a good article on how to use it on the ZF blog.

People are also looking for solutions to the problem: php - SQL Statement/ Codeigniter appointment booking


Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.