I have an ASP.net Web API that inserts data from the user after they purchase a product in a Xamarin Application I am currently developing. However, data can also be inserted by simply calling the URL on a web browser from a desktop computer, such as:
http://www.mywebapi.com/myfunc?username=bob&prod_enabled=true
I only want data inserted AFTER the product has been purchased in my app. In the C# code for the web API, I have:
public IActionResult myfunc(string username, string prod_enabled)
{
    // Assume credentials to connect to database are validated;
    // builder is an SqlConnectionStringBuilder populated elsewhere.
    using (SqlConnection connection = new SqlConnection(builder.ConnectionString))
    // Parameterized query: the original concatenated the inputs into the SQL
    // string, which allows SQL injection; parameters send them as data.
    using (SqlCommand cmd = new SqlCommand(
        "INSERT INTO users (username, product_enabled) " +
        "VALUES (@username, @prod_enabled)", connection))
    {
        cmd.Parameters.AddWithValue("@username", username);
        cmd.Parameters.AddWithValue("@prod_enabled", prod_enabled);
        try
        {
            connection.Open();
            int i = cmd.ExecuteNonQuery();
            connection.Close();
            if (i == 1)
                return Content("True");
            return Content("False");
        }
        catch (SqlException)
        {
            // Database errors, not FormatException, are what ExecuteNonQuery throws.
            connection.Close();
            return Content("False");
        }
    }
}
My guess is to include a 3rd parameter that validates some sort of token from the Xamarin app, is that correct? I really want to ensure that people don’t use the API to fake product purchases. There needs to be some means of verification.
Thanks!
2 Answers
Do you have an API? In the method of the controller add the attribute [Authorize]. Or add a parameter of the user (he buys or he doesn't buy your application). After validating the user, insert the data in the DB.
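As an added example (not the asker's or the answerer's code), here is one way to combine the [Authorize] suggestion with a server-side purchase check, so that neither the username nor the "purchased" flag is taken from the query string. It assumes ASP.NET Core with bearer-token authentication already configured in Startup, and a hypothetical IPurchaseVerifier service that validates the store receipt with the app store's server API; the "Database" configuration key and the PurchaseRequest shape are also assumptions.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

// Hypothetical abstraction: checks the receipt the app received from the
// store against the store's verification endpoint. Implementation omitted.
public interface IPurchaseVerifier
{
    Task<bool> IsValidAsync(string userId, string receipt);
}

// Body of the POST sent by the Xamarin app after a purchase completes.
public class PurchaseRequest
{
    public string Receipt { get; set; }
}

[ApiController]
[Route("api/[controller]")]
public class PurchasesController : ControllerBase
{
    private readonly string _connectionString;
    private readonly IPurchaseVerifier _verifier;

    public PurchasesController(IConfiguration config, IPurchaseVerifier verifier)
    {
        _connectionString = config.GetConnectionString("Database"); // assumed key
        _verifier = verifier;
    }

    // [Authorize] rejects unauthenticated callers before the body runs, so a
    // plain browser GET with query parameters never reaches the database.
    [HttpPost]
    [Authorize]
    public async Task<IActionResult> Record([FromBody] PurchaseRequest request)
    {
        if (request == null || string.IsNullOrWhiteSpace(request.Receipt))
            return BadRequest();

        // The identity comes from the validated token, not from the caller.
        string userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (userId == null)
            return Unauthorized();

        // The purchase is verified server-side; the client cannot assert it.
        if (!await _verifier.IsValidAsync(userId, request.Receipt))
            return Forbid();

        using (var connection = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO users (username, product_enabled) VALUES (@username, 1)",
            connection))
        {
            // Parameterized to avoid SQL injection through the username.
            cmd.Parameters.AddWithValue("@username", userId);
            try
            {
                await connection.OpenAsync();
                int rows = await cmd.ExecuteNonQueryAsync();
                return Content(rows == 1 ? "True" : "False");
            }
            catch (SqlException)
            {
                return Content("False");
            }
        }
    }
}
```

The design point is that the token only proves who is calling; it does not prove a purchase happened. The receipt check is what ties the database write to a real transaction, and keeping the product flag out of the request means a caller with a valid token still cannot enable the product by hand.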
Don't use this way, for some reason.