Xamarin Using API to Insert Data

Time:01-03

I have an ASP.net Web API that inserts data from the user after they purchase a product in a Xamarin Application I am currently developing. However, data can also be inserted by simply calling the URL on a web browser from a desktop computer, such as:

http://www.mywebapi.com/myfunc?username=bob&prod_enabled=true

I only want data inserted AFTER the product has been purchased in my app. In the C# code for the web API, I have:

public IActionResult myfunc(string username, string prod_enabled)
{
    // Assume credentials to connect to database are validated
    // ("builder" is a SqlConnectionStringBuilder configured elsewhere)
    using (SqlConnection connection = new SqlConnection(builder.ConnectionString))
    {
        // Query text is built by string concatenation of the raw request parameters
        SqlCommand cmd = new SqlCommand(
            "INSERT INTO users (username, product_enabled) " +
            "VALUES('" + username + "', '" + prod_enabled + "')", connection);

        try
        {
            connection.Open();
            int i = cmd.ExecuteNonQuery();
            connection.Close();

            if (i == 1)
                return Content("True");

            return Content("False");
        }
        catch (FormatException)
        {
            connection.Close();
            return Content("False");
        }
    }
}

My guess is to include a 3rd parameter that validates some sort of token from the Xamarin app, is that correct? I really want to ensure that people don't use the API to fake product purchases. There needs to be some means of verification.

Thanks!

CodePudding user response:

Do you have an API? In the method of the controller, add the attribute [Authorize]. Or add a parameter for the user (he buys or he doesn't buy your application). After validating the user, insert the data in the DB.

CodePudding user response:

Don't use this approach, for a few reasons.

  1. It's not the correct API format. See here
  2. Use parameterized queries, ORM, or stored procedures to prevent SQL injection
  3. Create a Repository Layer, then call your command or query from there
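The two answers above make three separable points: require an authenticated caller ([Authorize]), verify the purchase on the server instead of trusting a client-supplied flag, and bind user input as SQL parameters. The following ASP.NET Core controller is an added example that puts all three together; it is not code from the asker or from either answerer. The controller and request class names, the `AppDb` connection string, the `purchases` table with its `verified` column, and the use of `Microsoft.Data.SqlClient` are assumptions for the illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;

[ApiController]
[Route("api/[controller]")]
public class EntitlementController : ControllerBase   // assumed name
{
    private readonly string _connectionString;

    public EntitlementController(IConfiguration config)
    {
        // Assumed: the connection string is read from configuration ("AppDb"), not hard-coded.
        _connectionString = config.GetConnectionString("AppDb");
    }

    // [Authorize] rejects anonymous callers (e.g. a bare browser request) with 401
    // before the action body runs. The endpoint is a POST because it changes state;
    // a GET URL typed into a browser must not be able to enable a product.
    [Authorize]
    [HttpPost("enable")]
    public async Task<IActionResult> Enable([FromBody] EnableRequest request)
    {
        // Take the username from the authenticated identity, never from the request body,
        // so one user cannot enable a product for somebody else.
        string username = User.Identity?.Name;
        if (string.IsNullOrEmpty(username))
            return Unauthorized();

        using var connection = new SqlConnection(_connectionString);
        await connection.OpenAsync();

        // Assumed schema: a purchases table that the server-side payment flow fills in.
        // The client never sends "prod_enabled=true"; the server consults its own record.
        using (var check = new SqlCommand(
            "SELECT COUNT(*) FROM purchases " +
            "WHERE username = @username AND product_id = @productId AND verified = 1",
            connection))
        {
            check.Parameters.AddWithValue("@username", username);
            check.Parameters.AddWithValue("@productId", request.ProductId);
            int verified = (int)await check.ExecuteScalarAsync();
            if (verified == 0)
                return Forbid(); // 403: authenticated, but no verified purchase on record
        }

        // Parameterized INSERT: input is bound as a value, never concatenated into SQL text,
        // so a username such as  bob', 'true'); DROP TABLE users; --  is stored literally.
        using var insert = new SqlCommand(
            "INSERT INTO users (username, product_enabled) VALUES (@username, @enabled)",
            connection);
        insert.Parameters.AddWithValue("@username", username);
        insert.Parameters.AddWithValue("@enabled", true);

        int rows = await insert.ExecuteNonQueryAsync();
        return rows == 1 ? Ok(new { enabled = true }) : StatusCode(500);
    }
}

public class EnableRequest   // assumed request shape
{
    public string ProductId { get; set; }
}
```

The important design choice is the `purchases` lookup: a token sent by the Xamarin app only proves that the caller has the app, not that a purchase happened, so the fact that a purchase is real has to be recorded by the server (or by the store's receipt-validation callback) and checked there. The client's request then carries nothing the server has to believe.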