[Request/Question] ContactList API to include type (char/corp/alli)
 
This thread is older than 90 days and has been locked due to inactivity.


 

Cyerus
Galactic Dominion
Eternal Strife
Posted - 2011.05.03 02:26:00 - [1]
 

Hi,

I've recently been looking at implementing the ContactList (standings) into my phpBB mod.
However, there is no way to identify what type each contact is.

Currently we have to loop through the list of contacts, checking it against CharacterName, Corporation and Alliance.
Although I'm sure there are some checks in place to prevent this, in theory a person could name himself "Galactic Dominion" after my corporation to get access to places where my corporation has access (by standings) to. This is not only a big security risk, it's also annoying and unwise.

Here is an example of the current situation;

<eveapi version="2">
<currentTime>2010-05-29 22:35:46</currentTime>
<result>
<rowset name="contactList" key="contactID" columns="contactID,contactName,inWatchlist,standing">
<row contactID="123456" contactName="Galactic Dominion" inWatchlist="False" standing="10" />
<row contactID="797400947" contactName="CCP Garthagk" inWatchlist="True" standing="-5" />
</rowset>
</result>
<cachedUntil>2010-05-29 22:50:46</cachedUntil>
</eveapi>


I would love to have it changed to;

<eveapi version="2">
<currentTime>2010-05-29 22:35:46</currentTime>
<result>
<rowset name="contactList" key="contactID" columns="contactID,contactName,contactType,inWatchlist,standing">
<row contactID="123456" contactName="Galactic Dominion" contactType="1" inWatchlist="False" standing="10" />
<row contactID="797400947" contactName="CCP Garthagk" contactType="0" inWatchlist="True" standing="-5" />
</rowset>
</result>
<cachedUntil>2010-05-29 22:50:46</cachedUntil>
</eveapi>


Where we can simply select the information we need, knowing;
Character = 0
Corporation = 1
Alliance = 2

This will not only lead to cleaner coding, it will also close a potential security hole.
Examples for the Corporation / Alliance ContactList follow the same principle.

Also, from what I noticed when I was testing, using the "/eve/CharacterID.xml.aspx" I was able to grab the ID numbers not only from Characters, but also from Corporation and Alliance. Perhaps a rename of this file is in order?

I'd love to hear your input on this.

~Cyerus

Lutz Major
Posted - 2011.05.03 07:09:00 - [2]
 


Cyerus
Galactic Dominion
Eternal Strife
Posted - 2011.05.03 11:52:00 - [3]
 

Originally by: Lutz Major
/corp/CorporationSheet.xml.aspx
/eve/CharacterInfo.xml.aspx
/eve/AllianceList.xml.aspx
all else: eveNames table from the database dump


That doesn't solve the problem, this creates bigger problems.
I don't want to query those 4 files to figure out what type it is, especially knowing that that would take at least 5 steps more than the other options.

Not even talking about the execution time; querying the EVE API takes a lot of time compared to a simple PHP "if equal to .."-statement.

Lutz Major
Posted - 2011.05.03 12:58:00 - [4]
 

Originally by: Cyerus
That doesn't solve the problem, this creates bigger problems.
What problem would that exactly be?

Originally by: Cyerus
Although I'm sure there are some checks in place to prevent this, in theory a person could name himself "Galactic Dominion" after my corporation to get access to places where my corporation has access (by standings) to. This is not only a big security risk, it's also annoying and unwise.
Security risk for whom? Do you really think, that if someone creates a pilot in EVE that calls himself 'Galactic Dominion' can access/leech off anything from your corp? Or use your corp's standing for anything? Really?

Originally by: Cyerus
This will not only lead to cleaner coding, it will also close a potential security hole.
WHAT SECURITY HOLES?

Cyerus
Galactic Dominion
Eternal Strife
Posted - 2011.05.03 14:26:00 - [5]
 

Edited by: Cyerus on 03/05/2011 14:29:02
Originally by: Lutz Major
Originally by: Cyerus
That doesn't solve the problem, this creates bigger problems.
What problem would that exactly be?

Originally by: Cyerus
Although I'm sure there are some checks in place to prevent this, in theory a person could name himself "Galactic Dominion" after my corporation to get access to places where my corporation has access (by standings) to. This is not only a big security risk, it's also annoying and unwise.
Security risk for whom? Do you really think, that if someone creates a pilot in EVE that calls himself 'Galactic Dominion' can access/leech off anything from your corp? Or use your corp's standing for anything? Really?

Originally by: Cyerus
This will not only lead to cleaner coding, it will also close a potential security hole.
WHAT SECURITY HOLES?



The only thing I was saying, is that if you want to check a pilot to see if he's in the standings list, either by character, corporation or alliance, you have to check it using his name.
If a person is weird enough to create a character with the name of "Galactic Dominion", he would have access to the web application that would check for standings, because the check would be something like this with the current XML format;

if($charactername == $api_contactname || $corporationname == $api_contactname || $alliancename == $api_contactname)
{
    // access granted
}
else
{
    // access denied
}


What I would like to achieve but needs an XML change, is this;

if($charactername == $api_contactname && $api_contacttype == 0)
{
    // access granted because of valid character
}
elseif($corporationname == $api_contactname && $api_contacttype == 1)
{
    // access granted because of valid corp
}
elseif($alliancename == $api_contactname && $api_contacttype == 2)
{
    // access granted because of valid alliance
}
else
{
    // access denied
}


Even though it is impossible to create a character with the name of a Corporation or Alliance, it would at least close the potential security hole. I simply dislike the idea of coding something that I know is not bulletproof.
Besides that it would lead to more customizability for standing checks.
Think for instance about;
* Reduced API checks to figure out what type the actual contact is
* Potentially fewer false API calls to grab Alliance logos, if you want your standings page to show them. Since you can now check if a contact is an Alliance.
* Potentially fewer false API calls to grab Character portraits, if you want your standings page to show them. Since you can now check if a contact is a Character.
* And many more..

~Cyerus


Lutz Major
Posted - 2011.05.03 20:25:00 - [6]
 

Originally by: Cyerus
Edited by: Cyerus on 03/05/2011 14:29:02
Originally by: Lutz Major
...


The only thing I was saying, is that if you want to check a pilot to see if he's in the standings list, either by character, corporation or alliance, you have to check it using his name.
If a person is weird enough to create a character with the name of "Galactic Dominion", he would have access to the web application that would check for standings, because the check would be something like this with the current XML format;

[snip]

Even though it is impossible to create a character with the name of a Corporation or Alliance, it would at least close the potential security hole. I simply dislike the idea of coding something that I know is not bulletproof.
Besides that it would lead to more customizability for standing checks.
Think for instance about;
* Reduced API checks to figure out what type the actual contact is
* Potentially fewer false API calls to grab Alliance logos, if you want your standings page to show them. Since you can now check if a contact is an Alliance.
* Potentially fewer false API calls to grab Character portraits, if you want your standings page to show them. Since you can now check if a contact is a Character.
* And many more..

So you are saying, that CCP should change the API because you are too lazy to make a single call to the /eve/CharacterInfo to get a pilot's characterID, corporationID and allianceID and THEN iterate over your standings?


How about you fix your code properly and only ask for real improvements?



*sigh*

I wish Catari or Tonto would be here ... they'd speak in plain terms what they think of your 'idea'.

Cyerus
Galactic Dominion
Eternal Strife
Posted - 2011.05.03 21:54:00 - [7]
 

Edited by: Cyerus on 03/05/2011 22:10:31
Originally by: Lutz Major


..snip..

So you are saying, that CCP should change the API because you are too lazy to make a single call to the /eve/CharacterInfo to get a pilot's characterID, corporationID and allianceID and THEN iterate over your standings?

How about you fix your code properly and only ask for real improvements?


*sigh*

I wish Catari or Tonto would be here ... they'd speak in plain terms what they think of your 'idea'.


Let's keep it nice, shall we? I respect your answers, as you should respect my questions.

The problem is that you don't know what the row in the "/corp/ContactList.xml.aspx" or "/char/ContactList.xml.aspx" stands for.

* Is the contact a character?
* Is the contact a corporation?
* Or is the contact an alliance?

To my knowledge there is no easy way of getting the type of the contact with the information you get from the "ContactList.xml.aspx" API, nor from any of the other APIs for that matter.
Grabbing the ID-numbers from "/eve/CharacterInfo.xml.aspx" and then checking them against the "ContactList.xml.aspx" is a solid idea, and seems to be secure.
However that doesn't fix the other issue; I would like to see what type each row in "ContactList.xml.aspx" is. I think that functionality should be built into the "ContactList.xml.aspx" API. Reasons why can be found at the bottom of my previous post.

~Cyerus
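
The ID-based check discussed in posts [6] and [7], as an added example that is not code from any poster or from CCP: the pilot's three IDs are matched against contactID and contactName is never compared. The pilot IDs and the minimum-standing threshold are constructed assumptions.

```php
<?php
// Constructed sample in the ContactList format quoted in the first post.
$contactListXml = <<<XML
<eveapi version="2">
  <result>
    <rowset name="contactList" key="contactID" columns="contactID,contactName,inWatchlist,standing">
      <row contactID="123456" contactName="Galactic Dominion" inWatchlist="False" standing="10" />
      <row contactID="797400947" contactName="CCP Garthagk" inWatchlist="True" standing="-5" />
    </rowset>
  </result>
</eveapi>
XML;

/**
 * Decide access by ID only. $pilot carries the characterID, corporationID
 * and allianceID obtained from /eve/CharacterInfo.xml.aspx; $minStanding is
 * an assumed site policy, not something the API defines.
 */
function hasStandingAccess(string $xml, array $pilot, float $minStanding): bool
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        return false; // unparsable response: deny
    }
    // Drop empty IDs (e.g. no alliance) and compare as strings, strictly.
    $ids = array_map('strval', array_filter($pilot));
    $rows = $doc->xpath('/eveapi/result/rowset[@name="contactList"]/row') ?: [];
    foreach ($rows as $row) {
        if (in_array((string) $row['contactID'], $ids, true)
            && (float) $row['standing'] >= $minStanding) {
            return true; // contactName is never consulted
        }
    }
    return false;
}

// Constructed pilots: the first has no ID in the contact list, the second
// really belongs to the corporation with contactID 123456.
$outsider = ['characterID' => 90000001, 'corporationID' => 98000001, 'allianceID' => 0];
$member   = ['characterID' => 90000002, 'corporationID' => 123456,   'allianceID' => 0];

var_dump(hasStandingAccess($contactListXml, $outsider, 5.0));
var_dump(hasStandingAccess($contactListXml, $member, 5.0));
```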

Temar Radeik
Intergalactic Syndicate
Nulli Secunda
Posted - 2011.05.04 03:00:00 - [8]
 

I thought names were unique in a wide range, e.g. characters can't have the same name as a corp.
I might be wrong but that's what I thought,
so if I'm right there would be no character being passed off as a corp member by name.

Lutz Major
Posted - 2011.05.04 10:14:00 - [9]
 

Originally by: Cyerus
Let's keep it nice, shall we? I respect your answers, as you should respect my questions.
You are right.

Back to your problem: You want to know which type a contact is?

As already mentioned in the second post there are three different API pages, which provide the solution. I'm pretty sure, the API server is robust enough and can process your requests just fine. Even if you would have 1000s of contacts and do three calls for each, the API server would still not break a sweat.

Of course it would be bad manners to continuously query for the different contacts so a good behaviour from your side would be to store the results locally and query them first and ask the API later. IDs never change, names can though (if someone biomasses a pilot his/her name can be recycled!).

About the 'potential less false API calls' I just say, that it is on you not to make false calls! If you get a 'does not exist' error, you are responsible for not making such a call again.

Conclusion: The API already provides all necessary information to check for the various types. No need to enhance it.

Squizz Caphinator
Woopatang
Posted - 2011.05.04 16:32:00 - [10]
 

Names are unique among characters, corporations, and alliances.

I ran into this same problem when working on ESAM, the solution is quite simple and has no security risks other than bad coding.

You already have a contactID, which is awesome. Now you can simply check the Alliance XML to see if any of the allianceIDs match that contactID? No, now pull a Corporation XML using that contactID to see if it's a corporationID? No, well then you now know it must be a character, pull the CharacterSheet (no api required) using that contactID.

Falling through these steps, and then caching your find for future reference, will get you through this problem.

Cyerus
Galactic Dominion
Eternal Strife
Posted - 2011.05.05 01:10:00 - [11]
 

Hi,

Thanks for the replies.
I made the script as Lutz Major and Squizz Caphinator requested, and it works correctly.

Query CorporationSheet.xml.aspx -> If error 523 it's no corporation
Query CharacterInfo.xml.aspx -> If error 522 it's no character
Query AllianceList.xml.aspx -> If not in the list it's no alliance

Which works, but you need maximum 3 extra API calls to check this out. Can be cached by ID-number if you already know the type, but for every new ID-number you will have to query it again.

With the change I am presenting, this is reduced to 0 extra calls per ID-number. With all the information already on the ContactList.xml.aspx API, it will be the only page to request to get all the information you need.

Lutz Major disagrees with me, I don't know about Squizz Caphinator.
However, I would like to hear your opinion on this idea as well. Please keep posting your thoughts on this change.

Thanks, Cyerus
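
The fall-through type lookup with caching described in posts [10] and [11], as an added example that is not the script Cyerus wrote: the two callables are hypothetical wrappers around the CorporationSheet and CharacterInfo queries, and all IDs other than those quoted in the thread are constructed.

```php
<?php
// Type numbering proposed in the first post.
const TYPE_CHARACTER = 0;
const TYPE_CORPORATION = 1;
const TYPE_ALLIANCE = 2;

/**
 * Resolve a contactID to its type with the fall-through order from the
 * thread, caching hits by ID (IDs never change; names can be recycled).
 * $isCorporation and $isCharacter are hypothetical wrappers around the
 * CorporationSheet and CharacterInfo queries that return false on
 * error 523 and 522 respectively.
 */
function resolveContactType(int $id, array $allianceIds, callable $isCorporation,
                            callable $isCharacter, array &$cache): ?int
{
    if (array_key_exists($id, $cache)) {
        return $cache[$id];              // no API traffic for known IDs
    }
    if (in_array($id, $allianceIds, true)) {
        $type = TYPE_ALLIANCE;           // cached AllianceList lookup
    } elseif ($isCorporation($id)) {
        $type = TYPE_CORPORATION;
    } elseif ($isCharacter($id)) {
        $type = TYPE_CHARACTER;
    } else {
        return null;                     // unknown ID: do not guess, do not cache
    }
    return $cache[$id] = $type;
}

// Constructed stand-ins for the API so the example runs offline.
$calls = 0;
$allianceIds = [99000001];
$isCorporation = function (int $id) use (&$calls): bool { $calls++; return $id === 123456; };
$isCharacter   = function (int $id) use (&$calls): bool { $calls++; return $id === 797400947; };

$cache = [];
foreach ([123456, 797400947, 99000001, 123456, 797400947, 42] as $id) {
    $type = resolveContactType($id, $allianceIds, $isCorporation, $isCharacter, $cache);
    printf("%d => %s\n", $id, var_export($type, true));
}
printf("lookups that reached the API stubs: %d\n", $calls);
```

Returning null for an ID that matches none of the three sources, instead of assuming "character", keeps a failed or mistyped lookup from being cached as a valid type.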

Tonto Auri
Vhero' Multipurpose Corp
Posted - 2011.05.05 02:18:00 - [12]
 

Originally by: Lutz Major
*sigh*

I wish Catari or Tonto would be here ... they'd speak in plain terms what they think of your 'idea'.

Be careful with your wishes - they could come true...

Lutz Major
Posted - 2011.05.05 06:57:00 - [13]
 

Originally by: Tonto Auri
Originally by: Lutz Major
*sigh*

I wish Catari or Tonto would be here ... they'd speak in plain terms what they think of your 'idea'.

Be careful with your wishes - they could come true...
Tonto. Nice to have you back!


Now I wish to be a millionaire!

Tonto Auri
Vhero' Multipurpose Corp
Posted - 2011.05.05 11:32:00 - [14]
 

Originally by: Lutz Major
Now I wish to be a millionaire!

http://www.sinfest.net/archive_page.php?comicID=2888
^_^

Squizz Caphinator
Woopatang
Posted - 2011.05.05 19:42:00 - [15]
 

Originally by: Cyerus
Hi,

Thanks for the replies.
I made the script as Lutz Major and Squizz Caphinator requested, and it works correctly.

Query CorporationSheet.xml.aspx -> If error 523 it's no corporation
Query CharacterInfo.xml.aspx -> If error 522 it's no character
Query AllianceList.xml.aspx -> If not in the list it's no alliance

Which works, but you need maximum 3 extra API calls to check this out. Can be cached by ID-number if you already know the type, but for every new ID-number you will have to query it again.

With the change I am presenting, this is reduced to 0 extra calls per ID-number. With all the information already on the ContactList.xml.aspx API, it will be the only page to request to get all the information you need.

Lutz Major disagrees with me, I don't know about Squizz Caphinator.
However, I would like to hear your opinion on this idea as well. Please keep posting your thoughts on this change.

Thanks, Cyerus


Doesn't matter much to me. Having a cached AllianceList handy helps for quick checks for Alliances and the thousands of corporations that are listed there. It's all trivial.

Another iteration of the API will be coming Soon (::CCP::), until then feature requests against the API will likely be ignored. Work with what you have and make the best of it.


 
