Slim API and Swagger


#1

Hi,

I have just got the Slim PHP Framework with Composer. I want to use the Slim framework for an API. I developed the API with all the logic in one place, but then I decided to use Swagger and generated server code from the sample petstore in the Swagger editor. It gives me a different standard, with the concept of a module structure as below.

Now I am not finding proper documentation or a sample example of using Swagger with Slim in the recommended way (using the Modules namespace as per the Swagger recommendation).
Thanks in advance.

My sample working index.php API is as below; I need help to change the same into the Swagger recommended way.

<?php
/**
 * Swagger Petstore
 * @version 1.0.0
 */

require_once __DIR__ . '/vendor/autoload.php';

$app = new Slim\App();

/**
 * GET findPetsByStatus
 * Summary: Finds Pets by status
 * Notes: Multiple status values can be provided with comma separated strings
 * Output-Formats: [application/xml, application/json]
 */
$app->get('/wines/{name}', function ($request, $response, $args) {
    $id = $args['name'];

    // check for required params
    //verifyRequiredParams(array('name'));

    $sql = "SELECT * FROM wine WHERE id=$id";

    try {
        $db = getConnection();
        $stmt = $db->prepare($sql);
        $stmt->bindParam("id", $id);
        $stmt->execute();
        $wines = $stmt->fetchAll(PDO::FETCH_OBJ);

        $db = null;
        # echo '{"wine": ' . json_encode($wines) . '}';
    } catch (PDOException $e) {
        echo '{"error":{"block1":' . $e->getMessage() . '}}';
        #debug_print_backtrace();
    }

    $queryParams = $request->getQueryParams();
    $status = $queryParams['status'];

    $response->write('How about implementing findPetsByStatus as a GET method ?');
    return $response;
});

$app->run();

function getConnection() {
    $dbhost = "localhost";
    $dbuser = "root";
    $dbpass = "";
    $dbname = "cellar";
    $dbh = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $dbh;
}

#2

I can’t help you with the Swagger question, but this is not how you do prepared statements. As it stands, this code is susceptible to a SQL Injection attack, as PHP will interpolate $id into the $sql variable and insert whatever comes out of $args['name']. It’s pretty easy to fix, however:

$id = $args['name'];
$sql = "SELECT * FROM wine WHERE id=:id";
try {
    $db = getConnection();
    $stmt = $db->prepare($sql);
    $stmt->bindParam(":id", $id);
    $stmt->execute();
    $wines = $stmt->fetchAll(PDO::FETCH_OBJ);
    $db = null;
} catch (PDOException $e) {
    echo '{"error":{"block1":' . json_encode($e->getMessage()) . '}}';
}

I would also recommend that you tell the bindParam() method specifically what the data type is, such as PDO::PARAM_STR or PDO::PARAM_INT. It’s not mandatory, but it can help where the type can be ambiguous (such as when someone has defined an enum with the values 1 and 0).
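As an added illustration of the point made in this reply (example code written for this page, not posted by either participant), the script below puts the interpolated query from the first post next to the prepared-statement version and runs both against an in-memory SQLite table, so it needs no MySQL server. The `wine` table, its three rows, the `findWineUnsafe`/`findWineSafe` function names and the hostile input value are all constructed for the demo.

```php
<?php
// Added example, not from the thread: contrasts string-interpolated SQL with a
// prepared statement, using an in-memory SQLite table so it runs offline.

function makeDemoDb(): PDO {
    // Constructed demo table; the real thread uses a MySQL "cellar" database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE wine (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO wine (id, name) VALUES (1, 'Merlot'), (2, 'Shiraz'), (3, 'Riesling')");
    return $db;
}

// Vulnerable form, as in the first post: the route argument is pasted into the
// SQL text, so the caller controls the WHERE clause.
function findWineUnsafe(PDO $db, string $id): array {
    $sql = "SELECT * FROM wine WHERE id=$id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form, as in the reply: validate the type first, then bind the value
// to a named placeholder with an explicit PDO::PARAM_INT type. The bound value
// is sent as data, so it can never change the structure of the statement.
function findWineSafe(PDO $db, string $id): array {
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT * FROM wine WHERE id=:id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDemoDb();

// Ordinary request: both forms return the single matching row.
printf("unsafe /wines/2 -> %d row(s)\n", count(findWineUnsafe($db, '2')));
printf("safe   /wines/2 -> %d row(s)\n", count(findWineSafe($db, '2')));

// Constructed hostile value: the interpolated query becomes
// "WHERE id=2 OR 1=1" and every row comes back; the hardened form rejects the
// input before the database is touched (a 400 in a real handler).
$hostile = '2 OR 1=1';
printf("unsafe /wines/%s -> %d row(s)\n", $hostile, count(findWineUnsafe($db, $hostile)));
try {
    findWineSafe($db, $hostile);
} catch (InvalidArgumentException $e) {
    printf("safe   /wines/%s -> rejected: %s\n", $hostile, $e->getMessage());
}
```

The prepared statement alone is what removes the injection; the `filter_var` check is a second layer that turns a malformed id into a clean client error instead of a database round-trip. In Slim 3 the same constraint can also be expressed in the route pattern, `/wines/{id:[0-9]+}`, so non-numeric ids never reach the handler at all.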


#3

Thanks Antnee,

I really appreciate it. I am new, and your suggestion is definitely going to help us, especially for SQL Injection. Point noted.

Any help with Swagger and Slim? How can we use Swagger & Slim together?