# 09 — API / entry-point reference

This is a procedural, file-as-endpoint app. Each PHP file that's publicly reachable acts as a distinct HTTP endpoint. This document catalogs them.

## Public entry points (HTTP)

### `httpdocs/index.php`
- **Route**: `GET /`
- **Role**: Main dispatcher
- **Flow**: `session_start` → load dsX → set `$include_dir` → dispatch to `search/results.php` or static page based on `$_GET`
- **Inputs**: `q` (query), `loc` (location), `cat` (category), `page`
- **Notes**: Hardcoded `$include_dir` path

### `httpdocs/admin.php`
- **Route**: `GET /admin.php`
- **Role**: Admin gateway
- **Distinguishing behavior**: sets `$IS_ADVERTISER = 1` flag to enable admin-only branches in shared templates
- **Auth**: requires `_islogged` cookie + role=admin on the session

### `httpdocs/r.php`
- **Route**: `GET /r.php?id=<listing_id>&url=<dest>`
- **Role**: Click redirect + log writer
- **DB writes**: `INSERT INTO iweb_jh_click_log`, debit `iweb_accounts.balance`
- **Response**: 302 → `dest`
- **Security**: open-redirect risk if `url` is pass-through; see [08-security-audit.md](08-security-audit.md)

### `httpdocs/ip_zip.php`
- **Route**: `GET /ip_zip.php`
- **Role**: Returns the requester's ZIP/postal code via GeoIP
- **Response**: JSON (inferred)
- **Data source**: MaxMind `.dat` files in `httpdocs/maxmind/assets/`

### `httpdocs/joe.php`
- **Route**: `GET /joe.php?...`
- **Role**: **Dev artifact** — queries Yellow Pages public API through a hardcoded internal proxy
- **Action**: should be deleted (see [08-security-audit.md](08-security-audit.md) #12)

### `httpdocs/advertisers/index.php`
- **Route**: `GET /advertisers/`
- **Role**: Advertiser portal landing
- **Auth**: session-gated
- **Sets**: `$IS_ADVERTISER = 1`

### `httpdocs/publishers/index.php`
- **Route**: `GET /publishers/`
- **Role**: Publisher platform landing

### `httpdocs/publishers/affiliates.php`
- **Route**: `GET /publishers/affiliates.php`
- **Role**: Affiliate earnings / signup UI

### `httpdocs/account/index.php`
- **Route**: `GET /account/`
- **Role**: Account dashboard (balance, history, settings)

### `httpdocs/pages/index.php`
- **Route**: `GET /pages/?page=<name>`
- **Role**: Static-content router
- **Valid values of `page`**: `about`, `advertisers`, `privacy`, `publishers`, `terms`
- **Legacy routes**: `/pages/advertisers_old.php`, `/pages/publishers_old.php` — still reachable; delete

### `httpdocs/support/index.php`
- **Route**: `GET /support/`
- **Role**: Support ticket UI + FAQs

### `httpdocs/auth/index.php`
- **Route**: `GET /auth/`
- **Role**: Login page
- **Form action**: `POST /auth/scripts/login.php`

### `httpdocs/auth/scripts/login.php`
- **Route**: `POST /auth/scripts/login.php`
- **Inputs**: `username`, `password`, `captcha_answer`
- **On success**: sets `_islogged` cookie + session, redirects to portal

### `httpdocs/auth/scripts/_login_continue.php`
- **Route**: likely internal include; confirm whether it's reachable as a standalone endpoint

## Public entry points (HTTPS-only)

### `httpsdocs/index.php`
- **Route**: `GET /` on the HTTPS vhost
- **Role**: secure entry; may redirect to `/accounts.php` or to the appropriate portal

### `httpsdocs/admin.php`
- **Route**: `GET /admin.php` on the HTTPS vhost
- **Role**: admin UI under HTTPS

### `httpsdocs/r.php`
- **Route**: `GET /r.php?id=...` on the HTTPS vhost
- **Role**: click redirect logger — **has SQL injection vulnerabilities** (lines 123, 394 of the file; request parameters are concatenated into the click-log queries)
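The two `r.php` findings above (the pass-through `url` on the HTTP copy, the string-built SQL on the HTTPS copy) have the same fix shape, so one worked example covers both. This is an added, hypothetical rewrite of the redirect endpoint, not the project's code: it treats `id` as the only trusted input, resolves the destination from the database instead of the `url` parameter, and writes the click log and balance debit with bound parameters in one transaction. The `iweb_listings` table and its columns, the `$pdo` handle (assumed to come from the app's bootstrap include) and the click-log column names are assumptions; only `iweb_jh_click_log` and `iweb_accounts.balance` appear in this reference.

```php
<?php
// Hypothetical hardened r.php (added example, not the project's code).
// Assumes $pdo is a PDO handle with ERRMODE_EXCEPTION created by the app's
// bootstrap include, and a table iweb_listings(id, account_id, dest_url, cpc)
// holding the canonical destination per listing. Both are assumptions.
declare(strict_types=1);

const ALLOWED_SCHEMES = ['http', 'https'];

/** The listing id must be a positive integer; anything else is rejected. */
function parse_listing_id(array $query): ?int
{
    if (!isset($query['id']) || !preg_match('/^[1-9][0-9]{0,9}$/', (string) $query['id'])) {
        return null;
    }
    return (int) $query['id'];
}

/** Destination comes from the stored record; the request's `url` is never used. */
function fetch_listing(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, account_id, dest_url, cpc FROM iweb_listings WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Only absolute http(s) URLs are acceptable redirect targets, even from the DB. */
function is_safe_destination(string $url): bool
{
    $parts = parse_url($url);
    return $parts !== false
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true);
}

/** Record the click and debit the advertiser atomically, with bound parameters. */
function log_click(PDO $pdo, array $listing, string $ip, string $ua): void
{
    $pdo->beginTransaction();
    try {
        $ins = $pdo->prepare(
            'INSERT INTO iweb_jh_click_log (listing_id, account_id, ip, user_agent, clicked_at)
             VALUES (:lid, :aid, :ip, :ua, NOW())'
        );
        $ins->execute([
            ':lid' => $listing['id'],
            ':aid' => $listing['account_id'],
            ':ip'  => $ip,
            ':ua'  => substr($ua, 0, 255),   // column width assumed to be 255
        ]);
        // Debit only if the balance covers the cost; an insufficient balance
        // leaves the row unchanged but the click is still logged.
        $deb = $pdo->prepare(
            'UPDATE iweb_accounts SET balance = balance - :cpc
             WHERE id = :aid AND balance >= :cpc_min'
        );
        $deb->execute([
            ':cpc'     => $listing['cpc'],
            ':aid'     => $listing['account_id'],
            ':cpc_min' => $listing['cpc'],
        ]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// --- request handling ---
$id      = parse_listing_id($_GET);
$listing = $id === null ? null : fetch_listing($pdo, $id);

if ($listing === null || !is_safe_destination($listing['dest_url'])) {
    http_response_code(404);
    exit('unknown listing');
}

log_click($pdo, $listing, $_SERVER['REMOTE_ADDR'] ?? '', $_SERVER['HTTP_USER_AGENT'] ?? '');

// Redirect only to the stored destination; a `url` parameter in the request is ignored.
header('Location: ' . $listing['dest_url'], true, 302);
exit;
```

Existing `r.php?id=...&url=...` links keep working because `id` alone identifies the target; the `url` parameter simply stops having any effect, which is what closes the open redirect. Using two distinct placeholders (`:cpc`, `:cpc_min`) for the same value keeps the statement valid whether or not PDO's emulated prepares are enabled.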

### `httpsdocs/search.php`
- **Route**: `GET /search.php`
- **Role**: secure search endpoint

### `httpsdocs/accounts.php`
- **Route**: `GET|POST /accounts.php`
- **Role**: account management form

### `httpsdocs/receive-payment.php`
- **Route**: `POST /receive-payment.php`
- **Role**: payment callback receiver
- **Called by**: PayPal IPN, Authorize.net CGI
- **DB writes**: `INSERT INTO iweb_acct_deposits`, updates `iweb_acct_summary`

### `httpsdocs/settings.php`
- **Route**: `GET|POST /settings.php`
- **Role**: unclear at scan depth — either user settings UI or an admin config endpoint. Audit before exposing further.

### `httpsdocs/search_old/`, `httpsdocs/validation_old/`
- **Legacy directories** — confirm they aren't served by Apache's directory indexing; if they are, add `<Directory>` denies

## dsX internal endpoints (reachable if mapped)

These live under `httpdocs/search/` and may be referenced by hard-coded URLs in templates:

- `httpdocs/search/results.php` — search results renderer
- `httpdocs/search/accounts.php` — account management from dsX
- `httpdocs/search/parking.php` — parked-domain handler
- `httpdocs/search/inlinehor-media.php` — horizontal inline media ads
- `httpdocs/search/admin.php` — dsX admin
- `httpdocs/search/r.php` — dsX redirect (parallel to root r.php)
- `httpdocs/search/api.php` — unspecified API

Because these files sit under DocumentRoot, each is directly requestable by URL unless Apache is configured to deny access to `httpdocs/search/`.

## Not-an-API files worth noting

- `httpdocs/search/phpinfo.php` — delete
- `httpdocs/submissions/test/` — scrapers, delete

## Conventions

- No content-type negotiation — `application/json` where needed is set explicitly inside the PHP file
- No versioning (no `/v1/...` prefix)
- Mixed `GET`/`POST` handling inside single files (e.g., `accounts.php` serves both the form and the submit)
- No consistent error format — some files `die(json_encode(...))`, others `echo "error: ..."` as plain text, others `header("Location:")` away

## Recommendations

1. Add a dispatcher / front controller that maps URLs to controllers
2. Standardize on JSON error shape: `{status, code, title, message}` (same convention YouPortal uses)
3. Remove `_old`, `_bak`, and dev-artifact endpoints
4. Introduce URL versioning (`/api/v1/...`) for anything called from JS clients — current embed code in publisher widgets may be fragile on any URL change
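To make recommendations 1, 2 and 4 concrete, and to show how they replace the mixed handling listed under Conventions, here is an added, hypothetical front controller. It is not the project's code: the route table, the `controllers/` file names, the `/api/v1/` paths and the assumption that `login.php` stores the authenticated role in `$_SESSION['role']` are all invented for the example. Every failure goes through one `json_error()` helper that emits the `{status, code, title, message}` shape, and authorisation is decided from the server-side session only, never from the `_islogged` cookie.

```php
<?php
// Hypothetical front controller (added example, not the project's code).
// Assumes the web server rewrites every request to this file, that handler
// scripts live under controllers/, and that login.php stores the user's role
// in $_SESSION['role']. All of these are assumptions.
declare(strict_types=1);

session_start();

// Route table: "METHOD path" => handler file and the role it requires
// (null = public). The file names are placeholders for the existing scripts.
const ROUTES = [
    'GET  /'                  => ['file' => 'controllers/search.php',       'role' => null],
    'GET  /api/v1/search'     => ['file' => 'controllers/search.php',       'role' => null],
    'GET  /api/v1/account'    => ['file' => 'controllers/account.php',      'role' => 'user'],
    'POST /api/v1/account'    => ['file' => 'controllers/account_save.php', 'role' => 'user'],
    'GET  /api/v1/admin'      => ['file' => 'controllers/admin.php',        'role' => 'admin'],
];

/** Emit the standard error body {status, code, title, message} and stop. */
function json_error(int $status, string $code, string $title, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(
        ['status' => $status, 'code' => $code, 'title' => $title, 'message' => $message],
        JSON_UNESCAPED_SLASHES
    );
    exit;
}

/** Build the route key: query string and trailing slash are dropped. */
function route_key(string $method, string $uri): string
{
    $path = parse_url($uri, PHP_URL_PATH) ?? '/';
    $path = rtrim($path, '/') ?: '/';
    return sprintf('%-4s %s', strtoupper($method), $path);
}

/** Role check reads the server-side session only; cookies are not consulted. */
function authorised(?string $required): bool
{
    if ($required === null) {
        return true;
    }
    $role = $_SESSION['role'] ?? null;
    if ($required === 'user') {
        return in_array($role, ['user', 'admin'], true);   // admins may use user routes
    }
    return $role === $required;
}

$key = route_key($_SERVER['REQUEST_METHOD'] ?? 'GET', $_SERVER['REQUEST_URI'] ?? '/');

if (!isset(ROUTES[$key])) {
    json_error(404, 'not_found', 'Not found', 'No route for ' . $key);
}
$route = ROUTES[$key];

if (!authorised($route['role'])) {
    $anon = !isset($_SESSION['role']);
    json_error(
        $anon ? 401 : 403,
        $anon ? 'unauthenticated' : 'forbidden',
        $anon ? 'Login required' : 'Insufficient role',
        'Route requires role ' . $route['role']
    );
}

// Handlers signal expected failures with RuntimeException; anything else is a
// generic 500 so internals are logged server-side rather than echoed to clients.
try {
    require __DIR__ . '/' . $route['file'];
} catch (RuntimeException $e) {
    json_error(400, 'bad_request', 'Request rejected', $e->getMessage());
} catch (Throwable $e) {
    error_log($e->getMessage());
    json_error(500, 'internal', 'Server error', 'Unexpected failure');
}
```

Splitting `GET /api/v1/account` and `POST /api/v1/account` into two handlers is what removes the "one file serves both the form and the submit" pattern noted above, and because only the route table knows the file names, moving or versioning an endpoint no longer changes the URL that embedded publisher widgets call.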
