I’m using the creditsystem.com/ws API.
In order to send requests to creditsystem on my page, I have to specify the account username and password in my form (this is an account received from creditsystem).
Obviously, I can’t show those values to the end user. The fields will be hidden, but the user could browse the code and see the username/password of the creditsystem account.
How to do this securely?
One idea I had was to call a secure page via ajax (and sending a token), which will then call another ajax and return the response from the creditsystem. But I’m not sure whether this would work and whether this would be a correct approach.
I would suggest you to collect the form data inputted by the user, then using curl you could send a POST request to the website, in which you include your username, password and the other data provided by the user. In this way the call to the API is done server-side and not client-side, avoiding any problem concerning your username/password visibility.
You can find a lot of examples on the web: http://www.google.com/search?q=php+curl+post.