komoot / photon

an open source geocoder for openstreetmap data
Apache License 2.0

Reverse Search by ID to improve security #722

Closed kw005 closed 1 year ago

kw005 commented 1 year ago

I have the location ID and need the data (location name, lat, lng etc.) for this ID. Like the use case: a user is selecting a location from the website via autocomplete and I will pass the location ID, lat, lng, name etc. to my server:

...[13.088345,52.6755087,13.7611609,52.3382448],"country":"Germany","osm_key":"place","countrycode":"DE","osm_value":"city","name":"Berlin","type":"city....

but those data (lng, lat, name) can be modified via data dumper or a simple browser plugin in this https request. So, a user could change the location name "berlin" to "see my ad here" or "f*ck that website" and I would enter those data into the database. That's a security issue and a vulnerable API.

Better: I fetch the location ID only and get all other data (name, lat, lng etc.) from a second API call, made internally by the server. A curl request to an external site has also other issues (performance, no independency, DNS Firewall, API/layout change, too many curl calls for a big website etc. - just too many variables).

Is this somehow possible or could this be implemented to improve security?

mtmail commented 1 year ago

Photon returns osm_type and osm_id which can be used as a unique identifier of a place. There are no plans to allow searching Photon by those https://github.com/komoot/photon/issues/720

You can use Nominatim (https://nominatim.org/release-docs/develop/api/Lookup/) or Overpass API (https://wiki.openstreetmap.org/wiki/Overpass_API/Overpass_QL#By_element_id) which allow searching by those values.

That's a security issue and a vulnerable API.

The Photon API isn't vulnerable, it returns place data given a query. Your attack scenario might be a security issue on your website and Photon might be the wrong tool for your use case.
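The pattern mtmail describes (the browser sends only osm_type and osm_id, the server resolves name and coordinates itself from a geocoder it trusts) as an added Python example. This is not code from Photon, Nominatim or either commenter. It assumes a self-hosted Nominatim whose /lookup endpoint accepts `osm_ids=R123` style identifiers (the documented format linked above); the geocoder response is replaced by a constructed in-memory index so the example runs offline, and the OSM id and coordinates in it are made up.

```python
"""Resolve a place server-side from an untrusted client reference.

Added example: the request body may carry name/lat/lon, but only the
identifier is read from it; all other attributes come from the geocoder.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Photon reports osm_type as N (node), W (way) or R (relation); Nominatim's
# /lookup takes the same letter as a prefix and answers with the full word.
_OSM_TYPE_WORD = {"N": "node", "W": "way", "R": "relation"}
_OSM_TYPE_RE = re.compile(r"^[NWR]$")


@dataclass(frozen=True)
class Place:
    osm_type: str
    osm_id: int
    name: str
    lat: float
    lon: float


def parse_client_ref(payload: Dict[str, object]) -> Tuple[str, int]:
    """Extract only the identifier from the untrusted request body.

    name, lat, lon or anything else the client sent is ignored on purpose,
    so a tampered request cannot plant text or coordinates in the database.
    """
    osm_type = str(payload.get("osm_type", ""))
    if not _OSM_TYPE_RE.match(osm_type):
        raise ValueError("osm_type must be one of N, W, R")
    try:
        osm_id = int(payload["osm_id"])  # type: ignore[arg-type]
    except (KeyError, TypeError, ValueError):
        raise ValueError("osm_id must be an integer") from None
    if osm_id <= 0:
        raise ValueError("osm_id must be positive")
    return osm_type, osm_id


def nominatim_lookup_url(base: str, osm_type: str, osm_id: int) -> str:
    """Build the /lookup URL for a self-hosted Nominatim (base URL is assumed)."""
    query = urlencode({"osm_ids": f"{osm_type}{osm_id}", "format": "jsonv2"})
    return f"{base.rstrip('/')}/lookup?{query}"


def resolve_place(
    payload: Dict[str, object],
    fetch: Callable[[str], List[Dict[str, object]]],
    base: str = "http://localhost:8080",
) -> Optional[Place]:
    """Return the geocoder's own record for the id the client referenced.

    `fetch` performs the HTTP GET and returns the decoded JSON list; it is
    injected so the example can run against the constructed index below.
    """
    osm_type, osm_id = parse_client_ref(payload)
    results = fetch(nominatim_lookup_url(base, osm_type, osm_id))
    if not results:
        return None  # unknown id: reject rather than fall back to client data
    rec = results[0]
    # Defensive check: the record must describe exactly the object we asked for.
    if rec.get("osm_type") != _OSM_TYPE_WORD[osm_type] or int(rec["osm_id"]) != osm_id:
        raise ValueError("geocoder answered for a different object")
    name = str(rec.get("name") or rec["display_name"])
    return Place(osm_type, osm_id, name, float(rec["lat"]), float(rec["lon"]))


# Constructed stand-in for the geocoder; id and coordinates are invented.
CONSTRUCTED_INDEX: Dict[str, Dict[str, object]] = {
    "R123456": {
        "osm_type": "relation", "osm_id": 123456, "name": "Berlin",
        "display_name": "Berlin, Deutschland", "lat": "52.52", "lon": "13.405",
    },
}


def fake_fetch(url: str) -> List[Dict[str, object]]:
    """Offline replacement for the HTTP call: answers from CONSTRUCTED_INDEX."""
    osm_ids = parse_qs(urlparse(url).query).get("osm_ids", [""])[0]
    hit = CONSTRUCTED_INDEX.get(osm_ids)
    return [hit] if hit else []


if __name__ == "__main__":
    # A tampered request: the id is genuine, the name and coordinates are not.
    tampered = {"osm_type": "R", "osm_id": "123456",
                "name": "see my ad here", "lat": "0", "lon": "0"}
    print(resolve_place(tampered, fake_fetch))  # name is "Berlin", not the planted text
```

In production `fetch` would be a small wrapper around the HTTP client of your choice that GETs the URL and returns the parsed JSON; because the name and coordinates stored come from that response and never from the request body, intercepting or editing the browser request changes nothing except which id is looked up.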

kw005 commented 1 year ago

@You can use Nominatim: A curl request to an external site has also other issues (performance, no independency, DNS Firewall, API/layout change, too many curl calls for a big website etc. - just too many variables).

The attack scenario is a general issue, every user can intercept requests.

It was just a feature wish. It would be quite helpful to have it.

mtmail commented 1 year ago

Nominatim and Overpass API are installable software, like photon.