Replies: 3 comments
-
Photon returns You can use Nominatim (https://nominatim.org/release-docs/develop/api/Lookup/) or Overpass API (https://wiki.openstreetmap.org/wiki/Overpass_API/Overpass_QL#By_element_id) which allow searching by those values.
The Photon API isn't vulnerable, it returns place data given a query. Your attack scenario might be a security issue on your website and Photon might be the wrong tool for your use case.
-
@you can use Nominatim: A curl request to an external site also has other issues (performance, no independence, DNS firewall, API/layout changes, too many curl calls for a big website etc. - just too many variables). The attack scenario is a general issue, every user can intercept requests. It was just a feature wish. It would be quite helpful to have it.
-
Nominatim and Overpass API are installable software, like photon.
-
I have the location ID and need the data (location name, lat, lng etc.) for this ID. Like the use case: a user is selecting a location from the website via autocomplete and I will pass the location ID, lat, lng, name etc. to my server:
...[13.088345,52.6755087,13.7611609,52.3382448],"country":"Germany","osm_key":"place","countrycode":"DE","osm_value":"city","name":"Berlin","type":"city....
but those data (lng, lat, name) can be modified via a data dumper or a simple browser plugin in this HTTPS request. So, a user could change the location name "berlin" to "see my ad here" or "f*ck that website" and I would enter those data into the database. That's a security issue and a vulnerable API.
Better: I fetch the location ID only and get all other data (name, lat, lng etc.) from a second API call, made internally by the server. A curl request to an external site also has other issues (performance, no independence, DNS firewall, API/layout changes, too many curl calls for a big website etc. - just too many variables).
Is this somehow possible or could this be implemented to improve security?
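As an added example (not code from the Photon project or from anyone in this thread) of the server-side pattern the question describes: the server accepts only the OSM type and id from the browser, resolves name/lat/lng itself through an id lookup, and stores the resolved record, so fields rewritten in transit never reach the database. Client-supplied name/lat/lng are compared against the resolved values only as a tamper signal for logging. It assumes Nominatim's `lookup` endpoint (`osm_ids=R123&format=json`) and its `display_name`/`lat`/`lon` response fields; the `SAMPLE_DIRECTORY`, `fake_http_get` and the id `R1000001` are constructed so the example runs offline, and the User-Agent string is a placeholder.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Real Nominatim lookup endpoint (osm_ids=N123,W456,R789&format=json). Production
# host choice and User-Agent policy are assumptions; the demo below never goes online.
NOMINATIM_LOOKUP = "https://nominatim.openstreetmap.org/lookup"
VALID_OSM_TYPES = {"N", "W", "R"}


class RejectedInput(ValueError):
    """Raised when the client payload or the lookup result cannot be trusted."""


def parse_client_reference(payload):
    """Keep only the OSM identifier from the untrusted browser payload."""
    osm_type = str(payload.get("osm_type", "")).upper()
    if osm_type not in VALID_OSM_TYPES:
        raise RejectedInput("osm_type must be one of N, W, R")
    try:
        osm_id = int(payload["osm_id"])
    except (KeyError, TypeError, ValueError):
        raise RejectedInput("osm_id must be an integer")
    if osm_id <= 0:
        raise RejectedInput("osm_id must be positive")
    return osm_type, osm_id


def nominatim_lookup(osm_type, osm_id, http_get=None):
    """Server-side lookup by id; http_get is injectable so the HTTP call can be replaced."""
    url = NOMINATIM_LOOKUP + "?" + urlencode({"osm_ids": f"{osm_type}{osm_id}", "format": "json"})
    if http_get is None:
        req = urllib.request.Request(url, headers={"User-Agent": "example-app/1.0 (placeholder)"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read().decode("utf-8")
    else:
        body = http_get(url)
    results = json.loads(body)
    if not results:
        return None
    hit = results[0]
    return {"osm_type": osm_type, "osm_id": osm_id, "name": hit["display_name"],
            "lat": float(hit["lat"]), "lng": float(hit["lon"])}


def resolve_place(payload, lookup=nominatim_lookup):
    """Return (authoritative record, list of client fields that disagreed with it).

    Only the id is taken from the client; name/lat/lng come from the server-side lookup.
    Disagreements are a tamper signal for logging, never used as data.
    """
    osm_type, osm_id = parse_client_reference(payload)
    place = lookup(osm_type, osm_id)
    if place is None:
        raise RejectedInput("unknown OSM object")
    if not (-90.0 <= place["lat"] <= 90.0 and -180.0 <= place["lng"] <= 180.0):
        raise RejectedInput("lookup returned coordinates out of range")
    mismatched = []
    if "name" in payload and payload["name"] != place["name"]:
        mismatched.append("name")
    for key in ("lat", "lng"):
        if key in payload:
            try:
                if abs(float(payload[key]) - place[key]) > 1e-6:
                    mismatched.append(key)
            except (TypeError, ValueError):
                mismatched.append(key)
    return place, mismatched


def is_rejected(payload, lookup=nominatim_lookup):
    """True when resolve_place refuses the payload (handy for tests and logging)."""
    try:
        resolve_place(payload, lookup=lookup)
    except RejectedInput:
        return True
    return False


# Constructed sample directory and HTTP stand-in so the example runs offline.
SAMPLE_DIRECTORY = {
    ("R", 1000001): {"display_name": "Berlin, Deutschland", "lat": "52.5170365", "lon": "13.3888599"},
}


def fake_http_get(url):
    """Answer a Nominatim-style lookup URL from SAMPLE_DIRECTORY (constructed data)."""
    osm_ids = parse_qs(urlparse(url).query)["osm_ids"][0]
    key = (osm_ids[0], int(osm_ids[1:]))
    return json.dumps([SAMPLE_DIRECTORY[key]] if key in SAMPLE_DIRECTORY else [])


def offline_lookup(osm_type, osm_id):
    return nominatim_lookup(osm_type, osm_id, http_get=fake_http_get)


if __name__ == "__main__":
    # Browser payload with the id intact but the name rewritten in transit.
    tampered = {"osm_type": "R", "osm_id": 1000001, "name": "see my ad here",
                "lat": "52.5170365", "lng": "13.3888599"}
    place, flags = resolve_place(tampered, lookup=offline_lookup)
    print("stored:", place)
    print("client fields that disagreed:", flags)
```

The same shape works with a self-hosted Nominatim or Photon instance by changing `NOMINATIM_LOOKUP` and the field names in `nominatim_lookup`; the point is that the lookup runs on the server, keyed only by the id, and that rejected or mismatching payloads are logged rather than stored.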