Starting next month, any requests to the Amazon Product Advertising API need to be cryptographically signed. Amazon has given about three months notice and the deadline is quickly approaching. I use the Amazon web services on several sites and came up a fairly generic way to convert an existing URL to a signed URL. I’ve tested with several sites and a variety of functions, and this is working well for me so far:
function signAmazonUrl($url, $secret_key)
{
$original_url = $url;
// Decode anything already encoded
$url = urldecode($url);
// Parse the URL into $urlparts
$urlparts = parse_url($url);
// Build $params with each name/value pair
foreach (split('&', $urlparts['query']) as $part) {
if (strpos($part, '=')) {
list($name, $value) = split('=', $part, 2);
} else {
$name = $part;
$value = '';
}
$params[$name] = $value;
}
// Include a timestamp if none was provided
if (empty($params['Timestamp'])) {
$params['Timestamp'] = gmdate('Y-m-d\TH:i:s\Z');
}
// Sort the array by key
ksort($params);
// Build the canonical query string
$canonical = '';
foreach ($params as $key => $val) {
$canonical .= "$key=".rawurlencode(utf8_encode($val))."&";
}
// Remove the trailing ampersand
$canonical = preg_replace("/&$/", '', $canonical);
// Some common replacements and ones that Amazon specifically mentions
$canonical = str_replace(array(' ', '+', ',', ';'), array('%20', '%20', urlencode(','), urlencode(':')), $canonical);
// Build the sign
$string_to_sign = "GET\n{$urlparts['host']}\n{$urlparts['path']}\n$canonical";
// Calculate our actual signature and base64 encode it
$signature = base64_encode(hash_hmac('sha256', $string_to_sign, $secret_key, true));
// Finally re-build the URL with the proper string and include the Signature
$url = "{$urlparts['scheme']}://{$urlparts['host']}{$urlparts['path']}?$canonical&Signature=".rawurlencode($signature);
return $url;
}
To use it, just wrap your Amazon URL with the signAmazonUrl() function and pass it your original string and secret key as arguments. As an example:
$xml = file_get_contents('http://webservices.amazon.com/onca/xml?some-parameters');
becomes
$xml = file_get_contents(signAmazonUrl('http://webservices.amazon.com/onca/xml?some-parameters', $secret_key));
Like most all of the variations of this, it does require the hash functions be installed to use the hash_hmac() function. That function is generally available in PHP 5.1+. Older versions will need to install it with Pecl. I tried using a couple of versions that try to create the Hash in pure PHP code, but none worked and installing it via Pecl was pretty simple.
(Note that I’ve slightly revised this code a couple of times to fix small issues that have been noticed)
Doesn’t work mate. Just “The request signature we calculated does not match the signature you provided” notice.
Good idea though
The code works for me on quite a few sites. If you still need a solution, try out http://www.apisigning.com/
Great solution – Thank you!
Works great for all sites – saves a lot of work!
YOU ROCK! Works perfectly.
Many thanks Brandon – easy and painless to implement.
Cool implementation, saves me a lot of time reading Amazon API manuals. By the way, it does not work with any special characters like ÄÖ etc. in the url. As soon as i have a proper implementation for this i will post it here.
Cool man, this snippet of code saved me a lot of time.
Thanks from me, my time and my finances 😛
hey
I am new to php…
can any one tell me what we have to pass as a url in this function….it will be great if some one show me the argument as a sample being passed to this function.
thnx in advance….
@Mariana,
You should call the function and pass it any unsigned URL. IE:
http://free.apisigning.com/onca/xml?Service=AWSECommerceService&AWSAccessKeyId=YOUR_KEY_HERE&Operation=ItemLookup&ItemId=0596006810&ResponseGroup=ItemAttributes
hello, this thing is driving me crazy I don’t get why Amazon required to make such a complicated request. I tried your script but it just keeps saying the signature is wrong.
$url = signAmazonUrl(“http://ecs.amazonaws.com/onca/xml?Service=AWSECommerceService&AWSAccessKeyId=AKIAJF2HBLPGGOIGB4HA&Operation=ItemLookup&ItemId=B0027FFT70&ResponseGroup=Large”);
this is the request, i added my secret key by defying it in your script.
It doesn’t work for me.
@Sandro
In your request, your ampersands have been URL Encoded, and they shouldn’t be when passing to that function.
Also, you can use the free signing service that I offer at APISigning.com where all you have to do is change the hostname in your original request to make it work.
Thanks,
Brandon Checketts
Thank you now it works just fine.
I tried this script and it didn’t work for me so I made simplified version for my needs.
For those who cannot get this script to work, feel look at my code as it may help you – http://www.jamiebicknell.com/blog/27-Oct-09/View-Your-Amazon-Wishlist-via-PHP
Thank you
@Jaime,
That looks like a good simplification. I’ve intentionally made mine take some extra steps so that the code is more self-explanatory and easy to follow. Yours will also throw a few PHP Notices which I generally try to avoid.
@Brandon I can’t see/find any PHP Notices?
@Jamie,
Actually, in looking at it in more detail, the code that I originally thought would cause the Notice, it looks like I was wrong. Code looks pretty good to me.
Cheers dude
Working perfectly .. thank you so much.
Thanks Brandon, You saved me a ton of work!!! Works beautifully. First I was getting a Signature not matched error, but later I found my URL was not properly encoded.
I have already wasted my 3 days.. for this…
But you Rock Man.. woww…..
Works in first attemp… Just superb…
Many thanks, Brandon !
It works perfectly…
Thank you! Works for me in July 2015.
So much better than maintaining an the php API for light work, like retrieving book images.