Simple Example of PHP software changes to comply with Authenticated / Signed Request / Query to Amazon's AWS / Product Advertising API for affiliate websites - which may affect some homeschool websites.
Amazon documents hint at how to do this, but there's no sample code for PHP programming -
Here's how I got it to work...
// example starts with a typical AWS operation - no keys or timestamp yet
$request = 'Operation=ItemLookup&ResponseGroup=Tags&TagsPerPage=20&Marketplace=us&Version=2008-04-07&ItemId=1604591935';
if ($THE_OLD_UNSIGNED_WAY) {
// Here's the simple unsigned method that works until August 15 2009
$request = 'http://webservices.amazon.com/onca/xml?Service=AWSECommerceService&AWSAccessKeyId=YOUR_ACCESS_ID&'.$request;
$response = file_get_contents($request);
if ($response) $simple_response = simplexml_load_string($response);
} else {
// START CHANGES FOR SIGNED REQUEST
// see http://docs.amazonwebservices.com/AWSECommerceService/latest/DG/index.ht... for more details
//Substitute your real Access Id here...
$request = 'Service=AWSECommerceService&'.
'AWSAccessKeyId=YOUR_ACCESS_ID&'.
'Timestamp='.gmdate("Y-m-d\TH:i:s\Z").'&'.
$request;
// encode url - replace commas w/ %2C, replace colon w/ %3A
// Could use urlencode($request) here, but $request may already be partially encoded
$request = str_replace(',','%2C', $request);
$request = str_replace(':','%3A', $request);
//break request string into key/value pairs,
$reqarr = explode('&',$request);
//sort on byte value
sort($reqarr);
// tie back together w/ &'s
$string_to_sign = implode("&", $reqarr);
$string_to_sign = "GET\nwebservices.amazon.com\n/onca/xml\n".$string_to_sign;
//Substitute your real Secret Key here...
$signature = urlencode(base64_encode(hash_hmac("sha256", $string_to_sign, 'YOUR_SECRET_KEY', True)));
$request .= '&Signature='.$signature;
$request = 'http://webservices.amazon.com/onca/xml?'.$request;
echo 'NEW REQ '.$request;
// For this example, the above echo should yield:
// NEW REQ http://webservices.amazon.com/onca/xml?Service=AWSECommerceService&AWSAc...
// - obviously this is a bogus request as we used placeholders for AccessId and SecretKey
$response = file_get_contents($request);
if ($response) $simple_response = simplexml_load_string($response);
// if your signed request is invalid - AWS will give error response such as:
// The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
// more help at: http://mierendo.com/software/aws_signed_query/
}
Thanks!
Thanks for posting this Mark! I never expected to find it on a homeschool blog but it works for me.
Just when I though I had perfected my Amazon code, they go and change it. I wasn't looking forward to deciphering this but you helped a lot!
Gary
Glad it helped
It took be a couple hours to get it worked out, so I figured another 15 minutes to cut/paste/document might help others. I'm a homeschool dad developing websites and web technology and this blog was the best place to publish the sample.
URL encode , and ;
I noticed you didn't try to URL encode the request's comma and semi-colon characters. I wondered why this was mentioned as a possible problem in the API doc you linked. I'm not sure that's really necessary. What are your thought on this?
urlencode
Good point, there are no commas in the sample query and I previously directly encoded the timestamp to take care of the colons. It is really necessary - the Amazon document is correct.
I just updated the sample to show direct encode of commas and colons, to handle the more general case. The code above has all the correct changes. Thanks!
Amazon zzzzzz
Hi,
I found you, (We have 2 toddlers on flexi-schooling and maybe moving to home-schooling soon) and your code, while trying to find a solution for Amazon's recent changes. They are quick to send emails saying our efforts will not be rewarded after August 15th yet provide zero (possibly buried) help for non-developers.
I have over a dozen websites selling Amazon products (via 3 or 4 systems such as ReviewAzon and Word Press plug-ins) and am thinking I may just have to dump Amazon as a model because of their unhelpfulness and my personal inadequacy ;-)
I guess my question is, do you have knowledge of any system an ordinary citizen can use (possibly site-wide with a simple call to the relevant .php) to comply with Amazon's new directive?
Thanks in advance,
Terry Ward.
Basic Amazon affiliates not affected?
Terry, the changes are required for software that queries Amazon's AWS system. My other site, http://www.everygoodbook.com does this regularly to update prices in my private database.
If you simply have Amazon links w/ affiliate tags, such as:
http://www.amazon.com/exec/obidos/ASIN/0451527925/egbk-20
... they should be unaffected. This site, http://www.everygoodpath.net is not being updated at all, as I don't make queries.
Does that help?
Thanks Mark. I suppose I
Thanks Mark. I suppose I should sigh with relief but if it is this simple (and I believe you) Amazon sending me, what amounts to scary, emails at monthly intervals telling me my commission will be forfeit and any calls to the database ignored if I don't... let me just find the quote...
"We noticed that requests with your AWS Access Key ID are not being signed and, while you have more than 30 days until the date on which authentication is required, we are, as a courtesy, sending you this email to remind you of the new authentication requirement. Please remember that calls to the Product Advertising API that are not signed will not be processed after August 15, 2009. "
... raises my hackles. To amplify this mistake they have included links within the "reminders" that invariably point to multiple "404 not found".
Sorry for venting but your site was the only place I have been able to find, in my limited free time, that addressed the issue, presented a solution and was equitable enough to offer a sounding board that was actually responded to.
When found, the Amazon forum is a deserted and unresponsive morass of loose ends.
Thank you, most heartily, for answering my post.
AWS Access Key ID
Your "AWS Access Key ID" is not your affiliate tag, but a strange string something like this:
0UPRT7ANH8MTHW3M539
I suggest you look in your Amazon account information for your Access Key (https://affiliate-program.amazon.com/gp/advertising/api/detail/your-acco...), then search your website HTML/PHP/whatever source for that key. You may use it in places you're not aware. I would hope Amazon doesn't send that ominous email unless you really make queries, but they may just send it to everyone who has an affiliate account. Now that my stuff is updated, I hope they send me an 'all-clear' email soon but they may be wishful thinking.
You're right about their links going to 404's and the documentation being hard to understand. Not a good sign for a leader of the internet revolution. Let me know if I can help further.
Same as that
Yes Mark, the hoops one has to jump through to get that (and the secret one) are being dwarfed by this latest.
I assumed that the actual apps, that I had to input my affiliate (whatever-20) code into, are calling Amazon with an unsigned key, hence the emails and my worry that nowhere within those (3) applications is there a place to input said AWS key. The "creators" of the apps are not answering emails - maybe they are working on a fix and finding the same hurdles.
If I make any progress I will, of course, let you know what I find.
Thanks,
Terry.
Thanks
Thanks for putting in the work. It is clear and concise, and most importantly - it works!
Big Thank You
This saved me a lot of pain. Thank you so much for a clear solution. Great job.
Great Tool
I recently decided to switch to Amazon after seeing a site that had a shopping cart yet was an Amazon affiliate. Took me two days to find a code that is easily modified for that purpose. Thank You.