Well, it depends exactly how it works. If you're sending a username and password as clear text then it's potentially sniffable by someone somewhere.
It's not sent on an HTTPS connection, which would be my first concern, but potentially the API may well check the referring URL too; I'd check that, although even that is spoofable.
At the very least, I'd make use of a randomly generated password that you don't use anywhere else, and change it regularly. Then at least, the only real risk is that someone will sniff the password and send SMS messages using your account. If you have to get this going fast, then I'd do that, but at the same time I'd contact Clickatell and point out this flaw in their security.
Ideally, they could use some kind of dynamic pass-token system, using your password and the message to be sent or something crypted to an md5 key or more secure equivalent.
Code:
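<?php
// Shared credentials; the password itself is never put in the URL.
$username = "bobsusername";
$password = "bobspassword";
$smsmessage_to_send = "Hi, this is a text message";
// Per-message token: hash of the password concatenated with the message text.
$keytosystem = md5($password . $smsmessage_to_send);
// URL-encode the values so special characters cannot break the query string.
$url = "http://api.clicktell.com/?username=" . urlencode($username) . "&passkey=" . urlencode($keytosystem);
//etc...
?>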
That would be my ideal, but obviously you'd need to convince Clickatell to use a different system. That said, their current system is shockingly open to sniffers.
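The per-message token idea from the post above, shown with both the sending and the checking side, as an added example that is not part of the original post or Clickatell's API. It swaps MD5 for HMAC-SHA256 and goes one step further by adding a timestamp and nonce so a sniffed request cannot simply be resent; the function names, field names and 300-second window are assumptions.

```php
<?php
// Added example: names, field names and the 300-second window are assumptions.
const MAX_SKEW = 300; // seconds a signed request stays valid

// Length-prefix each field so ("ab","c") and ("a","bc") give different input.
function canonical(array $fields): string
{
    $out = '';
    foreach ($fields as $f) {
        $out .= strlen($f) . ':' . $f;
    }
    return $out;
}

// Token = HMAC-SHA256 keyed with the password over every field of the request.
function token(string $pw, string $user, string $to, string $text, int $ts, string $nonce): string
{
    return hash_hmac('sha256', canonical([$user, $to, $text, (string)$ts, $nonce]), $pw);
}

// Client: builds the query parameters; the password is not among them.
function sign_request(string $user, string $pw, string $to, string $text, int $now): array
{
    $nonce = bin2hex(random_bytes(16));
    return ['username' => $user, 'to' => $to, 'text' => $text, 'ts' => $now,
            'nonce' => $nonce, 'passkey' => token($pw, $user, $to, $text, $now, $nonce)];
}

// Server: recomputes the token from its own copy of the password.
function verify_request(array $req, string $pw, array &$seen, int $now): bool
{
    if (abs($now - (int)$req['ts']) > MAX_SKEW || isset($seen[$req['nonce']])) {
        return false; // stale timestamp, or nonce already used (replay)
    }
    $expected = token($pw, $req['username'], $req['to'], $req['text'], (int)$req['ts'], $req['nonce']);
    if (!hash_equals($expected, (string)$req['passkey'])) {
        return false; // wrong password or a field altered in transit
    }
    $seen[$req['nonce']] = true; // remember the nonce for the validity window
    return true;
}

// Constructed sample run (recipient number and message are made up).
$seen = []; $now = time();
$req = sign_request('bobsusername', 'bobspassword', '15550100', 'Hi, this is a text message', $now);
var_dump(verify_request($req, 'bobspassword', $seen, $now)); // genuine request
var_dump(verify_request($req, 'bobspassword', $seen, $now)); // same request replayed
$tampered = ['text' => 'changed'] + sign_request('bobsusername', 'bobspassword', '15550100', 'Hi', $now);
var_dump(verify_request($tampered, 'bobspassword', $seen, $now)); // text altered in transit
echo http_build_query($req), "\n"; // what would travel in the URL
```

Over plain HTTP the message text and recipient remain readable on the wire; the token only keeps the password off it and ties each request to one message.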