Enhance API functionality and security: Added rate limiting and domain validation across multiple API endpoints, improved error handling for missing or invalid parameters, and refactored email handling in contact form for better security and maintainability. Updated README.md with production build instructions and prerequisites.

backend/api/ping-check.php

@@ -7,6 +7,8 @@
  * Verwendung: GET /api/ping-check.php?domain=example.com
  */
 
+require_once __DIR__ . '/../includes/api-helpers.php';
+
 header('Content-Type: application/json; charset=utf-8');
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: GET, OPTIONS');
@@ -17,21 +19,15 @@ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
     exit;
 }
 
-$domain = isset($_GET['domain']) ? trim($_GET['domain']) : '';
-
-if (empty($domain)) {
-    http_response_code(400);
-    echo json_encode(['error' => 'Domain-Parameter fehlt']);
-    exit;
+if (!checkApiRateLimit('ping-check')) {
+    rejectApiRateLimit();
 }
 
-// Protokoll und Pfad entfernen
-$domain = preg_replace('/^(https?:\/\/)?/', '', $domain);
-$domain = explode('/', $domain)[0];
+$domain = getValidatedDomainParam();
 
-if (!preg_match('/^[a-zA-Z0-9][a-zA-Z0-9\-\.]*\.[a-zA-Z]{2,}$/', $domain)) {
+if ($domain === null) {
     http_response_code(400);
-    echo json_encode(['error' => 'Ungültiges Domain-Format']);
+    echo json_encode(['error' => empty($_GET['domain']) ? 'Domain-Parameter fehlt' : 'Ungültiges Domain-Format']);
     exit;
 }
 
@@ -99,7 +95,8 @@ function checkIcmpPing(string $domain): array {
     ];
     
     // Versuche ping-Kommando
-    $pingResult = @shell_exec("ping -c 3 -W 2 {$domain} 2>/dev/null");
+    $safeDomain = escapeshellarg($domain);
+    $pingResult = @shell_exec("ping -c 3 -W 2 {$safeDomain} 2>/dev/null");
     
     if ($pingResult) {
         // Prüfe auf erfolgreiche Antworten