PHP Development API Interface Security Verification

Source: Internet
Author: User
Tags: md5, sha1

API interfaces in PHP

In day-to-day work, writing API interfaces in PHP is common. The front end calls the interface to fetch the data it provides, usually returned as either XML or JSON. During this exchange the server does not know where the request came from; someone else could call our interface without authorization and obtain the data, so we need some form of security authentication.

Verification Principle

[Figure: verification principle]

As the figure shows, before the front end can invoke the interface it needs several parameters to generate a signature:

    • Timestamp: the current time
    • Random number: a randomly generated string (nonce)
    • Password: an identity agreed between front end and back end before development, equivalent to a password (the token)
    • Algorithm rules: an agreed calculation rule that turns the three parameters above into a signature

The front end generates the signature and, when it needs to access the interface, passes the timestamp, the random number and the signature to the back end through the URL. The back end takes the timestamp and random number, computes the signature with the same algorithm rule, and compares it with the signature it received; if the two match, it returns the data.

Algorithm Rules

The algorithm rule is the key part of the interaction between front end and back end: both sides use it to compute the signature. How the rule itself is formulated is up to you.

My algorithm rule is:

    1. Sort the timestamp, random number and password as strings (by their first character)
    2. Concatenate them into one string
    3. Hash the string with SHA1
    4. Hash the result again with MD5
    5. Convert the result to uppercase

Front End

I don't have a real front end here, so a PHP file stands in for it and simulates GET requests via curl. I am using the TP (ThinkPHP) framework, and the URL uses PATHINFO format.

Source Code

<?php
/**
 * Created by PhpStorm.
 * User: administrator
 * Date: 2017/3/16 0016
 * Time: 15:56
 */
namespace Client\Controller;
use Think\Controller;

class ClientController extends Controller
{
    const TOKEN = 'api';

    // Simulates the front end requesting the server API interface
    public function getDataFromServer()
    {
        // Timestamp
        $timeStamp = time();
        // Random number
        $randomStr = $this->createNonceStr();
        // Generate the signature
        $signature = $this->arithmetic($timeStamp, $randomStr);
        // URL address (PATHINFO format: /t/<timestamp>/r/<random>/s/<signature>)
        $url = "http://www.apitest.com/server/server/respond/t/{$timeStamp}/r/{$randomStr}/s/{$signature}";
        $result = $this->httpGet($url);
        dump($result);
    }

    // curl simulates a GET request
    private function httpGet($url)
    {
        $curl = curl_init();
        // Which address needs to be requested
        curl_setopt($curl, CURLOPT_URL, $url);
        // Return the response as a string instead of writing it to output
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    }

    // Randomly generated string
    private function createNonceStr($length = 8)
    {
        $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        $str = "";
        for ($i = 0; $i < $length; $i++) {
            $str .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
        }
        return "z" . $str;
    }

    /**
     * @param $timeStamp timestamp
     * @param $randomStr random string
     * @return string signature
     */
    private function arithmetic($timeStamp, $randomStr)
    {
        $arr['timeStamp'] = $timeStamp;
        $arr['randomStr'] = $randomStr;
        $arr['token'] = self::TOKEN;
        // Sort as strings (by first character)
        sort($arr, SORT_STRING);
        // Concatenate into a string
        $str = implode($arr);
        // Hash
        $signature = sha1($str);
        $signature = md5($signature);
        // Convert to uppercase
        $signature = strtoupper($signature);
        return $signature;
    }
}
Server Side

Receives the front-end parameters and verifies them.

Source Code

<?php
/**
 * Created by PhpStorm.
 * User: administrator
 * Date: 2017/3/16 0016
 * Time: 16:01
 */
namespace Server\Controller;
use Think\Controller;

class ServerController extends Controller
{
    const TOKEN = 'api';

    // Responds to the front-end request
    public function respond()
    {
        // Verify identity
        $timeStamp = $_GET['t'];
        $randomStr = $_GET['r'];
        $signature = $_GET['s'];
        $str = $this->arithmetic($timeStamp, $randomStr);
        if ($str != $signature) {
            echo "-1";
            exit;
        }
        // Simulated data
        $arr['name'] = 'api';
        $arr['age'] = 15;
        $arr['address'] = 'zz';
        $arr['ip'] = "192.168.0.1";
        echo json_encode($arr);
    }

    /**
     * @param $timeStamp timestamp
     * @param $randomStr random string
     * @return string signature
     */
    public function arithmetic($timeStamp, $randomStr)
    {
        $arr['timeStamp'] = $timeStamp;
        $arr['randomStr'] = $randomStr;
        $arr['token'] = self::TOKEN;
        // Sort as strings (by first character)
        sort($arr, SORT_STRING);
        // Concatenate into a string
        $str = implode($arr);
        // Hash
        $signature = sha1($str);
        $signature = md5($signature);
        // Convert to uppercase
        $signature = strtoupper($signature);
        return $signature;
    }
}
Results

string(57) "{"name":"api","age":15,"address":"zz","ip":"192.168.0.1"}"
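The server above recomputes the signature and compares it, but it never checks that the timestamp is recent or that a random number has not been seen before, so a captured URL stays valid forever. Below is an added example (not code from the original post) that keeps the post's exact signature rule and wraps it in a verifier with a freshness window, a nonce cache and a constant-time comparison; API_TOKEN, MAX_SKEW_SECONDS, makeSignature, verifyRequest and the in-memory cache are my own names and assumptions.

```php
<?php
// Added example, not code from the original post. The nonce cache is a plain
// array standing in for a shared store (database/cache) with a TTL.

const API_TOKEN = 'api';        // shared secret, same value as the post's TOKEN
const MAX_SKEW_SECONDS = 300;   // assumed freshness window for the timestamp

// The post's rule: sort (timestamp, nonce, token) as strings, join, sha1, md5, uppercase.
function makeSignature(string $timeStamp, string $randomStr, string $token): string
{
    $parts = [$timeStamp, $randomStr, $token];
    sort($parts, SORT_STRING);
    return strtoupper(md5(sha1(implode('', $parts))));
}

// True only for a fresh, unreplayed, correctly signed request. $seenNonces maps
// nonce => time first seen; entries older than the window can be evicted.
function verifyRequest(array $get, int $now, array &$seenNonces): bool
{
    foreach (['t', 'r', 's'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return false;                               // missing or malformed parameter
        }
    }
    if (!ctype_digit($get['t']) || abs($now - (int) $get['t']) > MAX_SKEW_SECONDS) {
        return false;                                   // timestamp outside the window
    }
    if (isset($seenNonces[$get['r']])) {
        return false;                                   // nonce already used: replay
    }
    $expected = makeSignature($get['t'], $get['r'], API_TOKEN);
    if (!hash_equals($expected, $get['s'])) {
        return false;                                   // constant-time signature check
    }
    $seenNonces[$get['r']] = $now;                      // record the nonce only on success
    return true;
}

// Demo with constructed values
$now = 1489651234;
$seen = [];
$nonce = 'zAb3Kq9x';
$params = ['t' => (string) $now, 'r' => $nonce, 's' => makeSignature((string) $now, $nonce, API_TOKEN)];
var_dump(verifyRequest($params, $now, $seen));          // first use of this nonce
var_dump(verifyRequest($params, $now + 1, $seen));      // same URL sent again: replay
$old = (string) ($now - 3600);
$stale = ['t' => $old, 'r' => 'zNew0001', 's' => makeSignature($old, 'zNew0001', API_TOKEN)];
var_dump(verifyRequest($stale, $now, $seen));           // correctly signed but an hour old
```

The client in the post already sends distinct timestamps and nonces, so it works unchanged against this verifier; only the server side needs the extra checks.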
Summary

This is only one of the possible methods; in fact there are many ways to verify an interface securely.

http://blog.csdn.net/li741350149/article/details/62887524
