If a carefully written interface can be called directly without any security check, it poses a very large risk to the site: an attacker can use the interface to operate on the database directly, with consequences that cannot be measured. So how do we validate calls effectively? Here I adopted an access_token mechanism: the app front-end developers submit an AppID and AppSecret to obtain a token, and the server caches that token for 7,200 seconds. If the client requested a token directly on every call, the token would be reset every time, so the client should cache it as well: the client checks whether a local token exists and, if it does, calls our API with the token as a parameter; the server checks the token's validity and gives the corresponding response; if the client's cached token has expired, the client simply requests a new token. That is roughly the idea. A complete reference implementation follows; if there is a better way, please advise.
<?php
namespace Home\Controller;
use Think\Controller;

class IndexController extends Controller {
    public $appid     = 'dmm888';
    public $appsecret = 'http://cnblogs.com/dmm888';

    public function index() {
        $this->show('<style type="text/css">*{padding:0; margin:0;} div{padding:4px 48px;} body{background:#fff; font-family:"Microsoft YaHei"; color:#333; font-size:24px} h1{font-size:100px; font-weight:normal; margin-bottom:12px;} p{line-height:1.8em; font-size:36px}</style><div style="padding:24px 48px;"></div>');
    }

    // Guarded API action: every call must carry a token that the server cache still knows
    public function test() {
        if (!isset($_GET['token'])) {
            $this->apiReturn(4001, 'invalid token');
        } else if (!S($_GET['token'])) {      // not in cache: never issued, revoked or expired
            $this->apiReturn(4001, 'invalid token');
        }
        $data = array(
            'id'       => 2,
            'username' => 'The Night of the Ming',
            'info'     => array('age' => 24, 'address' => 'Academy road', 'url' => 'http://cnblogs.com/dmm888'),
        );
        if ($data) {
            $this->apiReturn(200, 'Read user information success', $data, 'xml');
        }
    }

    // Issue a token. AppID and AppSecret are written fixed here; in practice they come from the
    // client, so this is where their validity (and much more) can be checked
    public function getToken() {
        $ori_str = S($this->appid . '_' . $this->appsecret);
        if ($ori_str) {                       // re-fetch: delete the previously issued token
            S($ori_str, null);
        }
        // token generation mechanism; you can also define your own
        $nonce  = $this->createNonceStr(32);
        $tmpArr = array($nonce, $this->appid, $this->appsecret);
        sort($tmpArr, SORT_STRING);
        $tmpStr = implode($tmpArr);
        $tmpStr = sha1($tmpStr);
        // echo $tmpStr;
        // cache both directions, 'a' => b and 'b' => a, for 7200 seconds
        S($this->appid . '_' . $this->appsecret, $tmpStr, 7200);
        S($tmpStr, $this->appid . '_' . $this->appsecret, 7200);
        // hand the token back to the client (the original left this out)
        $this->apiReturn(200, 'ok', array('token' => $tmpStr));
    }

    /**
     * Generate a random string, at most 32 characters long
     */
    function createNonceStr($length = 32) {
        $chars = "abcdefghijklmnopqrstuvwxyz0123456789";
        $str   = "";
        for ($i = 0; $i < $length; $i++) {
            $str .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
        }
        return $str;
    }

    // apiReturn is not a stock ThinkPHP method; it is assumed here as a thin wrapper over ajaxReturn
    private function apiReturn($code, $msg, $data = array(), $type = '') {
        $this->ajaxReturn(array('code' => $code, 'msg' => $msg, 'data' => $data), $type);
    }
}
I will not write out the details of the verification itself here. We only need to hand the AppID and AppSecret to the app front-end developers and tell them how to use the token: execution only continues when the token is valid, so security can be guaranteed.
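As an added example (not the page's code), the same issue / validate / refresh flow modelled in Python without the framework: an in-memory dict with expiry stands in for S(), a fake clock makes the 7,200 s expiry testable, the token is derived from a sorted nonce + AppID + AppSecret as on the page, and the credential check the page only mentions is carried out with hmac.compare_digest. The credentials, class and function names are constructed for this example.

```python
import hashlib, hmac, secrets
TOKEN_TTL = 7200  # seconds, as on the page

class TokenServer:
    def __init__(self, apps, clock):
        self.apps, self.clock, self.cache = apps, clock, {}  # apps: appid -> secret; cache: key -> (value, expires_at)
    def cache_get(self, key):  # stand-in for S(key): None when the key is missing or expired
        item = self.cache.get(key)
        if item and self.clock() < item[1]:
            return item[0]
    def get_token(self, appid, appsecret):
        expected = self.apps.get(appid)  # check the submitted credentials instead of trusting them
        if expected is None or not hmac.compare_digest(expected, appsecret):
            return None
        app_key = appid + "_" + appsecret
        old = self.cache_get(app_key)
        if old:                          # a re-fetch invalidates the previously issued token
            self.cache.pop(old, None)
        parts = sorted([secrets.token_hex(16), appid, appsecret])  # nonce + ids, sorted, as on the page
        token = hashlib.sha1("".join(parts).encode()).hexdigest()
        expires = self.clock() + TOKEN_TTL
        self.cache[app_key] = (token, expires)  # like S(appid_appsecret, token, 7200)
        self.cache[token] = (app_key, expires)  # like S(token, appid_appsecret, 7200)
        return token
    def api_call(self, token):           # the guarded API: only a token the cache still knows passes
        return (200, "ok") if token and self.cache_get(token) else (4001, "invalid token")

class AppClient:
    def __init__(self, server, appid, appsecret):
        self.server, self.creds, self.token, self.fetches = server, (appid, appsecret), None, 0
    def refresh(self):
        self.token = self.server.get_token(*self.creds)
        self.fetches += 1
    def call_api(self):
        if self.token is None:           # nothing cached locally: fetch a token first
            self.refresh()
        code, _ = self.server.api_call(self.token)
        if code == 4001:                 # cached token expired or revoked: refresh once and retry
            self.refresh()
            code, _ = self.server.api_call(self.token)
        return code

def demo():
    now = [0]
    server = TokenServer({"dmm888": "s3cret"}, lambda: now[0])  # constructed credentials and clock
    client = AppClient(server, "dmm888", "s3cret")
    first, second = client.call_api(), client.call_api()  # fetch, then reuse the cached token
    now[0] += TOKEN_TTL + 1                               # the token expires on the server
    third = client.call_api()                             # 4001 -> refresh -> 200
    return first, second, third, client.fetches, server.api_call("bogus")[0], server.get_token("dmm888", "wrong")
```

demo() returns (200, 200, 200, 2, 4001, None): two token fetches in total, a bogus token rejected, and a wrong secret refused.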
ThinkPHP: communication security authentication during app interface development