Using PHP as the server side of an interface that a client accesses over HTTP POST: how is security generally done?
My problem is that if no security-related processing is done, some operations that modify the database may receive garbage data submissions; after all, to find this information one only needs to capture an HTTP packet.
The system has no user login.
Novice question (I have never done server-side development). If possible, please give links to several mainstream methods, thanks.
A quick summary of a few methods:
1. Put the username and password in the request header, and have the server verify them before continuing with the business logic below.
Pros: prevents the server-side API from being called arbitrarily.
Cons: the username and password are sent on every request, which increases the interaction volume, and transmitting the password in plaintext is not secure.
2. On the first request, send the username and password; once they are verified, issue a cookie to the client, and the app saves the cookie value.
Bring the cookie on each request.
Note: the same principle as browser authentication on a PC.
With the above two approaches only registered users have access to the business logic, but the app also has a large number of data APIs that do not require registration.
3. Define a token generation rule that produces a random string from some properties shared by the server and the client; the client generates the string, and the server verifies it when it receives the request.
Cons: the random-string generation rule must be kept secret.
For example: in a project using a PHP framework, every interaction carries two parameters, module and action, used for routing, so I can use the following rule to generate tokens.
The app wants to request the user list; the API is "Index.php?module=user&action=list".
The app generates token = md5sum('user' . '2012-11-28' . '#$@%!' . 'list') = 880fed4ca2aabd20ae9a5dd774711de2;
The actual outgoing request is "Index.php?module=user&action=list&token=880fed4ca2aabd20ae9a5dd774711de2"
The server receives the request and computes the token in the same way:
<?php
$module = $_GET['module'] ?? '';
$action = $_GET['action'] ?? '';
// Same rule as the client: module, today's date, secret salt, action
$token = md5($module . date('Y-m-d', time()) . '#$@%!*' . $action);
// Constant-time comparison; also avoids PHP's loose numeric-string comparison
if (!hash_equals($token, (string) ($_GET['token'] ?? ''))) {
    echo 'access deny';
    exit();
}
?>
These are the three I will mention first; all of them have been used in projects.
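Method 3 above as one PHP function shared by the client and the server, written as an added example that is not part of the original answer; the salt, parameter names and date format are the answer's own, while the function names, the missing-parameter check and the hash_equals comparison are assumptions of this example.

```php
<?php
// Added example (not from the original post): the answer's token rule as a
// single function that both client and server call with the same inputs.
// Function names are assumptions; salt and date format follow the answer.

function make_token(string $module, string $action, string $date, string $salt): string
{
    // Same rule as the answer: module . date . secret salt . action
    return md5($module . $date . $salt . $action);
}

function verify_request(array $query, string $salt, ?string $today = null): bool
{
    // Reject requests that omit a routing parameter or the token
    foreach (['module', 'action', 'token'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return false;
        }
    }
    $today    = $today ?? date('Y-m-d');
    $expected = make_token($query['module'], $query['action'], $today, $salt);
    // Constant-time comparison; also avoids the loose "0e..." numeric-string
    // juggling that a plain != on hex digests would allow
    return hash_equals($expected, $query['token']);
}

// Client side: build the request for the user list
$salt  = '#$@%!';       // the shared rule; anyone who learns it can produce valid tokens
$date  = '2012-11-28';  // the example date used in the answer
$token = make_token('user', 'list', $date, $salt);
$url   = 'index.php?module=user&action=list&token=' . $token;

// Server side: parse the same query string and verify it
parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(verify_request($query, $salt, $date));

// A request whose action was changed after the token was computed is rejected
$query['action'] = 'delete';
var_dump(verify_request($query, $salt, $date));
```

The second var_dump shows why the token binds module and action together: changing either parameter without recomputing the token fails verification, but the scheme only holds as long as the salt stays secret.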