Examples of api security verification for PHP development and api instances

Examples of api security verification for PHP development and api instances

Php api

In practice, PHP is often used to write api interfaces. After PHP writes an interface, the foreground can obtain the data provided by the interface through the link. The returned data is generally divided into two situations, xml and json. In this process, the server does not know what the request source is. It is possible that someone else illegally calls our interface to obtain data. Therefore, security verification is required.

Verification Principle

Principle

You can see clearly that the front-end needs to use several parameters to generate a signature to call an interface.

Timestamp: Current Time

Random Number: Random Number generated randomly

Password: an identifier that is known to both parties during frontend and backend development.

Algorithm rules: Agreed calculation rules. The preceding three parameters can be used to generate a signature.

The front-end generates a signature. When an access interface is required, the timestamp, random number, and signature are transmitted to the backend through the URL. The backend obtains the timestamp. After the random number is obtained, the signature is calculated using the same algorithm rules, and then compared with the passed signature. If the same, the data is returned.

Algorithm rules

In frontend and backend interactions, algorithm rules are very important. Both the backend and backend servers use algorithm rules to calculate signatures. How to create rules depends on how happy you are.

My algorithm rule is

1. The timestamp, random number, and password are sorted in the uppercase/lowercase order.

2. Then splice the string

3. Perform sha1 Encryption

4. Then perform MD5 encryption.

5. Convert to uppercase.

Front-end

Here I don't have a real front-end. I directly use a PHP file to replace the front-end, and then use CURL to simulate GET requests. I am using the TP framework, and the URL format is pathinfo.

Source code

<? Php/*** Created by PhpStorm. * User: Administrator * Date: 0016 * Time: */namespace Client \ Controller; use Think \ Controller; class ClientController extends Controller {const TOKEN = 'api '; // simulate the front-end request Server api interface public function getDataFromServer () {// timeStamp $ timeStamp = time (); // random number $ randomStr = $ this-> createNonceStr (); // generate the signature $ signature = $ this-> arithmetic ($ timeStamp, $ randomStr); // url location Url $ url = "url}"; $ result = $ this-> httpGet ($ url); dump ($ result) ;}// curl simulates get requests. Private function httpGet ($ url) {$ curl = curl_init (); // address of the Request curl_setopt ($ curl, CURLOPT_URL, $ url ); // output the requested data in the form of a file stream to the variable curl_setopt ($ curl, CURLOPT_RETURNTRANSFER, 1); $ result = curl_exec ($ curl ); curl_close ($ curl); return $ result;} // randomly generated private function createNonceStr ($ length = 8) {$ chars = "Hangzhou"; $ str = ""; for ($ I = 0; $ I <$ length; $ I ++) {$ str. = substr ($ chars, mt_rand (0, strlen ($ chars)-1), 1);} return "z ". $ str;}/*** @ param $ timeStamp * @ param $ randomStr random string * @ return string return signature */private function arithmetic ($ timeStamp, $ randomStr) {$ arr ['timestamp'] = $ timeStamp; $ arr ['randomstr'] = $ randomStr; $ arr ['Token'] = self: token; // sort ($ arr, SORT_STRING) in the upper and lower case order of the first letter; // splice it into a string $ str = implode ($ arr ); // encrypt $ signature = sha1 ($ str); $ signature = md5 ($ signature); // convert it to uppercase $ signature = strtoupper ($ signature ); return $ signature ;}}

Server

Accept front-end data for verification

Source code

<? Php/*** Created by PhpStorm. * User: Administrator * Date: 0016 * Time: */namespace Server \ Controller; use Think \ Controller; class ServerController extends Controller {const TOKEN = 'api '; // response to the front-end request public function respond () {// authenticate the identity $ timeStamp =$ _ GET ['T']; $ randomStr =$ _ GET ['R']; $ signature =$ _ GET ['s ']; $ str = $ this-> arithmetic ($ timeStamp, $ randomStr); if ($ str! = $ Signature) {echo "-1"; exit;} // simulate data $ arr ['name'] = 'API'; $ arr ['age'] = 15; $ arr ['address'] = 'zz '; $ arr ['IP'] = "192.168.0.1"; echo json_encode ($ arr );} /*** @ param $ timeStamp * @ param $ randomStr random string * @ return string returns the signature */public function arithmetic ($ timeStamp, $ randomStr) {$ arr ['timestamp'] = $ timeStamp; $ arr ['randomstr'] = $ randomStr; $ arr ['Token'] = self: token; // sort ($ arr, SORT_STRING) in the upper and lower case order of the first letter; // splice it into a string $ str = implode ($ arr ); // encrypt $ signature = sha1 ($ str); $ signature = md5 ($ signature); // convert it to uppercase $ signature = strtoupper ($ signature ); return $ signature ;}}

Result

string(57) "{"name":"api","age":15,"address":"zz","ip":"192.168.0.1"}"

Summary

This method is only one of the methods. In fact, many methods can be used for security verification.

The above example of api security verification for PHP development is all the content that I have shared with you. I hope to give you a reference and support for the customer's house.