This article covers PHP interface security: four schemes for PHP interface encryption. It has some reference value; readers who need it can refer to it, and I hope it helps you.
As an internet developer, whether front-end or back-end, you need a certain understanding of HTTP requests: know the characteristics of HTTP, understand what a request and a response consist of, and know why a site needs cookies, sessions and verification codes (CAPTCHAs) and what they mean. Exploring the security of an app interface is really about the security of HTTP requests.
On the PC side we generally use an encrypted cookie to identify the member and maintain the session, but the cookie is local storage belonging to the browser, which an app does not have. So we have to identify members by a token parameter. How should this token be handled?
First, let me describe the four schemes I went through before settling on this interface encryption:
Scheme I
Agree with the app-side developers on a specific MD5 combination algorithm; both sides compute it, and if the values match the request is allowed, otherwise it is denied;
However, this is also unsafe: if the app is decompiled, the agreed algorithm is exposed, especially in Android apps. Once someone has the algorithm, they can fully simulate interface requests that pass authentication;
Scheme II
The password in the database member table is an MD5 value with a salt and double hashing. When the user logs in, I return the member's corresponding UID and password; although the password is returned in the clear, others cannot log in with it, since after all it is hashed. Each interface request then carries user_id=333&token=aa37e10c7137ac849eab8a2d5020568f, and through the primary key UID the server can quickly find the token corresponding to that UID and compare it;
But this idea is too naive: someone who captures the packets cannot log in as the member with the hashed password, but once the token is known they can use it to operate the member's relevant interfaces indefinitely, unless the user changes the password;
Scheme III
Use a symmetric encryption algorithm to encrypt uid + site public key together with a timestamp, so the result is only valid within a limited period. When the member logs in successfully, the server encrypts the ID and returns it to the client; the client carries this parameter in each interface request, and the server decrypts it to authenticate;
But this is still not safe. It guards against outsiders, but I heard that the recent Ctrip incident was due to malicious operation by internal staff. If malicious insiders know the corresponding algorithm rules, then even without database permissions they can still use the interface to operate on the relevant members;
Scheme IV
When a member logs in, the login interface is requested and the server returns a token to the client. The token is generated by double encryption of site public key + current uid + current timestamp + a random number. Depending on requirements, either put the token into the cache so that it expires automatically after a period of time, or store it in the database (if in the database, use a separate table and, while you are at it, log the user's login and logout times; update the record when the user logs out, so that the token is only valid until the user logs out).
For security, users should be logged out automatically after a period of time. Combined with Linux and database rights management, this scheme guards against both external and internal threats;
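Scheme IV in PHP, as an added example that is not code from the original article. It assumes a server-side SITE_KEY standing in for the "site public key", an in-memory $tokenStore standing in for the cache entry or the separate login-log table, and HMAC-SHA256 over a SHA-256 digest where the article only says "double encryption".

```php
<?php
// Added example, not from the article: scheme IV token issuance and validation.
// Assumptions: SITE_KEY stands in for the "site public key"; $tokenStore stands
// in for the cache entry or separate login-log table; HMAC-SHA256 of a SHA-256
// digest is used where the article only says "double encryption".
const SITE_KEY  = 'replace-with-a-long-random-server-side-secret';
const TOKEN_TTL = 7200; // seconds of validity before automatic logout

// One row per uid, like the article's separate table:
// uid => [token, login_at, logout_at]
$tokenStore = [];

function issueToken(int $uid, array &$store): string {
    $now   = time();
    $nonce = bin2hex(random_bytes(16));               // "a random number"
    $inner = hash('sha256', SITE_KEY . $uid . $now . $nonce);
    $token = hash_hmac('sha256', $inner, SITE_KEY);   // second layer, keyed
    $store[$uid] = ['token' => $token, 'login_at' => $now, 'logout_at' => null];
    return $token;
}

function validateToken(int $uid, string $token, array &$store): bool {
    if (!isset($store[$uid])) {
        return false;                                 // never logged in, or purged
    }
    $row = $store[$uid];
    if ($row['logout_at'] !== null) {
        return false;                                 // logged out: token is dead
    }
    if (time() - $row['login_at'] > TOKEN_TTL) {
        unset($store[$uid]);                          // expired: automatic logout
        return false;
    }
    // Constant-time comparison so the check does not leak timing information.
    return hash_equals($row['token'], $token);
}

function logout(int $uid, array &$store): void {
    if (isset($store[$uid])) {
        $store[$uid]['logout_at'] = time();           // record logout, kill token
    }
}

// Usage: login issues the token; every later request sends user_id and token.
$token = issueToken(333, $tokenStore);
var_dump(validateToken(333, $token, $tokenStore));    // valid while logged in
logout(333, $tokenStore);
var_dump(validateToken(333, $token, $tokenStore));    // rejected after logout
```

Because the token is looked up by uid and compared with hash_equals, a captured token stops working as soon as the row is marked logged out or the TTL passes, which is the property the scheme relies on.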
Other considerations for interface development
- Data format: JSON is best, because it is highly cross-platform. When generating JSON, pay attention to its two forms, objects (dictionaries) and arrays; mobile development languages have no PHP-like foreach that can traverse an object, only arrays can be iterated, and objects are usually accessed by key name.
- Whether the call succeeds or fails, the interface must return explicit data-state information and must not return NULL; if NULL is returned, the iOS side will crash.