Because the mobile side and the PC-side API are shared, you want to do this.
HTML interacts with PHP in the form of Ajax (RESTful API).
1. How to ensure security?
2. What is there to pay attention to?
3. How can I prevent the request from being maxed out by others?
Or, what are the advantages and disadvantages compared to MVC?
Reply content:
1. Security
For anything web-related, security is universal, and you do not have to solve the problem of the method.
For example, input checking: the normal check is two-step (browser, server), so for an API-style design, where requests arrive directly, the server needs to strictly verify incoming data.
Another example is access rights. Although the API is directly exposed to access, it can take additional required parameters as access control. The source and mode of the parameter depend on you.
2. What is there to pay attention to?
The problem is really too wide.
3. Anti-brush
In fact, this can be included in question 1.
If you pass in a key value as an extra parameter, limit the number of times that key can be used for access. This is just a simple way to deal with it.
However, this approach does not work if a suspected CSRF attack is encountered.
In fact, any web application can be captured by packet analysis, then interpreted as a "pseudo-API" (not a technical term), and then used to make requests for results. Crawlers basically work this way.
So the points that need attention are (in fact, this is the answer to question 2):
1. Security
Security policies for issues such as permissions on the system itself
Security protection against attacks
2. Crawler
Anti-crawler-related technology.
Security issues: If your data level is high, use HTTPS.
Anti-brush: server-side multi-IP throttling. The client side can use JS to generate an encrypted string, which can also guard against brushing (but it will be cracked; Google's passport also does this, only its JS algorithm is very difficult).
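
The per-key access limit from the first answer and the server-side per-IP throttling from the second, combined in one added PHP 8 example (not code from either answer). The limits, the key format and the `handle()` function are assumptions for illustration, and the in-memory array stands in for a store shared by all PHP workers.

```php
<?php
declare(strict_types=1);

// In-memory store for demonstration only; a real deployment needs a store
// shared by all PHP workers (assumption: something like Redis or APCu).
final class SlidingWindowLimiter
{
    private array $hits = []; // bucket name => timestamps of accepted requests

    public function __construct(private int $limit, private float $window) {}

    public function allow(string $bucket, float $now): bool
    {
        // Keep only the timestamps that are still inside the window.
        $recent = array_values(array_filter(
            $this->hits[$bucket] ?? [],
            fn (float $t): bool => $t > $now - $this->window
        ));
        $allowed = count($recent) < $this->limit;
        if ($allowed) {
            $recent[] = $now;
        }
        $this->hits[$bucket] = $recent;
        return $allowed;
    }
}

function handle(SlidingWindowLimiter $perKey, SlidingWindowLimiter $perIp,
                string $apiKey, string $ip, float $now): int
{
    // Strict server-side check of the key format before it is used anywhere.
    if (preg_match('/\A[A-Za-z0-9]{16,64}\z/', $apiKey) !== 1) {
        return 400;
    }
    // IP bucket first, so rotating keys from one address is still capped.
    if (!$perIp->allow("ip:$ip", $now) || !$perKey->allow("key:$apiKey", $now)) {
        return 429;
    }
    return 200;
}

// Hypothetical limits: 5 requests/minute per key, 20 requests/minute per IP.
$perKey = new SlidingWindowLimiter(5, 60.0);
$perIp  = new SlidingWindowLimiter(20, 60.0);
// Constructed traffic: 7 requests in 7 seconds, one key, one address.
$key = 'k3yExampleConstructed001';
for ($i = 0; $i < 7; $i++) {
    echo handle($perKey, $perIp, $key, '203.0.113.7', 1000.0 + $i), "\n";
}
echo handle($perKey, $perIp, "bad key'--", '203.0.113.7', 1010.0), "\n";
```

Run from the CLI, the first five requests return 200, the next two return 429 because the key's window is full, and the malformed key returns 400 without touching either limiter.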