Mobile Terminal and PHP server interface communication process design Enhanced Edition

Source: Internet
Author: User
Tags: php, server

This article introduces the enhanced version of the communication process design between the mobile terminal and the PHP server interface; if you are interested in the PHP tutorial, refer to it. It builds on the earlier article: Design of the communication process between mobile and PHP server interfaces (Basic edition).

The security of api_token can be further enhanced:

Enhancement 1:

Add two more tables, an interface table and an authorization table. The reference design is as follows:

Interface table

Field name    Field type      Note
api_id        int             Interface ID
api_name      varchar(120)    Interface name, with "/" as the separator, e.g. blog/Index/addBlog
api_domain    varchar(256)    Interface domain
is_enabled    tinyint(1)      Availability: 1 = available, 0 = unavailable
add_time      int             Add time (timestamp)

(Note: only the core fields are listed; add other fields as needed.)

Authorization table

Field name    Field type      Note
client_id     int             Client ID
api_id        int             API ID
api_name      varchar(120)    Interface name, with "/" as the separator, e.g. blog/Index/addBlog
is_enabled    tinyint(1)      Availability: 1 = available, 0 = unavailable
add_time      int             Add time (timestamp)
expire_time   int             Expiration time (timestamp)

(Note: only the core fields are listed; add other fields as needed.)

The execution process is as follows:

1. Compare the api_token generated by the mobile terminal with the one generated by the server. If the two tokens differ, return an error; otherwise continue to the next step.

2. Assemble api_name from the interface URL and, together with the client_id sent by the client, use it to look up the record in the authorization table. If the record exists and is valid (is_enabled is 1 and expire_time has not passed), the permission check passes and the interface data is returned; otherwise an error is returned.
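As an added example that is not part of the original article, the following PHP implements step 2 against the authorization table above. It uses an in-memory SQLite database through PDO (assumed to be available) seeded with constructed rows, so it runs offline; the function names, the sample URL and the client IDs are assumptions. The step 1 token comparison from the basic edition is assumed to have already passed.

```php
<?php
// Added example (not from the original article): authorization-table lookup for
// step 2 of the process above. In-memory SQLite with constructed sample rows;
// column names follow the authorization table in the article.

declare(strict_types=1);

function createSchema(PDO $db): void
{
    $db->exec(
        'CREATE TABLE authorization (
            client_id   INTEGER NOT NULL,
            api_id      INTEGER NOT NULL,
            api_name    VARCHAR(120) NOT NULL,
            is_enabled  TINYINT(1) NOT NULL DEFAULT 1,
            add_time    INTEGER NOT NULL,
            expire_time INTEGER NOT NULL,
            PRIMARY KEY (client_id, api_id)
        )'
    );
}

// Constructed sample data: client 1 may call addBlog, client 2 has a disabled
// grant, client 3 has a grant that expired a day ago, client 4 has no record.
function seed(PDO $db, int $now): void
{
    $stmt = $db->prepare(
        'INSERT INTO authorization (client_id, api_id, api_name, is_enabled, add_time, expire_time)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([1, 10, 'blog/Index/addBlog', 1, $now, $now + 86400 * 30]);
    $stmt->execute([2, 10, 'blog/Index/addBlog', 0, $now, $now + 86400 * 30]);
    $stmt->execute([3, 10, 'blog/Index/addBlog', 1, $now - 86400 * 2, $now - 86400]);
}

// Assemble api_name from the request URL: keep only the path, strip slashes.
// "/blog/Index/addBlog?title=hello" becomes "blog/Index/addBlog".
function apiNameFromUrl(string $url): string
{
    $path = parse_url($url, PHP_URL_PATH);
    return is_string($path) ? trim($path, '/') : '';
}

// Step 2: the record must exist, be enabled, and not be expired. client_id and
// api_name come from the request, so both are bound as prepared-statement
// parameters rather than interpolated into the SQL.
function isAuthorized(PDO $db, int $clientId, string $apiName, int $now): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM authorization
          WHERE client_id = :client_id AND api_name = :api_name
            AND is_enabled = 1 AND expire_time > :now
          LIMIT 1'
    );
    $stmt->execute([':client_id' => $clientId, ':api_name' => $apiName, ':now' => $now]);
    return $stmt->fetchColumn() !== false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$now = time();
createSchema($db);
seed($db, $now);

$apiName = apiNameFromUrl('/blog/Index/addBlog?title=hello');
foreach ([1, 2, 3, 4] as $clientId) {
    $ok = isAuthorized($db, $clientId, $apiName, $now);
    printf("client %d -> %s\n", $clientId, $ok ? 'authorized' : 'denied');
}
```

Only the enabled, unexpired grant for client 1 passes; the disabled grant, the expired grant and the missing record are all denied by the same query, which keeps the three failure cases from being handled inconsistently in application code.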

Enhancement 2:

I am not sure what counts as a special interface; in short, I feel that an HTTP request may be hijacked and the parameters it carries tampered with. For example:

There is a direct transfer interface. On the page I enter 5 yuan, meaning I want to transfer 5 yuan to the other party. During the HTTP transfer the request is intercepted and tampered with: the amount becomes 10000 yuan and the recipient is changed to a "hacker" account. That would be no small loss. After thinking about it, there should be two solutions to this problem:

Solution 1: use https, a widely accepted security mechanism;

Solution 2: use a digital signature. The implementation principle is as follows:

For an HTTP request that needs to pass the following three parameters:

parameter name 1 = parameter value 1
parameter name 2 = parameter value 2
parameter name 3 = parameter value 3

we can append one more parameter named identity_key (the name itself is not important). Its value is the preceding parameter values concatenated in order, followed by the encryption key, and then hashed.

That is (with "." denoting PHP string concatenation):

identity_key = md5(parameter value 1 . parameter value 2 . parameter value 3 . encryption key)

Therefore the parameters finally passed are:

parameter name 1 = parameter value 1
parameter name 2 = parameter value 2
parameter name 3 = parameter value 3
client_id = client_id value
identity_key = md5(parameter value 1 . parameter value 2 . parameter value 3 . client_id value . encryption key)

After receiving the parameters, the server regenerates identity_key with the same rule and compares it against the identity_key sent by the client. If the two differ, the request has been tampered with. What to do from there is up to you.
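As an added example that is not part of the original article, the following PHP implements the identity_key scheme exactly as described (md5 over the concatenated values, client_id and the encryption key) together with the server-side check, and then goes beyond the text with a hardened HMAC-SHA256 variant that delimits the signed fields and adds a timestamp. The secret, the parameter names and the sample transfer request are constructed for the example.

```php
<?php
// Added example (not from the original article): request signing with identity_key
// as described above, the server-side verification, and a hardened HMAC variant.
// SERVER_SECRET, the field names and the sample request are constructed.

declare(strict_types=1);

const SERVER_SECRET = 'example-encryption-key-placeholder'; // constructed placeholder

// The scheme as the article states it: concatenate the parameter values in order,
// append client_id and the encryption key, and take the md5.
function identityKey(array $values, int $clientId, string $secret): string
{
    return md5(implode('', $values) . $clientId . $secret);
}

// Server side: recompute identity_key from the received parameters in the agreed
// field order and compare. hash_equals is constant-time, so the comparison does
// not leak the expected value through timing.
function verifyIdentityKey(array $request, array $signedFields, string $secret): bool
{
    if (!isset($request['identity_key'], $request['client_id'])) {
        return false;
    }
    $values = [];
    foreach ($signedFields as $name) {
        if (!isset($request[$name])) {
            return false;
        }
        $values[] = (string) $request[$name];
    }
    $expected = identityKey($values, (int) $request['client_id'], $secret);
    return hash_equals($expected, (string) $request['identity_key']);
}

// Hardened variant (beyond the article): HMAC-SHA256 over url-encoded name=value
// pairs in sorted order. Delimiting the values stops ("ab","c") and ("a","bc") from
// producing the same signature; the timestamp bounds how long a captured request
// stays valid.
function hmacSignature(array $fields, string $secret): string
{
    ksort($fields);
    $pairs = [];
    foreach ($fields as $name => $value) {
        $pairs[] = rawurlencode((string) $name) . '=' . rawurlencode((string) $value);
    }
    return hash_hmac('sha256', implode('&', $pairs), $secret);
}

function verifyHmacRequest(array $request, string $secret, int $now, int $maxSkew = 300): bool
{
    if (!isset($request['signature'], $request['timestamp'])) {
        return false;
    }
    if (abs($now - (int) $request['timestamp']) > $maxSkew) {
        return false; // outside the accepted time window
    }
    $fields = $request;
    unset($fields['signature']);
    return hash_equals(hmacSignature($fields, $secret), (string) $request['signature']);
}

// Constructed transfer request from the article's scenario: 5 yuan to "alice".
$signedFields = ['to_account', 'amount', 'memo'];
$request = [
    'to_account' => 'alice',
    'amount'     => '5',
    'memo'       => 'lunch',
    'client_id'  => 42,
];
$request['identity_key'] = identityKey(
    [$request['to_account'], $request['amount'], $request['memo']],
    $request['client_id'],
    SERVER_SECRET
);
var_dump(verifyIdentityKey($request, $signedFields, SERVER_SECRET)); // request as sent

$tampered = $request;
$tampered['amount'] = '10000';       // amount changed in transit
$tampered['to_account'] = 'hacker';  // recipient changed in transit
var_dump(verifyIdentityKey($tampered, $signedFields, SERVER_SECRET));

$now = time();
$hmacRequest = ['to_account' => 'alice', 'amount' => '5', 'client_id' => 42, 'timestamp' => $now];
$hmacRequest['signature'] = hmacSignature($hmacRequest, SERVER_SECRET);
var_dump(verifyHmacRequest($hmacRequest, SERVER_SECRET, $now));
var_dump(verifyHmacRequest($hmacRequest, SERVER_SECRET, $now + 3600)); // one hour later
```

Two points to keep in mind when deploying this: the check only detects tampering while the encryption key stays secret on both sides, and the md5 scheme as described does not stop an unmodified request from being resent, which is what the timestamp in the HMAC variant addresses. Both sides must also agree on the exact field order before the signature can be reproduced.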

This concludes the enhanced version of the communication process design between the mobile terminal and the PHP server interface; I hope it helps those who are interested in the PHP tutorial.
