This time I will walk you through the security verification steps for a PHP API interface and the points to watch for when developing one; below is a worked case, so let's look at it together.
PHP API interface
In day-to-day work, writing API interfaces in PHP is common. The front end calls the interface to fetch the data it provides, and the returned data is generally in one of two forms, XML or JSON. During this exchange the server does not know where a request comes from, and someone else could call our interface illegitimately to pull the data, so we need security authentication.
Verification principle
As the diagram in the original post shows, the front end must combine several parameters to generate a signature before it can call the interface:
Timestamp: the current time
Random number: a randomly generated string (nonce)
Password: a secret agreed between the front end and the back end in advance, equivalent to a password (the token)
Algorithm rules: an agreed set of operations that turns the three parameters above into a signature
The front end generates the signature and, when it needs to access the interface, passes the timestamp, the random number and the signature to the back end through the URL. The back end takes the timestamp and the random number, computes the signature with the same algorithm rules, and compares it with the signature that was passed in; if they match, it returns the data.
Algorithm rules
In the interaction between front end and back end the algorithm rules are very important: both sides use the same rules to calculate the signature. How the rules are formulated is entirely up to you.
My algorithm rules are:
1 Sort the timestamp, random number and password as strings (by their leading characters)
2 Concatenate them into one string
3 Hash the string with SHA1
4 Hash the result again with MD5
5 Convert to uppercase
Front end
I do not have a real front end here, so a PHP file stands in for it and the GET request is simulated with curl. I am using the ThinkPHP (TP) framework, and the URL is in PATH_INFO format.
Source
<?php
/**
 * Created by PhpStorm.
 * User: Administrator
 * Date: 2017/3/16 0016
 * Time: 15:56
 */
namespace Client\Controller;

use Think\Controller;

class ClientController extends Controller
{
    // shared secret agreed with the server side
    const TOKEN = 'API';

    // simulate the front end requesting the server API interface
    public function getDataFromServer()
    {
        // timestamp
        $timeStamp = time();
        // random number (nonce)
        $randomStr = $this->createNonceStr();
        // generate the signature
        $signature = $this->arithmetic($timeStamp, $randomStr);
        // URL address (PATH_INFO format: /t/<timestamp>/r/<nonce>/s/<signature>)
        $url = "http://www.apitest.com/server/server/respond/t/{$timeStamp}/r/{$randomStr}/s/{$signature}";
        $result = $this->httpGet($url);
        dump($result);
    }

    // curl simulates a GET request
    private function httpGet($url)
    {
        $curl = curl_init();
        // the address to request
        curl_setopt($curl, CURLOPT_URL, $url);
        // return the response as a string instead of printing it directly
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    }

    // randomly generated string
    private function createNonceStr($length = 8)
    {
        $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        $str = "";
        for ($i = 0; $i < $length; $i++) {
            $str .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
        }
        return "Z" . $str;
    }

    /**
     * @param $timeStamp timestamp
     * @param $randomStr random string
     * @return string the signature
     */
    private function arithmetic($timeStamp, $randomStr)
    {
        $arr['timeStamp'] = $timeStamp;
        $arr['randomStr'] = $randomStr;
        $arr['token'] = self::TOKEN;
        // sort the values as strings (by their leading characters)
        sort($arr, SORT_STRING);
        // concatenate into one string
        $str = implode($arr);
        // hash: SHA1, then MD5 of the hex digest
        $signature = sha1($str);
        $signature = md5($signature);
        // convert to uppercase
        $signature = strtoupper($signature);
        return $signature;
    }
}
Server-side
The server accepts the parameters sent by the front end and verifies them.
Source
<?php
/**
 * Created by PhpStorm.
 * User: Administrator
 * Date: 2017/3/16 0016
 * Time: 16:01
 */
namespace Server\Controller;

use Think\Controller;

class ServerController extends Controller
{
    // shared secret agreed with the client side
    const TOKEN = 'API';

    // respond to the front-end request
    public function respond()
    {
        // verify identity: read the parameters passed in the URL
        $timeStamp = $_GET['t'];
        $randomStr = $_GET['r'];
        $signature = $_GET['s'];
        // recompute the signature with the same rules and compare
        $str = $this->arithmetic($timeStamp, $randomStr);
        if ($str != $signature) {
            echo "-1";
            exit;
        }
        // mock data returned on success
        $arr['name'] = 'API';
        $arr['age'] = 15;
        $arr['address'] = 'zz';
        $arr['ip'] = "192.168.0.1";
        echo json_encode($arr);
    }

    /**
     * @param $timeStamp timestamp
     * @param $randomStr random string
     * @return string the signature
     */
    public function arithmetic($timeStamp, $randomStr)
    {
        $arr['timeStamp'] = $timeStamp;
        $arr['randomStr'] = $randomStr;
        $arr['token'] = self::TOKEN;
        // sort the values as strings (by their leading characters)
        sort($arr, SORT_STRING);
        // concatenate into one string
        $str = implode($arr);
        // hash: SHA1, then MD5 of the hex digest
        $signature = sha1($str);
        $signature = md5($signature);
        // convert to uppercase
        $signature = strtoupper($signature);
        return $signature;
    }
}
Results
string(57) "{"name":"API","age":15,"address":"zz","ip":"192.168.0.1"}"
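The signature rule from the algorithm section and the server-side check in respond() carried through as an added example in Python, not part of the original post or its ThinkPHP code. It goes one step further than the post: the verifier also rejects timestamps outside an acceptance window, refuses a nonce it has already accepted (so a captured URL cannot simply be replayed), and compares signatures in constant time. The token value, the 300-second window and all sample timestamps are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN = "API"     # the post's shared secret (constructed value, change it)
MAX_SKEW = 300    # assumed acceptance window in seconds; the post has none

def make_signature(timestamp, nonce, token=TOKEN):
    """The post's rule: sort the three values as strings (like PHP sort(..., SORT_STRING)),
    concatenate, SHA1, then MD5 of the hex digest, upper-case."""
    joined = "".join(sorted([str(timestamp), nonce, token]))
    sha = hashlib.sha1(joined.encode()).hexdigest()
    return hashlib.md5(sha.encode()).hexdigest().upper()

def make_nonce(length=8):
    """'Z' plus 8 alphanumerics like createNonceStr(), but drawn from a CSPRNG, not mt_rand()."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    return "Z" + "".join(secrets.choice(alphabet) for _ in range(length))

def sign_request(now=None):
    """Client side: the t, r and s parameters the post puts in the URL."""
    t = int(time.time()) if now is None else now
    r = make_nonce()
    return {"t": t, "r": r, "s": make_signature(t, r)}

class Verifier:
    """Server side. Unlike respond(), it also enforces freshness, single use of each
    nonce, and a constant-time comparison of the signature."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self._seen = {}  # nonce -> timestamp of the request it was accepted with

    def verify(self, params, now=None):
        now = int(time.time()) if now is None else now
        try:
            t, r, s = int(params["t"]), str(params["r"]), str(params["s"])
        except (KeyError, ValueError, TypeError):
            return False
        if abs(now - t) > self.max_skew:
            return False                     # stale (or future-dated) request
        # forget nonces whose timestamp left the window; they would fail the check above anyway
        self._seen = {n: ts for n, ts in self._seen.items() if abs(now - ts) <= self.max_skew}
        if r in self._seen:
            return False                     # replay of an already accepted URL
        if not hmac.compare_digest(make_signature(t, r), s):
            return False                     # signature mismatch
        self._seen[r] = t
        return True
```

A PHP server using this scheme would get the same three properties from a time check against time(), a short-lived nonce store (cache or database), and hash_equals() in place of the != comparison.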