WeChat public platform message interface development (2): enabling the interface, part 2

Source: Internet
Author: User
This tutorial takes the Weather God account (WeatherGod) on the public platform as its example. The account supports querying the weather of nearly 400 cities in China by city name, pinyin, area code or zip code, and by voice, and this series walks through the interface development process. You are welcome to follow the account and query your local weather by voice; the QR code is at the bottom.


This article continues from WeChat public platform message interface development (1): enabling the interface.


3. Solution when the server does not respond to Token verification

1. Technical analysis

This time we add an HTTP request tracing method to the code, so we can check whether our server received the platform's request at all and whether it responded.
The PHP superglobal $_SERVER holds the HTTP request information.

    $_SERVER["REMOTE_ADDR"]   // the visitor's IP address; we record it to see whether the WeChat server has reached us
    $_SERVER["QUERY_STRING"]  // the request's query string

Add this to the code from the previous part and write the values to a local file. The complete code is as follows:

    <?php
    define("TOKEN", "your_token");   // placeholder: the Token you entered on the public platform
    traceHttp();                     // record the request in log.html before answering it

    $wechatObj = new wechatCallbackapiTest();
    $wechatObj->valid();

    class wechatCallbackapiTest
    {
        public function valid()
        {
            $echoStr = $_GET["echostr"];             // random string
            if ($this->checkSignature()) {
                echo $echoStr;
                exit;
            }
        }

        private function checkSignature()
        {
            $signature = $_GET["signature"];         // encrypted signature
            $timestamp = $_GET["timestamp"];         // timestamp
            $nonce     = $_GET["nonce"];             // random number
            $token     = TOKEN;
            $tmpArr    = array($token, $timestamp, $nonce);
            sort($tmpArr);                           // sort, join, then sha1
            if (sha1(implode($tmpArr)) == $signature) {
                return true;
            } else {
                return false;
            }
        }
    }

    function traceHttp()
    {
        logger("");
        // the visitor's IP; 101.226.* was the WeChat server range observed at the time
        logger("REMOTE_ADDR:" . $_SERVER["REMOTE_ADDR"]
            . ((strpos($_SERVER["REMOTE_ADDR"], "101.226") !== false) ? " From WeiXin" : " Unknown IP"));
        logger("QUERY_STRING:" . $_SERVER["QUERY_STRING"]);   // the request's query string
    }

    function logger($content)
    {
        // one line per entry, prefixed with the time it was written
        file_put_contents("log.html", date('Y-m-d H:i:s') . " " . $content . "\n", FILE_APPEND);
    }
    ?>


Running this generates a log.html file in the current directory.
Each time the URL you entered is opened in a browser, one record is written to the file.

Open the log.html path under the same URL directly in a browser. My records are as follows:

    2013-01-30 10:15:18
    2013-01-30 10:15:18 REMOTE_ADDR:212.179.24.103 Unknown IP
    2013-01-30 10:15:18 QUERY_STRING:

Click Submit on the public platform, and the following record is generated:

    2013-01-30 10:15:49
    2013-01-30 10:15:49 REMOTE_ADDR:101.226.89.83 From WeiXin
    2013-01-30 10:15:49 QUERY_STRING:signature=eded789463180edf6c13691398d0cb4c85fb0e23&echostr=5838479218127813673&timestamp=1359100969&nonce=1359376876

From the above we can see that the request comes from the IP address 101.226.89.83; yes, I put this address prefix into the code and checked it myself.
The query string also matches the one described in the official guide, so you can confirm that the platform did submit the request to the server, and the submission should succeed. If it still fails, the cause is on your own side.


2. The universal method

If you still have not submitted successfully with the method above, and after tossing the interface-enabling step N times you are disheartened and ready to give up interface development, you must take a look at the following omnipotent method.
Let's look at the verification source code again.

    $wechatObj = new wechatCallbackapiTest();
    $wechatObj->valid();

    class wechatCallbackapiTest
    {
        public function valid()
        {
            $echoStr = $_GET["echostr"];   // random string
            if ($this->checkSignature()) {
                echo $echoStr;
                exit;
            }
        }
        // checkSignature() unchanged from above
    }

In effect, valid() calls checkSignature(), and if the signature check succeeds the response is the echoStr.
What if we simply skip this signature check ......

    public function valid()
    {
        $echoStr = $_GET["echostr"];
        if (true) {              // signature check skipped
            echo $echoStr;
            exit;
        }
    }

After testing, the submission succeeds, which proves this works too. But ....
There seems to be a huge vulnerability hidden behind this shortcut: with the signature check skipped, the server answers any request, not just those from WeChat, and the damage could be unlimited !!!
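As an added example (written for this edit, not the tutorial's PHP and not part of the original post), here is the same Token verification in Python so it can be run against a query string of the shape section 1's trace log records, next to the if(true) shortcut from section 2; the Token, timestamp, nonce and echostr values are constructed, and the comparison uses a constant-time check where the tutorial uses ==:

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs


def compute_signature(token: str, timestamp: str, nonce: str) -> str:
    """Same rule as the PHP checkSignature(): sort the three strings,
    concatenate them and take the sha1 hex digest."""
    return hashlib.sha1("".join(sorted([token, timestamp, nonce])).encode()).hexdigest()


def parse_query(query_string: str) -> dict:
    """Flatten the QUERY_STRING the platform sends into a name -> value dict."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def valid(token: str, query_string: str) -> Optional[str]:
    """Proper handler: return echostr only when the signature verifies."""
    q = parse_query(query_string)
    try:
        expected = compute_signature(token, q["timestamp"], q["nonce"])
        # constant-time comparison, the equivalent of PHP's hash_equals()
        if hmac.compare_digest(expected, q["signature"]):
            return q["echostr"]
    except KeyError:
        pass  # a parameter is missing: treat as a failed verification
    return None


def valid_bypassed(query_string: str) -> Optional[str]:
    """The section-2 shortcut, if(true): echoes echostr for ANY request."""
    return parse_query(query_string).get("echostr")


# Constructed demo values; the tutorial's real Token is not shown on this page.
TOKEN = "constructed_token"
TS, NONCE, ECHO = "1359100969", "1359376876", "5838479218127813673"
GENUINE = ("signature=" + compute_signature(TOKEN, TS, NONCE)
           + "&echostr=" + ECHO + "&timestamp=" + TS + "&nonce=" + NONCE)
# The same request with a forged signature, as sent by a client that lacks the Token.
FORGED = GENUINE.replace(compute_signature(TOKEN, TS, NONCE), "0" * 40)

if __name__ == "__main__":
    print("proper handler, genuine request :", valid(TOKEN, GENUINE))   # echostr
    print("proper handler, forged request  :", valid(TOKEN, FORGED))    # None
    print("bypassed handler, forged request:", valid_bypassed(FORGED))  # echostr
```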


Address: http://www.cnblogs.com/txw1958/archive/2013/01/31/weixin-if2-enable.html




How to follow Weather God (account WeatherGod):

1. Enter the following in sequence: Friends > Add friends > Search number, enter WeatherGod (case insensitive), click Search, then click Follow.
