I wrote an API interface and want to approve people before they can use it; looking for implementation ideas, thank you

Source: Internet
Author: User
[Urgent] I wrote an API interface and want only approved people to be able to use it; looking for implementation ideas, thank you
The interface is called like this: $this->file_get_content("http://127.0.0.40/api.php?goods_id=XXXX");

The interface file just print_r's some arrays.

For people who want to use my interface, I need to approve their domain name before they can use it.

I looked up some methods on the Internet, such as the following:
$parse_url = parse_url($_SERVER['HTTP_REFERER']);
$url_from = $parse_url['host'];
This can get the source URL, but only when the request arrives by clicking a hyperlink; with file_get_content it does not seem to work.

Experts, please give me some pointers and share your approach, thank you!


------Solution--------------------
Then use the simplest login authentication: have them pass the account and password first, and if the account and password check out, return the result directly.
------Solution--------------------
Verify the IP instead. HTTP_REFERER can be forged.
------Solution--------------------
file_get_content is not very reliable; use curl or fsockopen.
------Solution--------------------
For approval, use a login; there is no other way. We all work in IT, so talk technical details, not superstition.
------Solution--------------------
discuss
Verify the IP instead. HTTP_REFERER can be forged.

------Solution--------------------
$this->file_get_content
If this is a method that executes on your server, then since you can execute it, you naturally have permission.
If this is executed in his own code and what it calls is your service, then you are providing the interface to others, and you still talk about permissions?

------Solution--------------------
1. file_get_content can add headers, and of course it can also add HTTP_REFERER
2. HTTP_REFERER is unreliable

------Solution--------------------
I feel it is more convenient to use an account and password.
------Solution--------------------
Log in first, then call the API.
------Solution--------------------
Set up an IP-ticket key-value pair and issue it to the user, so that access is allowed only from the specified IP with the specified ticket ...
Or learn from Google: no restrictions, just limit your daily visits ... Ha ha
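
The IP-plus-ticket check and the daily limit suggested in the last answer, sketched in PHP as an added example that is not part of the original thread. The function names, IPs and tickets are hypothetical sample values, and the `$counters` array stands in for a shared store such as a database.

```php
<?php
declare(strict_types=1);

// Constructed sample data: approved caller IP => SHA-256 of the ticket issued to it.
function approved_clients(): array
{
    return [
        '203.0.113.10' => hash('sha256', 'sample-ticket-shop-a'),
        '198.51.100.7' => hash('sha256', 'sample-ticket-shop-b'),
    ];
}

// $remoteAddr must be the TCP peer address ($_SERVER['REMOTE_ADDR']), never a
// caller-supplied header such as Referer, which the caller can set freely.
function is_authorized(string $remoteAddr, string $ticket, array $clients): bool
{
    // Unknown IPs are compared against a dummy hash so both paths do the same work.
    $expected = $clients[$remoteAddr] ?? hash('sha256', 'no-such-client');
    $match = hash_equals($expected, hash('sha256', $ticket)); // constant-time compare
    return array_key_exists($remoteAddr, $clients) && $match;
}

// Per-IP daily quota; $counters is an in-memory stand-in for persistent storage.
function within_quota(string $remoteAddr, array &$counters, int $limit, string $day): bool
{
    $key = $day . '|' . $remoteAddr;
    $counters[$key] = ($counters[$key] ?? 0) + 1;
    return $counters[$key] <= $limit;
}

// Demo over constructed requests: [peer IP, ticket sent by the caller]
$counters = [];
$requests = [
    ['203.0.113.10', 'sample-ticket-shop-a'], // approved IP, correct ticket
    ['203.0.113.10', 'wrong-ticket'],         // approved IP, wrong ticket
    ['192.0.2.99',   'sample-ticket-shop-a'], // valid ticket replayed from another IP
    ['203.0.113.10', 'sample-ticket-shop-a'], // second good call
    ['203.0.113.10', 'sample-ticket-shop-a'], // third good call with a quota of 2
];
foreach ($requests as [$ip, $ticket]) {
    if (!is_authorized($ip, $ticket, approved_clients())) {
        $status = '403 forbidden';
    } elseif (!within_quota($ip, $counters, 2, date('Y-m-d'))) {
        $status = '429 quota exceeded';
    } else {
        $status = '200 ok';
    }
    printf("%-14s %-22s %s\n", $ip, $ticket, $status);
}
```

In api.php the ticket would arrive as a request parameter or header sent over HTTPS, and the check would run before any goods data is printed.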