Home>Article>Backend Development> PHP development api interface security verification
php’s api interface
In actual work, it is common to use PHP to write api interfaces. After PHP writes the interface, the front desk can obtain the data provided by the interface through the link. , and the returned data is generally divided into two situations, xml and json. In this process, the server does not know the source of the request. It may be that someone else illegally calls our interface to obtain data, so it is necessary to use security verify.
Verification principle
Schematic diagram
##Principle
It can be clearly seen from the picture that if the front desk wants to call the interface, it needs to use several parameters to generate a signature. ● Timestamp: current time ● Random number: randomly generated random number ● Password: During front-end and back-end development, an identifier known to both parties, equivalent to Password ● Algorithm rules: Agreed operation rules, the above three parameters can use the algorithm rules to generate a signature. The frontend generates a signature. When accessing the interface is required, the timestamp, random number, and signature are passed to the backend through the URL. After getting the timestamp and random number in the background, it calculates the signature through the same algorithm rules, and then compares it with the passed signature. If it is the same, the data is returned.Algorithm rules
In the front-end and back-end interactions, algorithm rules are very important. Both front-end and back-end must calculate signatures through algorithm rules. As for how to formulate the rules, see Come as you please. My algorithm rules are ● Timestamp, random number, password are sorted in case order of the first letter ● Then spliced into a string ● Perform sha1 encryption ● Then perform MD5 encryption ● Convert to uppercase.Front desk
I don’t have an actual front desk here. I directly use a PHP file instead of the front desk, and then simulate a GET request through CURL. I am using the TP framework and the URL format is pathinfo format.Source code
createNonceStr(); //生成签名 $signature = $this -> arithmetic($timeStamp,$randomStr); //url地址 $url = "http://www.apitest.com/Server/Server/respond/t/{$timeStamp}/r/{$randomStr}/s/{$signature}"; $result = $this -> httpGet($url); dump($result); } //curl模拟get请求。 private function httpGet($url){ $curl = curl_init(); //需要请求的是哪个地址 curl_setopt($curl,CURLOPT_URL,$url); //表示把请求的数据已文件流的方式输出到变量中 curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); $result = curl_exec($curl); curl_close($curl); return $result; } //随机生成字符串 private function createNonceStr($length = 8) { $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; $str = ""; for ($i = 0; $i < $length; $i++) { $str .= substr($chars, mt_rand(0, strlen($chars) - 1), 1); } return "z".$str; } /** * @param $timeStamp 时间戳 * @param $randomStr 随机字符串 * @return string 返回签名 */ private function arithmetic($timeStamp,$randomStr){ $arr['timeStamp'] = $timeStamp; $arr['randomStr'] = $randomStr; $arr['token'] = self::TOKEN; //按照首字母大小写顺序排序 sort($arr,SORT_STRING); //拼接成字符串 $str = implode($arr); //进行加密 $signature = sha1($str); $signature = md5($signature); //转换成大写 $signature = strtoupper($signature); return $signature; } }
Server side
Accept foreground data for verificationSource Code
arithmetic($timeStamp,$randomStr); if($str != $signature){ echo "-1"; exit; } //模拟数据 $arr['name'] = 'api'; $arr['age'] = 15; $arr['address'] = 'zz'; $arr['ip'] = "192.168.0.1"; echo json_encode($arr); } /** * @param $timeStamp 时间戳 * @param $randomStr 随机字符串 * @return string 返回签名 */ public function arithmetic($timeStamp,$randomStr){ $arr['timeStamp'] = $timeStamp; $arr['randomStr'] = $randomStr; $arr['token'] = self::TOKEN; //按照首字母大小写顺序排序 sort($arr,SORT_STRING); //拼接成字符串 $str = implode($arr); //进行加密 $signature = sha1($str); $signature = md5($signature); //转换成大写 $signature = strtoupper($signature); return $signature; } }
Result
string(57) "{"name":"api","age":15,"address":"zz","ip":"192.168.0.1"}"
Summary
This method is just one of the methods. In fact, it is also There are many ways to perform security verification. For more PHP related knowledge, please visitPHP Tutorial!
The above is the detailed content of PHP development api interface security verification. For more information, please follow other related articles on the PHP Chinese website!