
Let’s talk about TP’s security verification issues in the app interface development process

Reposted by 藏色散人, 2021-12-28 16:00:17, 2848 views

The following ThinkPHP framework tutorial column introduces the communication security authentication issue of ThinkPHP in app interface development. I hope it helps those who need it!

If an interface we have written can be accessed directly without any security authentication, it creates a great security risk for our website: an attacker may use the interface directly to operate on the database, and the consequences are hard to estimate.

So how can we carry out effective security verification?

The access_token mechanism from WeChat development is borrowed here: the app front-end engineer obtains a token by submitting the appid and appsecret, and the server caches the token for 7200 seconds. If the client requested the token directly on every call, the token would be reset every time;

so the client should cache it as well. The client checks whether a local token exists; if it does, it passes the token as a parameter when calling our API, and the server checks the token's validity and returns accordingly. If the token cached by the client is invalid, the client simply requests a new token. That is the rough idea; the complete reference code follows. If you have a better method, please leave a comment.

```php
<?php
namespace Home\Controller;
use Think\Controller;

// ThinkPHP 3.x controller. The class header and the index() scaffold were lost in
// extraction and are restored here from the ThinkPHP default Home/Index controller.
class IndexController extends Controller {
    // appid and appsecret are hard-coded in the article; in practice they come from the client.
    protected $appid     = 'APPID_PLACEHOLDER';     // placeholder, the original values are not on the page
    protected $appsecret = 'APPSECRET_PLACEHOLDER'; // placeholder, the original values are not on the page

    public function index(){
        $this->show('<h1>:)</h1><p>欢迎使用 <b>ThinkPHP</b>！</p><br/>[ 您现在访问的是Home模块的Index控制器 ]','utf-8');
    }

    // apiReturn() is the author's own response helper and is not shown in the article.
    public function test(){
        // reject a request that carries no token, or a token that is not in the server cache
        if(!isset($_GET['token'])){
            $this->apiReturn(4001,'invalid token');
            return;
        }else if(!S($_GET['token'])){
            $this->apiReturn(4001,'invalid token');
            return;
        }
        $data = array(
            'id'=>2,
            'username'=>'明之暗夜',
            'info'=>array('age'=>24,'address'=>'学府路','url'=>'http://cnblogs.com/dmm888')
        );
        if($data){
            $this->apiReturn(200,'读取用户信息成功',$data,'xml'); // the original passed the bare word xml
        }
    }

    public function getToken(){
        $ori_str = S($this->appid.'_'.$this->appsecret);
        // appid and appsecret are fixed here; in practice they are supplied by the client,
        // so this is the place to do things such as checking that they are valid
        if($ori_str){
            // re-issuing deletes the previous token
            S($ori_str,null);
        }
        // token generation; you can define your own scheme
        $nonce = $this->createNoncestr(32);
        $tmpArr = array($nonce,$this->appid,$this->appsecret);
        sort($tmpArr, SORT_STRING);
        $tmpStr = implode( $tmpArr );
        $tmpStr = sha1( $tmpStr );
        // echo $tmpStr;
        // cached in both directions, 'a'=>b and 'b'=>a
        S($this->appid.'_'.$this->appsecret,$tmpStr,7200);
        S($tmpStr,$this->appid.'_'.$this->appsecret,7200);
        // the article stops here; the new token still has to be sent back to the client
    }

    /**
     * Generate a random string no longer than 32 characters
     * (mt_rand is not a cryptographic generator, so the nonce is predictable)
     */
    function createNoncestr( $length = 32 ) {
        $chars = "abcdefghijklmnopqrstuvwxyz0123456789";
        $str ="";
        for ( $i = 0; $i < $length; $i++ ) {
            $str.= substr($chars, mt_rand(0, strlen($chars)-1), 1);
        }
        return $str;
    }
}
```

I won't write out the specific verification method. This way we only need to hand the appid and appsecret to the app front-end developer and tell him how to use them. The token is unique, and only when it is valid can execution continue, so security is guaranteed to a certain extent.
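As an added example (not the article's code), here is the same appid/appsecret to token flow written without the framework, so both sides can be traced: the token is made from random_bytes instead of a sha1 over an mt_rand nonce, the appsecret is compared with hash_equals, and the client only refreshes on a 4001. The APPS credential, the array standing in for the S() cache and the timestamps are constructed for the demo.

```php
<?php
// Added example (not the article's code): a framework-free sketch of the same
// appid/appsecret -> token flow. A plain array with expiry timestamps stands in
// for ThinkPHP's S() cache; APPS holds one constructed demo credential.
const TOKEN_TTL = 7200;
const APPS = ['demo_app' => 'demo_secret_for_example_only'];

function cache_set(array &$cache, string $k, $v, int $ttl, int $now): void {
    $cache[$k] = [$v, $now + $ttl];
}
function cache_get(array &$cache, string $k, int $now) {
    if (!isset($cache[$k]) || $cache[$k][1] <= $now) { unset($cache[$k]); return null; }
    return $cache[$k][0];
}

// Server side: exchange appid+appsecret for a token. The token is 32 random bytes, so unlike
// sha1(nonce.appid.secret) built on mt_rand it cannot be derived from the credentials.
function issue_token(array &$cache, string $appid, string $secret, int $now): ?string {
    if (!isset(APPS[$appid]) || !hash_equals(APPS[$appid], $secret)) return null;
    if ($old = cache_get($cache, "app:$appid", $now)) unset($cache["tok:$old"]); // revoke previous
    $token = bin2hex(random_bytes(32));
    cache_set($cache, "app:$appid", $token, TOKEN_TTL, $now);
    cache_set($cache, "tok:$token", $appid, TOKEN_TTL, $now);
    return $token;
}

// Server side: a protected action. The token check runs before any data is touched.
function api_test(array &$cache, ?string $token, int $now): array {
    $appid = ($token === null || $token === '') ? null : cache_get($cache, "tok:$token", $now);
    if ($appid === null) return ['code' => 4001, 'msg' => 'invalid token'];
    return ['code' => 200, 'data' => ['id' => 2, 'appid' => $appid]];
}

// Client side: reuse the locally cached token; fetch a new one only when none is
// cached or the server answered 4001.
function client_request(array &$cache, ?string &$tok, string $appid, string $secret, int $now): array {
    if ($tok !== null) {
        $r = api_test($cache, $tok, $now);
        if ($r['code'] !== 4001) return $r;
    }
    $tok = issue_token($cache, $appid, $secret, $now);
    return $tok === null ? ['code' => 4001, 'msg' => 'invalid credentials'] : api_test($cache, $tok, $now);
}

// Walk-through: the first call obtains a token, the second reuses it, after 7200 s it is refreshed.
$cache = []; $tok = null; $t0 = 1000000; $cred = ['demo_app', 'demo_secret_for_example_only'];
$r1 = client_request($cache, $tok, $cred[0], $cred[1], $t0); $first = $tok;
$r2 = client_request($cache, $tok, $cred[0], $cred[1], $t0 + 10); $reused = ($tok === $first);
$r3 = client_request($cache, $tok, $cred[0], $cred[1], $t0 + TOKEN_TTL + 1);
printf("%d %d %d reused=%d refreshed=%d\n", $r1['code'], $r2['code'], $r3['code'], $reused, $tok !== $first);
```

Swapping the array for S() and the demo credential table for a real lookup gives the same structure as the controller above, with the token no longer computable by anyone who knows the appid and appsecret.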

Recommended learning: "The latest 10 thinkphp video tutorials"


Statement:
This article is reproduced from juejin.im. If there is any infringement, please contact admin@php.cn for deletion.