Active and Passive in PHP Language Process Control_PHP Tutorial

Over the past year, most PHPers have been working hard on projects such as Taobao revision, cloud computing, Tencent open platform, and online games. These works are indispensable for PHPers. I believe that the PHP language can continue to lead the industry for 10 years. We look forward to the next 50 and 100 years. , PHP is still so powerful. We are all a small group of people. Apart from knowing PHP, we are not good at anything else and it is difficult to make a living. Let’s all work hard.

What is active and passive. Let’s give an example. When you go to your boss's office to ask for a salary increase, this is taking the initiative. Whether from your own perspective or from the boss's perspective, you are proactive and optimistic. If the boss asks you to go to the office, and then let him You structure Taobao and give you a 20% salary increase. This is called passive. I believe you will be passive if you promise. Active and passive are simply understood in this way. And we will also encounter such embarrassing active and passive issues in the program process. We See the example.

A clier
When buy qq successfully purchases the goods, notify the QQ main server. Through the http protocol.
file_get_contents('http://www.qq.com/api.php ?add_saleinfo=buy_qq&orderid=12345&pay=888&email=a@qq.com');

The code runs on buy.qq.com, which is understood to be safe, but what is the reality? If someone distributes this interface, the consequences will be immeasurable. Everyone can forge order information and implant it into qq.com. No matter how you restrict the source and check the data. Taking a step back, the person who wrote the code is the most dangerous. Then everyone will ask , since the person who writes the code has great authority, how can it be prevented? This needs to be changed from passive (qq.com) to active. http://www.qq.com/api.php?add_saleinfo=buy_qq Change to no Then receive any order information. It is the token value. After receiving the token value, the interface calls back the query interface of buy.qq, and then stores it in the database. Ordinary users can no longer create token values, even if they know the query interface of buy.qq , and it is impossible to affect qq.com. As the main body, qq.com is basically proactive. It will not be chaotic at all times, but actively analyze and think about warehousing.

The same principle is true, and Taobao players also have it This problem. For example, some browsers that have been exposed in the past modify the pid value in the web page, causing heavy losses to users. This is a passive result. PHP is written like this, PHP requests the Taobao API interface, receives product information, and there are products in it Purchase link, it is this purchase link that makes the webmaster passive. Users who directly href this link on the page may be collected by others and have their pid modified by the browser. Next, you know, pid represents money. Later, someone thought about this problem and took a proactive approach to prevent bugs. That is, the product link was not displayed directly, but modified through a php. The URL that users saw was similar to: www.qq.com/tao/ buy.php?sid=aaaa333 sid is definitely not the pid value. All work is carried out by buy.php, which actively undertakes analysis and security detection work.

QQ Internet 2.0 has been widely used on Internet sites. How does graph.qq.com, which focuses on user data, ensure user security? It must also improve security while ensuring access speed. The current QQ login process is as follows: first, the appid appkey callbackurl is combined into a string of links, and then jumps to qq .com. This is why many sites can jump to the qq login page by directly accessing qqlogin.php, because the parameters are fixed and the security is pretty good. The login process is still at qq.com, which is what phper often talks about Single sign-on. After successful login, it will jump directly to the callbackurl page. The information obtained by callbackurl at this time is still not enough to prove that the user has successfully logged in. It only got the token value, so enter the second step and use the token value to go to the qq api interface. Query the user's openid online and complete the login. In this way, QQ has to take the initiative. The query result is not simply whether it is successful or not, but the corresponding parameters and prompt information. No matter how it is added later, it will be compatible. Tencent has the initiative, and this It is very important for companies with hundreds of millions of users. Internal security also includes determining the correspondence between domain names and appids, token expiration checks, and IP restrictions. From a technical perspective, Tencent has it.

There are many examples of this. PayPal and Alipay are all similar.

http://www.bkjia.com/PHPjc/326143.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/326143.htmlTechArticleOver the past year, the majority of phpers have been working hard, such as Taobao revision, cloud computing, Tencent open platform, online games , these works are indispensable for the contribution of phper. I believe that the php language can continue to lead the industry...