
Active and passive in PHP language process control

高洛峰 (Original)
2016-12-01 11:18:55

Over the past year most PHPers have been busy with projects such as the Taobao redesign, cloud computing, the Tencent open platform and online games, and none of that work could have been done without them. I believe PHP can keep leading the industry for another 10 years, and we hope it is still this strong 50 or even 100 years from now. We are a small crowd: apart from PHP we are not much good at anything else and would struggle to make a living, so let's all keep working hard.

What do active and passive mean? An example: you walk into the boss's office and ask for a raise. That is active; from your own perspective and from the boss's you are taking the initiative and the outlook is good. Now suppose the boss calls you into the office, tells you to build on Taobao's architecture, and raises your salary by 20%. That is passive: I believe that if you agree, you are the one being acted upon. That is the simple meaning of active and passive, and programs run into the same awkward choice. Let's look at an example.

A client, buy.qq.com, notifies the main QQ server over HTTP when a purchase succeeds:
file_get_contents('http://www.qq.com/api.php?add_saleinfo=buy_qq&orderid=12345&pay=888&email=a@qq.com');

The code runs on buy.qq.com, which sounds safe. But what about reality? If this interface leaks, the damage is incalculable: anyone can forge order information and push it into qq.com. No matter how you restrict the source address or validate the data, it does not help, and taking ten thousand steps back, the most dangerous person is the one who writes the code. So people ask: if the author of the code holds that much power, how do you guard against it? By turning qq.com from passive to active. http://www.qq.com/api.php?add_saleinfo=buy_qq is changed so that it no longer accepts any order information; it accepts only a token value. After receiving the token, the interface calls back the query interface on buy.qq.com, and only then writes the result to the database. Ordinary users cannot create tokens, and even if they know buy.qq.com's query interface they cannot influence qq.com. As the principal, qq.com is now essentially active: instead of being thrown into confusion at every moment, it analyses and decides for itself what goes into storage.
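The two designs side by side, as an added example that is not code from the original article. The passive endpoint stores whatever the request carries; the active endpoint accepts only a token and fetches the order itself from buy.qq.com. The token format, the query URL (buy.qq.com/query.php) and the JSON response shape are assumptions, and the HTTP call is replaced by an injected callable so the whole thing runs offline with in-memory stores.

```php
<?php
// Added example (not from the original article). Passive push endpoint on
// qq.com beside the active token-plus-callback version. Names such as
// buy.qq.com/query.php and the 32-hex-digit token format are assumptions.

// --- Passive version: qq.com trusts whatever the request carries. ---
// Anyone who learns this URL can insert an order; source and format checks
// cannot tell a real notification from a forged one.
function passiveAddSale(array $get, array &$db): void
{
    $db[] = ['orderid' => $get['orderid'], 'pay' => (float) $get['pay'], 'email' => $get['email']];
}

// --- Active version ---

// buy.qq.com issues an opaque token when an order is paid. Only this server
// can create one, and the token itself reveals nothing about the order.
function issueToken(array $order, array &$tokens): string
{
    $token = bin2hex(random_bytes(16));
    $tokens[$token] = $order + ['issued' => time()];
    return $token;
}

// buy.qq.com's query interface, called by qq.com rather than by users.
// A real deployment would also restrict callers by IP.
function queryOrder(string $token, array $tokens): ?array
{
    return $tokens[$token] ?? null;
}

// qq.com's api.php: validate the token shape, then actively call back
// buy.qq.com through $fetch (in production file_get_contents or curl).
function activeAddSale(array $get, callable $fetch, array &$db): bool
{
    $token = $get['token'] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false; // malformed or missing token: do nothing
    }
    $json  = $fetch('http://buy.qq.com/query.php?token=' . $token);
    $order = $json === null ? null : json_decode($json, true);
    if (!is_array($order) || !isset($order['orderid'], $order['pay'], $order['email'])) {
        return false; // partner did not confirm this token
    }
    if (!filter_var($order['email'], FILTER_VALIDATE_EMAIL) || !is_numeric($order['pay'])) {
        return false; // partner data still gets validated before storage
    }
    $db[] = ['orderid' => (string) $order['orderid'], 'pay' => (float) $order['pay'], 'email' => $order['email']];
    return true;
}

// --- Demonstration with in-memory stores instead of real HTTP (constructed data). ---
$tokens = [];
$db     = [];

// Passive endpoint: a forged request is stored without question.
$passiveDb = [];
passiveAddSale(['orderid' => '999', 'pay' => '1', 'email' => 'forged@example.com'], $passiveDb);
echo "passive endpoint stored ", count($passiveDb), " order(s) from a forged request\n";

// buy.qq.com side: a real purchase produces a token.
$token = issueToken(['orderid' => '12345', 'pay' => 888, 'email' => 'a@qq.com'], $tokens);

// Simulated HTTP fetch against buy.qq.com's query interface.
$fetch = function (string $url) use (&$tokens): ?string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    $order = queryOrder($q['token'] ?? '', $tokens);
    return $order === null ? null : json_encode($order);
};

var_dump(activeAddSale(['token' => $token], $fetch, $db));                 // genuine token from buy.qq.com
var_dump(activeAddSale(['token' => str_repeat('0', 32)], $fetch, $db));    // guessed token
var_dump(activeAddSale(['orderid' => '999', 'pay' => '1'], $fetch, $db));  // pushed order fields, no token
echo "active endpoint stored ", count($db), " order(s)\n";
```

The active endpoint still validates what buy.qq.com returns: moving to pull does not mean trusting the partner's data blindly, it means that the partner, not an arbitrary client, is the only party who can cause a write.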

The same principle applies to Taobao affiliate webmasters. Some browsers exposed in the past rewrote the pid value inside web pages, and site owners lost heavily. That is the result of being passive. The PHP was written like this: PHP calls the Taobao API and receives the product information, which includes the product purchase link, and it is this purchase link that puts the webmaster in the passive position. Placing that link directly in an href on the page means a user who clicks it can be harvested by a browser that rewrites the pid, and, as you know, the pid is where the money goes. Later someone thought this through and moved from passive to active to stop the hole. The product link is no longer shown directly but passes through a PHP script, so the URL the user sees looks like www.qq.com/tao/buy.php?sid=aaaa333. The sid is certainly not the pid value, and buy.php does all the work: it takes responsibility for the analysis and security checks itself.
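One way to write that buy.php, as an added example rather than code from the article or from any real affiliate site. The page only ever shows an opaque sid; the server resolves it to the stored purchase link, checks the link still points at the expected host and carries the site's own pid, and only then redirects. The sid format, the table of links, the pid value and the Taobao URL shape are all assumptions.

```php
<?php
// Added example (not from the original article). buy.php hides the affiliate
// link behind an opaque sid so the pid never appears in the page. The sid
// pattern, MY_PID, the link table and the URL shape are assumptions.

const MY_PID = 'mm_10000_1_1'; // the site's own affiliate id (assumed value)

// Server-side table: sid => purchase link as returned by the product API.
// In production this lives in a database; constructed here for the demo.
$links = [
    'aaaa333' => 'http://click.taobao.com/buy?item=1001&pid=mm_10000_1_1',
    'bbbb444' => 'http://click.taobao.com/buy?item=1002&pid=mm_99999_9_9', // pid is not ours
    'cccc555' => 'http://evil.example/buy?item=1003&pid=mm_10000_1_1',    // wrong host
];

// The only link the page ever prints: the sid, never the pid.
function publicLink(string $sid): string
{
    return 'http://www.qq.com/tao/buy.php?sid=' . rawurlencode($sid);
}

// Resolve a sid to the redirect target, or null when buy.php must refuse.
function resolveSid(string $sid, array $links): ?string
{
    if (!preg_match('/^[A-Za-z0-9]{4,32}$/', $sid)) {
        return null; // malformed sid
    }
    $url = $links[$sid] ?? null;
    if ($url === null) {
        return null; // unknown sid: no guessing, no open redirect
    }
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $q);
    if (!isset($parts['host']) || !preg_match('/(^|\.)taobao\.com$/', $parts['host'])) {
        return null; // only send users to the expected host
    }
    if (($q['pid'] ?? '') !== MY_PID) {
        return null; // the pid was changed somewhere between the API and storage
    }
    return $url;
}

// Real request handling: redirect only when the sid resolves.
if (PHP_SAPI !== 'cli') {
    $target = resolveSid((string) ($_GET['sid'] ?? ''), $links);
    if ($target === null) {
        http_response_code(404);
        exit('unknown link');
    }
    header('Location: ' . $target, true, 302);
    exit;
}

// CLI demonstration over constructed sids.
foreach (['aaaa333', 'bbbb444', 'cccc555', 'zzzz999', '../x'] as $sid) {
    echo publicLink($sid), ' -> ', resolveSid($sid, $links) ?? 'refused', "\n";
}
```

The host and pid checks are the "security testing" the article says buy.php takes on: even if a stored link is wrong, the server refuses rather than forwarding the user to a link that pays someone else.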

QQ Connect 2.0 is in wide use across Internet sites. How does graph.qq.com, as the hub of user data, keep users safe while still guaranteeing access speed? The current QQ login flow is this: first the appid, appkey and callbackurl are combined into a link and the user is redirected to qq.com. This is why many sites can send users to the QQ login page simply by visiting qqlogin.php: these parameters are all fixed, and the security is still fairly good, because the login itself happens on qq.com, which is the single sign-on that PHPers often talk about. After a successful login the user is redirected straight to the callbackurl page, but what callbackurl receives at that point is still not enough to prove that the user logged in: all we have is a token value. So the second step is to use the token to query the user's openid on the QQ API interface, and only that completes the login. This way QQ takes the initiative, and the query result is not a bare success or failure but carries the corresponding parameters and prompt messages, so whatever is added later stays compatible. Tencent holding the initiative is very important for a company with hundreds of millions of users. Internally, security also means checking the correspondence between the domain name and the appid, token expiry, and IP restrictions. Technically, Tencent has all of this.
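A toy model of the provider side of that flow, added here and not taken from the article or from Tencent's code. It shows the three internal checks the text names: the callbackurl must belong to the domain registered for the appid, tokens expire, and the openid query is restricted by the calling server's IP. The app ids, domains, IP addresses, token lifetime, endpoint path and the ret/msg response shape are assumptions; the appkey is not modelled.

```php
<?php
// Added example (not from the original article or Tencent). Provider-side
// checks for a token-then-openid login. App ids, domains, IPs, TOKEN_TTL,
// the authorize path and the response fields are assumptions.

const TOKEN_TTL = 300; // seconds; assumed token lifetime

// Registered applications: appid => registered domain and allowed server IPs.
$apps = [
    '100001' => ['domain' => 'www.qq.com', 'ips' => ['10.0.0.5']],
];

// Step 1 (site): build the login link the user is redirected to.
function loginUrl(string $appid, string $callback): string
{
    return 'https://graph.qq.com/oauth/authorize?' . http_build_query([
        'appid' => $appid, 'callbackurl' => $callback,
    ]);
}

// Step 2 (provider): after the user logs in, issue a token bound to the app,
// but only if callbackurl sits on the domain registered for that appid.
function issueLoginToken(string $appid, string $callback, array $apps, array &$tokens, int $now): ?string
{
    $host = parse_url($callback, PHP_URL_HOST);
    if (!isset($apps[$appid]) || $host !== $apps[$appid]['domain']) {
        return null; // domain and appid do not correspond
    }
    $token = bin2hex(random_bytes(16));
    $tokens[$token] = [
        'appid'   => $appid,
        'openid'  => 'OPENID_' . substr($token, 0, 8), // stand-in for the user's id
        'expires' => $now + TOKEN_TTL,
    ];
    return $token;
}

// Step 3 (provider): the site's server exchanges the token for an openid.
// The response always carries ret and msg, so fields can be added later
// without breaking callers that only look at ret.
function queryOpenid(string $token, string $appid, string $callerIp, array $apps, array $tokens, int $now): array
{
    $rec = $tokens[$token] ?? null;
    if ($rec === null || $rec['appid'] !== $appid) {
        return ['ret' => 1, 'msg' => 'invalid token'];
    }
    if ($now > $rec['expires']) {
        return ['ret' => 2, 'msg' => 'token expired'];
    }
    if (!in_array($callerIp, $apps[$appid]['ips'], true)) {
        return ['ret' => 3, 'msg' => 'ip not allowed'];
    }
    return ['ret' => 0, 'msg' => 'ok', 'openid' => $rec['openid']];
}

// Demonstration with constructed values.
$tokens = [];
$now    = time();
echo loginUrl('100001', 'http://www.qq.com/qqlogin_callback.php'), "\n";

$t = issueLoginToken('100001', 'http://www.qq.com/qqlogin_callback.php', $apps, $tokens, $now);
var_dump(issueLoginToken('100001', 'http://evil.example/cb', $apps, $tokens, $now)); // callbackurl on a foreign domain
print_r(queryOpenid($t, '100001', '10.0.0.5', $apps, $tokens, $now));                  // from the site's own server
print_r(queryOpenid($t, '100001', '203.0.113.9', $apps, $tokens, $now));               // same token, unknown IP
print_r(queryOpenid($t, '100001', '10.0.0.5', $apps, $tokens, $now + TOKEN_TTL + 1));  // after expiry
```

The token that lands on the callbackurl proves nothing by itself; only the server-to-server query, which the provider can gate by appid, IP and time, turns it into a login.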

There are many more examples of this kind; PayPal and Alipay work in a similar way.
