Implementation of API interface security verification function
This time I will bring you the implementation of the api interface security verification function. What are the precautions for implementing the api interface security verification function. The following is a practical case, let’s take a look.
php api interface
In actual work, it is common to use PHP to write api interfaces. After writing the interface in PHP, the front desk You can obtain the data provided by the interface through the link, and the returned data is generally divided into two situations, xml and json. In this process, the server does not know the source of the request. It may be that someone else illegally calls our interface. , to obtain data, therefore security verification must be used.
Verification principle
Schematic diagram
Principle
It can be clearly seen from the picture that if the front desk wants to call the interface, it needs to use several parameters to generate a signature.
Time stamp: Current time
Random number: Randomly generated random number
Password: During front-end and back-end development, an identifier known to both parties , which is equivalent to the secret code
Algorithm rules: The agreed operation rules, the above three parameters can use the algorithm rules to generate a signature.
The frontend generates a signature. When accessing the interface is required, the timestamp, random number, and signature are passed to the backend through the URL. After getting the timestamp and random number in the background, it calculates the signature through the same algorithm rules, and then compares it with the passed signature. If it is the same, the data is returned.
Algorithm Rules
In front-end and back-end interactions, algorithm rules are very important. Both front-end and back-end must calculate signatures through algorithm rules. As for how to set the rules, it depends on how you like it.
My algorithm rules are
1 The timestamp, random number, and password are sorted in case order of the first letter
2 and then spliced into a string
3 Perform sha1 encryption
4 Then perform MD5 encryption
5 Convert to uppercase.
Front desk
I don’t have an actual front desk here. I directly use a PHP file instead of the front desk, and then simulate a GET request through CURL. I am using the TP framework and the URL format is pathinfo format.
Source code
<?php /** * Created by PhpStorm. * User: Administrator * Date: 2017/3/16 0016 * Time: 15:56 */ namespace Client\Controller; use Think\Controller; class ClientController extends Controller{ const TOKEN = 'API'; //模拟前台请求服务器api接口 public function getDataFromServer(){ //时间戳 $timeStamp = time(); //随机数 $randomStr = $this -> createNonceStr(); //生成签名 $signature = $this -> arithmetic($timeStamp,$randomStr); //url地址 $url = "http://www.apitest.com/Server/Server/respond/t/{$timeStamp}/r/{$randomStr}/s/{$signature}"; $result = $this -> httpGet($url); dump($result); } //curl模拟get请求。 private function httpGet($url){ $curl = curl_init(); //需要请求的是哪个地址 curl_setopt($curl,CURLOPT_URL,$url); //表示把请求的数据已文件流的方式输出到变量中 curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); $result = curl_exec($curl); curl_close($curl); return $result; } //随机生成字符串 private function createNonceStr($length = 8) { $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; $str = ""; for ($i = 0; $i <p style="text-align: left;"><span style="color: #ff0000"><strong>Server side</strong></span></p><p style="text-align: left;">Accept foreground data for verification</p><p style="text-align: left;"><strong>Source code</strong></p><pre class="brush:php;toolbar:false"><?php /** * Created by PhpStorm. * User: Administrator * Date: 2017/3/16 0016 * Time: 16:01 */ namespace Server\Controller; use Think\Controller; class ServerController extends Controller{ const TOKEN = 'API'; //响应前台的请求 public function respond(){ //验证身份 $timeStamp = $_GET['t']; $randomStr = $_GET['r']; $signature = $_GET['s']; $str = $this -> arithmetic($timeStamp,$randomStr); if($str != $signature){ echo "-1"; exit; } //模拟数据 $arr['name'] = 'api'; $arr['age'] = 15; $arr['address'] = 'zz'; $arr['ip'] = "192.168.0.1"; echo json_encode($arr); } /** * @param $timeStamp 时间戳 * @param $randomStr 随机字符串 * @return string 返回签名 */ public function arithmetic($timeStamp,$randomStr){ $arr['timeStamp'] = $timeStamp; $arr['randomStr'] = $randomStr; $arr['token'] = self::TOKEN; //按照首字母大小写顺序排序 sort($arr,SORT_STRING); //拼接成字符串 $str = implode($arr); //进行加密 $signature = sha1($str); $signature = md5($signature); //转换成大写 $signature = strtoupper($signature); return $signature; } }
Result
string(57) "{"name":"api","age":15,"address":"zz","ip":"192.168.0.1"}"
Summary
This method is just one of them. In fact, there are many methods that can be used for security verification.
I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the php Chinese website!
Recommended reading:
Detailed explanation of the use of PHP callback functions and anonymous functions
Access directory service permissions of phpstudy2018
The above is the detailed content of Implementation of API interface security verification function. For more information, please follow other related articles on the PHP Chinese website!

PHP is a server-side scripting language used for dynamic web development and server-side applications. 1.PHP is an interpreted language that does not require compilation and is suitable for rapid development. 2. PHP code is embedded in HTML, making it easy to develop web pages. 3. PHP processes server-side logic, generates HTML output, and supports user interaction and data processing. 4. PHP can interact with the database, process form submission, and execute server-side tasks.

PHP has shaped the network over the past few decades and will continue to play an important role in web development. 1) PHP originated in 1994 and has become the first choice for developers due to its ease of use and seamless integration with MySQL. 2) Its core functions include generating dynamic content and integrating with the database, allowing the website to be updated in real time and displayed in personalized manner. 3) The wide application and ecosystem of PHP have driven its long-term impact, but it also faces version updates and security challenges. 4) Performance improvements in recent years, such as the release of PHP7, enable it to compete with modern languages. 5) In the future, PHP needs to deal with new challenges such as containerization and microservices, but its flexibility and active community make it adaptable.

The core benefits of PHP include ease of learning, strong web development support, rich libraries and frameworks, high performance and scalability, cross-platform compatibility, and cost-effectiveness. 1) Easy to learn and use, suitable for beginners; 2) Good integration with web servers and supports multiple databases; 3) Have powerful frameworks such as Laravel; 4) High performance can be achieved through optimization; 5) Support multiple operating systems; 6) Open source to reduce development costs.

PHP is not dead. 1) The PHP community actively solves performance and security issues, and PHP7.x improves performance. 2) PHP is suitable for modern web development and is widely used in large websites. 3) PHP is easy to learn and the server performs well, but the type system is not as strict as static languages. 4) PHP is still important in the fields of content management and e-commerce, and the ecosystem continues to evolve. 5) Optimize performance through OPcache and APC, and use OOP and design patterns to improve code quality.

PHP and Python have their own advantages and disadvantages, and the choice depends on the project requirements. 1) PHP is suitable for web development, easy to learn, rich community resources, but the syntax is not modern enough, and performance and security need to be paid attention to. 2) Python is suitable for data science and machine learning, with concise syntax and easy to learn, but there are bottlenecks in execution speed and memory management.

PHP is used to build dynamic websites, and its core functions include: 1. Generate dynamic content and generate web pages in real time by connecting with the database; 2. Process user interaction and form submissions, verify inputs and respond to operations; 3. Manage sessions and user authentication to provide a personalized experience; 4. Optimize performance and follow best practices to improve website efficiency and security.

PHP uses MySQLi and PDO extensions to interact in database operations and server-side logic processing, and processes server-side logic through functions such as session management. 1) Use MySQLi or PDO to connect to the database and execute SQL queries. 2) Handle HTTP requests and user status through session management and other functions. 3) Use transactions to ensure the atomicity of database operations. 4) Prevent SQL injection, use exception handling and closing connections for debugging. 5) Optimize performance through indexing and cache, write highly readable code and perform error handling.

Using preprocessing statements and PDO in PHP can effectively prevent SQL injection attacks. 1) Use PDO to connect to the database and set the error mode. 2) Create preprocessing statements through the prepare method and pass data using placeholders and execute methods. 3) Process query results and ensure the security and performance of the code.


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft

SublimeText3 Linux new version
SublimeText3 Linux latest version

Atom editor mac version download
The most popular open source editor

SublimeText3 Chinese version
Chinese version, very easy to use