Detailed explanation of PHP server-side API and interface development

This time I will bring you a detailed explanation of PHP server-side API and interface development. What are the precautions for PHP server-side API and interface development? The following is a practical case, let's take a look.

I believe everyone has done PHP request API interface to obtain data, such as Taobao API, WeChat public platform, weather query, express query, etc. Some need to refer to the interface document to construct a sign (signature) according to the signature algorithm, or set token, and then send a POST request through curl with parameters to obtain the return data, usually in json or xml format.

But now the situation is reversed. We need to develop the PHP server-side API interface, that is, when others request us, we verify the legitimacy of the request and return the query data.

This situation is actually used in mobile app development. Mobile APP applications often need to request the PHP interface to obtain data, but this request generally does not need to be verified. Different URLs are requested according to different functions, usually Pass parameters in get mode to obtain data directly.

This article briefly talks about the server-side method of verifying the legitimacy of the request and the method of receiving parameters.

Simple get requestFor example: http://www.demo.com/api/get_cat?id=2, requesting this URL will return some data, No matter who uses what programming language the request can get the data.

Then this is obviously not possible when the legality needs to be verified. Therefore, a secret key is needed. At this time, POST is often used to request the url.

For example, there is a signature sign in the passed parameters, and the value is 98888. Of course, there are many ways to generate the sign and it cannot be so simple. I just write it casually here. Then the sign received by the server is 98888. If we agree on 98888 It is legal. At this time, you can verify that this is a legal request by judging whether the sign is 98888.

But this is too simple, it will be cracked all at once, and setting this sign will be meaningless. Therefore, there must be a rule for generating sign. When requesting, the sign parameter is generated according to this rule. When the server receives it, it also generates sign according to this rule. If the generated signs are consistent, it indicates that this is a legal request. Each request will be accompanied by a sign for verification.

There is another kind of verification called token. The token is verified when making the first request. There is no need to verify again within a certain period of time. This requires two steps. The first step is to request the interface for obtaining the token and get the token. The second step is to request the function of the specific interface, and you need to bring the token to pass the parameters. Since the server first stores the token when requesting the token for the first time and then returns it, subsequent requests can verify whether the passed token exists.

Many interface developments use both methods to ensure privacy and security.

Another point is that PHP's CURL module is often used to send POST requests. For example, the other party sends a POST request through curl, curl_setopt($ch, CURLOPT_POSTFIELDS, $post_string), where $post_string is a good way to pass a PHP array. Or is it in json format?

If the PHP array is passed, I will get the parameters directly via $_POST['xx']. If the json format is passed, I seem to have to use file_get_contents('php: //input', 'r') gets the passed json data, and then parses the json to get the parameters.

When should I use the second option?

This has been asked online before, let’s see how everyone answers:

For PHP, JSON and arrays Sometimes the difference is really just a line of code. If I write it, I may just use the first one.

I think if you want your code to be more concise, you can use the second one. I remember that Weixin's php sdk seems to be similar to the second one (of course it is in xml format)

And if the other party If you use Object-oriented directly serialized json, using json will make his code more concise.

The first method, is to transmit the form form POST protocol, PHP will convert the PHP array into the HTTP form format, which is universal across languages, but this This is not a mainstream API protocol, but more like a simulated submission form.

Most API protocols will use JSON POST. The second method is to put JSON data in the HTTP Body. Also cross-language, but more user-friendly as an API. The first method is to directly PHP curl. If the data content is not processed well and content like @/xxx/xxx is passed in the array value, curl will transfer the local file on the server. Please pay attention to precautions.

x-www-form-urlencoded is an RFC standard, there is nothing incompatible, it is not only cross-language, but also across time and space. JSON was developed in recent years. It is not a standard, it is just for convenience.

I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the php Chinese website!

Recommended reading:

Detailed explanation of the use of PHP callback functions and anonymous functions

phpstudy2018 access directory service permissions

ThinkPHP implements WeChat payment (jsapi payment) process tutorial detailed explanation_php example

The above is the detailed content of Detailed explanation of PHP server-side API and interface development. For more information, please follow other related articles on the PHP Chinese website!