PHP server side uses API principle analysis

This time I will bring you an analysis of the principles of using API on the PHP server side. What are the precautions for using API on the PHP server side? The following is a practical case, let's take a look.

I believe everyone has done PHP request API interface to obtain data, such as Taobao API, WeChat public platform, weather query, express query, etc. Some of them need to refer to the interface document to construct a sign according to the signature algorithm, or set the token, and then send it through curl

POST request Bring parameters to get the return data, usually in json or xml format.

But now the situation is reversed. We need to develop the PHP server-side API interface, that is, when others request us, we verify the legitimacy of the request and return the query data.

This situation is actually used in mobile app development. Mobile APP applications often need to request the PHP interface to obtain data. However, this request generally does not need to be verified. Different URLs are requested according to different functions. Usually, parameters are passed in the get method to obtain directly. data.

This article briefly talks about the method of server-side verification of request legitimacy and the method of receiving parameters.

Simple get requestFor example: http://www.demo.com/api/get_cat?id=2, requesting this URL will return some data, no matter who uses whatProgramming languageEvery request can get data.

So this is obviously not possible when the legality needs to be verified. Therefore, a secret key is needed. At this time, POST is often used to request the url.

For example, there is a signature sign in the passed parameters, and the value is 98888. Of course, there are many ways to generate the sign and it cannot be so simple. I just write it casually here. Then the server receives the sign as 98888. If we agree that 98888 is legal, at this time You can verify that this is a legitimate request by judging whether the sign is 98888.

But this is too simple, it will be cracked all of a sudden, and setting this sign will be meaningless. Therefore, there must be a rule for generating sign. When requesting, the sign parameter is generated according to this rule. When the server receives it, it also generates sign according to this rule. If the generated signs are consistent, it indicates that this is a legal request. Each request will be accompanied by a sign for verification.

There is another kind of verification called token. The token is verified when making the first request. There is no need to verify again within a certain period of time. This requires two steps. The first step is to request the interface for obtaining the token and get the token. The second step is to request the function of the specific interface, and you need to bring the token to pass the parameters. Since the server first stores the token when requesting the token for the first time and then returns it, subsequent requests can verify whether the passed token exists.

Many interface developers use both methods to ensure privacy and security.

Another point is that PHP's CURL module is often used to send POST requests. For example, the other party sends a POST request through curl, curl_setopt($ch, CURLOPT_POSTFIELDS, $post_string), here is $post_string better to pass in PHP array, or in json format?

If the PHP array is passed, I get the parameters directly with $_POST['xx']. If it is passed in json format, I seem to use

file_get_contents('php://input', ' r') Get the passed json data, and then parse the json to get the parameters.

Under what circumstances should the second option be used?

This question was asked online before, let’s see how everyone responded:

For PHP, the difference between JSON and array is sometimes just a line of code. If I write, I may just use the first one.

I think if you want your code to be more concise, you can use the second one. I remember Weixin’s PHP sdk seems to be similar to the second one (of course it is in XML format)

Also, if the other party uses

Object-oriented to directly serialize json, using json will make his code more concise.

The first method, is to transmit the form form POST protocol. PHP will convert the PHP array into the HTTP form format, which is universal across languages, but this is not a mainstream API. protocol, but more like simulating a form submission.

Most API protocols will use JSON POST. The second method is to put JSON data in the HTTP Body. Also cross-language, but more user-friendly as an API. The first method is to use PHP curl directly. If the data content is not processed well and content like @/xxx/xxx is passed in the array value, curl will transfer the local file on the server. Please pay attention to precautions.

x-www-form-urlencoded is an RFC standard, there is nothing incompatible, it is not only cross-language, but also across time and space. JSON was developed in recent years. It is not a standard, it is just for convenience.

I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the php Chinese website!

Recommended reading:

Anaconda’s Beginner’s Guide

Python’s Environment Configuration Analysis

The above is the detailed content of PHP server side uses API principle analysis. For more information, please follow other related articles on the PHP Chinese website!