Let's talk about TP's security verification issues in the app interface development process-ThinkPHP-php.cn

Home

PHP Framework

ThinkPHP

Let's talk about TP's security verification issues in the app interface development process

藏色散人

Dec 28, 2021 pm 04:00 PM

thinkphp

The following thinkphp framework tutorial column will introduce to you the communication security authentication issues of Thinkphp in the app interface development process. I hope it will be helpful to friends in need!

For the interface we have written, if it can be accessed directly without security authentication, it will cause great security risks to our website. Some hackers may directly use your interface to operate the database, and the consequences will be irreversible. Estimate.

So how can we carry out effective security verification?

The access_token mechanism in WeChat development is used here, allowing the app front-end development engineer to obtain the token by submitting the appid and appsecert. The server caches the token for 7200 seconds. If the client directly requests the token every time Then the token will be reset every time;

Therefore, it is recommended that the client also caches. The client can determine whether the local token exists. If it exists, directly use the token as a parameter to access our api, and the server determines The validity of the token will be determined and the corresponding return will be given. If the token cached by the client is invalid, it will directly request the token again. The idea is roughly like this. The complete reference code is provided below. If there is a better method, you can also leave a message

<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller {
    public $appid = &#39;dmm888&#39;;    
    public $appsecret = &#39;http://cnblogs.com/dmm888&#39;;
    
    public function index(){
        $this->show(&#39;<style type="text/css">*{ padding: 0; margin: 0; } div{ padding: 4px 48px;} body{ background: #fff; font-family: "微软雅黑"; color: #333;font-size:24px} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.8em; font-size: 36px }</style><div style="padding: 24px 48px;"> <h1 id="">:)</h1><p>欢迎使用 <b>ThinkPHP</b>！</p><br/>[ 您现在访问的是Home模块的Index控制器 ]</div><script type="text/javascript" src="http://tajs.qq.com/stats?sId=9347272" charset="UTF-8"></script>&#39;,&#39;utf-8&#39;);
    }
    public function  test(){
        if(!isset($_GET[&#39;token&#39;])){
            $this->apiReturn(4001,&#39;invalid token&#39;);
        }else if(!S($_GET[&#39;token&#39;])){            
            $this->apiReturn(4001,&#39;invalid token&#39;);
            
        }
 
        $data = array(
            &#39;id&#39;=>2,
            &#39;username&#39;=>&#39;明之暗夜&#39;,
            &#39;info&#39;=>array(&#39;age&#39;=>24,&#39;address&#39;=>&#39;学府路&#39;,&#39;url&#39;=>&#39;http://cnblogs.com/dmm888&#39;)
        );
        if($data){
            $this->apiReturn(200,&#39;读取用户信息成功&#39;,$data,xml);
        }
    }
    public function getToken(){
        $ori_str = S($this->appid.&#39;_&#39;.$this->appsecret);   //这里appid和appsecret我写固定了，实际是通过客户端获取  所以这里我们可以做很多 比如判断appid和appsecret有效性等
        if($ori_str){       //重新获取就把以前的token删除
            S($ori_str,null);
        }
        //这里是token产生的机制  您也可以自己定义
        $nonce = $this->createNoncestr(32);
        $tmpArr = array($nonce,$this->appid,$this->appsecret);
        sort($tmpArr, SORT_STRING);
        $tmpStr = implode( $tmpArr );
        $tmpStr = sha1( $tmpStr );
        // echo $tmpStr;
        //这里做了缓存 &#39;a&#39;=>b 和&#39;b&#39;=>a格式的缓存
        S($this->appid.&#39;_&#39;.$this->appsecret,$tmpStr,7200);  
        S($tmpStr,$this->appid.&#39;_&#39;.$this->appsecret,7200);
    }
     /**
     *  作用：产生随机字符串，不长于32位
     */
     function createNoncestr( $length = 32 ) 
    {
        $chars = "abcdefghijklmnopqrstuvwxyz0123456789";  
        $str ="";
        for ( $i = 0; $i < $length; $i++ )  {  
            $str.= substr($chars, mt_rand(0, strlen($chars)-1), 1);  
        }  
        return $str;
    }     
}

I don’t need to write the specific verification method. In this way, we only need to give the appid and appsecret to the app front-end developer and tell him how to use it. The token is the only token. Only when the token is valid can it be executed downwards. Thus security can be guaranteed to a certain extent.

Recommended learning: "The latest 10 thinkphp video tutorials"

The above is the detailed content of Let's talk about TP's security verification issues in the app interface development process. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:juejin. If there is any infringement, please contact admin@php.cn delete

thinkphp是不是国产框架Sep 26, 2022 pm 05:11 PM

thinkphp是国产框架。ThinkPHP是一个快速、兼容而且简单的轻量级国产PHP开发框架，是为了简化企业级应用开发和敏捷WEB应用开发而诞生的。ThinkPHP从诞生以来一直秉承简洁实用的设计原则，在保持出色的性能和至简的代码的同时，也注重易用性。

一起聊聊thinkphp6使用think-queue实现普通队列和延迟队列Apr 20, 2022 pm 01:07 PM

本篇文章给大家带来了关于thinkphp的相关知识，其中主要介绍了关于使用think-queue来实现普通队列和延迟队列的相关内容，think-queue是thinkphp官方提供的一个消息队列服务，下面一起来看一下，希望对大家有帮助。

thinkphp的mvc分别指什么Jun 21, 2022 am 11:11 AM

thinkphp基于的mvc分别是指：1、m是model的缩写，表示模型，用于数据处理；2、v是view的缩写，表示视图，由View类和模板文件组成；3、c是controller的缩写，表示控制器，用于逻辑处理。mvc设计模式是一种编程思想，是一种将应用程序的逻辑层和表现层进行分离的方法。

实例详解thinkphp6使用jwt认证Jun 24, 2022 pm 12:57 PM

本篇文章给大家带来了关于thinkphp的相关知识，其中主要介绍了使用jwt认证的问题，下面一起来看一下，希望对大家有帮助。

thinkphp扩展插件有哪些Jun 13, 2022 pm 05:45 PM

thinkphp扩展有：1、think-migration，是一种数据库迁移工具；2、think-orm，是一种ORM类库扩展；3、think-oracle，是一种Oracle驱动扩展；4、think-mongo，一种MongoDb扩展；5、think-soar，一种SQL语句优化扩展；6、porter，一种数据库管理工具；7、tp-jwt-auth，一个jwt身份验证扩展包。