php - Conjecture about the possibility of the interface sign being cracked

Question

<?php

//保密token串
$token = '249238jdush24hgdddf/sds_assd_&ssa23_sd';
//业务参数对开公开
$str = 'name=zhangsan&id=23';
//保密的签名算法
$sign = md5($str.$token);

想请教下大家,我的接口签名是这样封装的，那么sign被破解的可能性大吗？
有其他更高明的接口安全验证方案吗？

Answer 1

As long as your token is not leaked, there will be no problem with this method.
A more confidential solution is to add timestamp. For example, all requests longer than 600 seconds will be invalid.

Answer 2

Add app_id and app_secret, app_secret is confidential

Answer 3

If the requester's IP is relatively fixed, you can add an IP whitelist to verify the IP.