In actual work, it is common to use PHP to write api interfaces. After PHP writes the interface, the front desk can obtain the data provided by the interface through the link, and the returned data is generally divided into For the two cases, xml and json, during this process, the server does not know the source of the request. It may be that someone else illegally calls our interface to obtain data, so security verification must be used.
Verification Principle
Schematic diagram
Principle
It can be seen clearly from the picture that the front desk wants to call interface, several parameters need to be used to generate a signature.
Time stamp: current time
Random number: randomly generated random number
Password : During front-end and back-end development, a logo known to both parties is equivalent to a secret code
Algorithm rules: The agreed-upon operation rules, the above three parameters can use the algorithm rules to generate a signature.
The frontend generates a signature. When accessing the interface is required, the timestamp, random number, and signature are passed to the backend through the URL. After getting the timestamp and random number in the background, it calculates the signature through the same algorithm rules, and then compares it with the passed signature. If it is the same, the data is returned.
Algorithm rules
In front-end and back-end interactions, algorithm rules are very important. The front-end and back-end must calculate signatures through algorithm rules. As for how to formulate the rules, it depends on how you like it.
My algorithm rules are
Time stamp, random number, password are sorted in case order of the first letter
Then Spliced into a string
perform sha1 encryption
and then perform MD5 encryption
Convert to uppercase .
Front desk
I don’t have an actual front desk here. I directly use a PHP file instead of the front desk, and then simulate a GET request through CURL. I am using the TP framework and the URL format is pathinfo format.
Source code
<?php /**
* Created by PhpStorm.
* User: Administrator
* Date: 2017/3/16 0016
* Time: 15:56
*/
namespace Client\Controller;
use Think\Controller;
class ClientController extends Controller{
const TOKEN = 'API';
//模拟前台请求服务器api接口
public function getDataFromServer(){
//时间戳
$timeStamp = time();
//随机数
$randomStr = $this -> createNonceStr();
//生成签名
$signature = $this -> arithmetic($timeStamp,$randomStr);
//url地址
$url = "http://www.apitest.com/Server/Server/respond/t/{$timeStamp}/r/{$randomStr}/s/{$signature}";
$result = $this -> httpGet($url);
dump($result);
}
//curl模拟get请求。
private function httpGet($url){
$curl = curl_init();
//需要请求的是哪个地址
curl_setopt($curl,CURLOPT_URL,$url);
//表示把请求的数据已文件流的方式输出到变量中
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
$result = curl_exec($curl);
curl_close($curl);
return $result;
}
//随机生成字符串
private function createNonceStr($length = 8) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$str = "";
for ($i = 0; $i <h2 style="padding:0px;font-family:'-apple-system', 'SF UI Text', Arial, 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'WenQuanYi Micro Hei', sans-serif, SimHei, SimSun;background-color:rgb(255,255,255);">Server side</h2><p style="font-family:'-apple-system', 'SF UI Text', Arial, 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'WenQuanYi Micro Hei', sans-serif, SimHei, SimSun;background-color:rgb(255,255,255);">Accept foreground data for verification</p><h3 style="padding:0px;font-family:'-apple-system', 'SF UI Text', Arial, 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'WenQuanYi Micro Hei', sans-serif, SimHei, SimSun;background-color:rgb(255,255,255);">Source code</h3><pre style="white-space:pre-wrap;padding:10px;font-size:14px;line-height:22px;background-color:rgba(128,128,128,.05);border:1px solid rgba(128,128,128,.075);" class="brush:php;toolbar:false;"><?php /**
* Created by PhpStorm.
* User: Administrator
* Date: 2017/3/16 0016
* Time: 16:01
*/
namespace Server\Controller;
use Think\Controller;
class ServerController extends Controller{
const TOKEN = 'API';
//响应前台的请求
public function respond(){
//验证身份
$timeStamp = $_GET['t'];
$randomStr = $_GET['r'];
$signature = $_GET['s'];
$str = $this -> arithmetic($timeStamp,$randomStr);
if($str != $signature){
echo "-1";
exit;
}
//模拟数据
$arr['name'] = 'api';
$arr['age'] = 15;
$arr['address'] = 'zz';
$arr['ip'] = "192.168.0.1";
echo json_encode($arr);
}
/**
* @param $timeStamp 时间戳
* @param $randomStr 随机字符串
* @return string 返回签名
*/
public function arithmetic($timeStamp,$randomStr){
$arr['timeStamp'] = $timeStamp;
$arr['randomStr'] = $randomStr;
$arr['token'] = self::TOKEN;
//按照首字母大小写顺序排序
sort($arr,SORT_STRING);
//拼接成字符串
$str = implode($arr);
//进行加密
$signature = sha1($str);
$signature = md5($signature);
//转换成大写
$signature = strtoupper($signature);
return $signature;
}
}Copy after login
Result
string(57) "{"name":"api","age":15,"address":"zz","ip":"192.168.0.1"}"Copy after login
Summary
This method is just one of them. In fact, there are many methods that can be used for security verification.
Related recommendations:
PHP about API interface instance sharing
PHP development API interface code sharing
How to use PHP to call the API interface to implement the weather query function
The above is the detailed content of How to develop api interface security verification example with PHP. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
