This article is about PHP interface security: four solutions for securing (encrypting) a PHP interface, with some reference value for anyone who needs them.
As an Internet coder, whether you work on the front end or the back end, you must have a certain understanding of HTTP requests: know the characteristics of HTTP, clearly understand what Request and Response are, know why cookies and sessions exist, and understand the meaning and necessity of verification codes on websites. Discussing the security of APP interfaces is really discussing the security of HTTP requests.
On the PC side we generally use an encrypted cookie to identify the member and maintain the session; but cookies are a local storage feature of the browser, which the APP side cannot use, so we have to identify the member through a token parameter. How should this token be handled?
First of all, here are the four solutions I went through before settling on how to encrypt the interface:
Option 1
Agree with the APP developers on a specific md5 combination algorithm (which parameters are concatenated, in what order, and with what secret), compute it on both ends and compare the results. If they are the same, allow the request; if not, deny it.
However, this is also unsafe. If the APP program is decompiled, the agreed algorithm is exposed, especially in an Android APP; with the algorithm in hand, anyone can simulate an interface request and pass the verification.
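The following is an added example of how the server side of Option 1 can be written; it is not code from the article. It assumes the client signs the request parameters in ascending key order with a shared secret appended, sends the md5 digest as sign, and also sends a ts timestamp so that a captured URL cannot be replayed indefinitely. The secret, parameter names and the request are constructed values.

```php
<?php
declare(strict_types=1);

// Constructed value for the example; in a real app this comes from server-side configuration.
// It is the "agreed algorithm" secret of Option 1: whoever recovers it from a decompiled APK
// can produce valid signatures, which is exactly the weakness the article describes.
const SHARED_SECRET = 'example-shared-secret-change-me';

/** Build the signature exactly as the client is expected to: sorted keys, secret appended. */
function computeSign(array $params, string $secret): string
{
    unset($params['sign']);          // the signature never covers itself
    ksort($params);                  // deterministic ordering on both ends
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = $k . '=' . (string) $v;
    }
    // md5 as in the article; hash_hmac('sha256', ...) would be the stronger choice today.
    return md5(implode('&', $pairs) . $secret);
}

/** Accept a request only if the signature matches and the timestamp is recent. */
function verifySignedRequest(array $params, string $secret, int $now, int $maxSkew = 300): bool
{
    if (!isset($params['sign'], $params['ts']) || !ctype_digit((string) $params['ts'])) {
        return false;
    }
    if (abs($now - (int) $params['ts']) > $maxSkew) {
        return false;                // stale request: limits replay of a captured URL
    }
    $expected = computeSign($params, $secret);
    return hash_equals($expected, (string) $params['sign']); // constant-time comparison
}

// Constructed request, as the mobile client would send it.
$now     = 1700000000;
$request = ['user_id' => 333, 'action' => 'profile', 'ts' => $now];
$request['sign'] = computeSign($request, SHARED_SECRET);

var_dump(verifySignedRequest($request, SHARED_SECRET, $now));       // untouched request
$request['action'] = 'delete';                                      // modified after signing
var_dump(verifySignedRequest($request, SHARED_SECRET, $now));       // signature no longer matches
var_dump(verifySignedRequest($request, SHARED_SECRET, $now + 3600)); // timestamp too old
```

The untouched request passes; the modified one and the stale one are rejected. hash_equals is used instead of == so that the comparison does not leak timing information, and the timestamp window is the one mitigation this option offers against replaying a captured request; it does nothing against someone who already holds the secret.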
Option 2
The password in the database member table is stored as a randomly salted, double-encrypted md5 value. When the user logs in, I return the member's uid and this password value. Although it is sent in plain text, others cannot log in even if they know it; after all, it is encrypted. Every interface request then carries user_id=333&token=aa37e10c7137ac849eab8a2d5020568f, and through the primary key uid the server can quickly find the token corresponding to the current uid and compare it.
But this idea is too naive: although the person who captures the packet cannot recover the password, once the token is known they can keep using it to operate the member's interfaces until the user changes the password.
Option 3
Use a symmetric encryption algorithm that encrypts the uid together with the website's public key in a time-sensitive way, so that the result is only valid within a certain time limit. When the member logs in successfully, the server encrypts the ID and returns it to the client; the client sends this parameter with every interface request, and the server authenticates by decrypting it.
But doing so is also unsafe, because protecting ourselves from the outside does not protect us from the inside. I heard that the recent Ctrip outage was due to malicious operations by an internal employee who had resigned. If malicious insiders know the corresponding algorithm rules, they can still operate on members through the interface even without database permissions.
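An added example of the time-limited token of Option 3, not the article's own code. It encrypts the uid, the site key and an expiry time with AES-256-GCM through OpenSSL; the key derivation, the token layout and the site key are assumptions made for this example. Because the token is authenticated as well as encrypted, a modified token is rejected, and an expired one stops working without any server-side state.

```php
<?php
declare(strict_types=1);

const SITE_KEY = 'example-site-key';   // the article's "website public key"; constructed value
// 32 raw bytes for AES-256. Constructed here; in production derive from a random secret kept in config.
define('TOKEN_KEY', hash('sha256', 'example-secret-change-me', true));

function base64UrlEncode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function base64UrlDecode(string $text): ?string
{
    $b64 = strtr($text, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding for strict decoding
    $raw = base64_decode($b64, true);
    return $raw === false ? null : $raw;
}

/** Issued once at login; valid for $ttl seconds, then useless without a fresh login. */
function issueEncryptedToken(int $uid, int $now, int $ttl, string $key): string
{
    $payload = json_encode(['uid' => $uid, 'site' => SITE_KEY, 'exp' => $now + $ttl]);
    $iv  = random_bytes(12);           // fresh nonce per token; never reused with the same key
    $tag = '';
    $cipher = openssl_encrypt($payload, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    // Layout: iv (12 bytes) || tag (16 bytes) || ciphertext. The GCM tag makes any modification detectable.
    return base64UrlEncode($iv . $tag . $cipher);
}

/** Returns the uid, or null for a forged, modified or expired token. */
function verifyEncryptedToken(string $token, int $now, string $key): ?int
{
    $raw = base64UrlDecode($token);
    if ($raw === null || strlen($raw) <= 28) {
        return null;
    }
    $iv     = substr($raw, 0, 12);
    $tag    = substr($raw, 12, 16);
    $cipher = substr($raw, 28);
    $plain = openssl_decrypt($cipher, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;                   // wrong key or tampered token
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || ($data['site'] ?? null) !== SITE_KEY) {
        return null;
    }
    if (!isset($data['uid'], $data['exp']) || (int) $data['exp'] < $now) {
        return null;                   // expired: a captured token dies on its own
    }
    return (int) $data['uid'];
}

// Constructed walk-through
$now   = 1700000000;
$token = issueEncryptedToken(333, $now, 3600, TOKEN_KEY);
var_dump(verifyEncryptedToken($token, $now + 600, TOKEN_KEY));                         // inside the window
var_dump(verifyEncryptedToken($token, $now + 7200, TOKEN_KEY));                        // past expiry
var_dump(verifyEncryptedToken(substr($token, 0, -4) . 'AAAA', $now + 600, TOKEN_KEY)); // modified token
```

Only the first call yields the uid; the expired and the modified tokens both come back null. The scheme is stateless, which is its convenience, and it is also the insider problem the article raises: anyone holding TOKEN_KEY can mint a valid token for any uid without touching the database, and nothing on the server records which tokens exist, so none can be revoked early.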
Option 4
When the member logs in, call the login interface, and the server returns a token to the client. The token is generated from the website's public key, the current uid, the current timestamp and a random number, double-encrypted. Depending on requirements, decide whether to put the token in the cache, where it expires automatically after a period of time, or, better, in the database (if you put it in the database, create a separate table recording the user's login and logout times). Replace the token when the user logs out, so that a token is only usable between a manual login and logout.
To ensure security, users should also be logged out automatically after a period of time. Combined with Linux and database permission management, this solution protects against both external and internal threats.
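An added example of Option 4, not the article's code, that also follows the JSON response rule given further below (explicit status, never a NULL payload). It keeps server-issued tokens in a dedicated sessions table with login and logout times, expires them after a period of inactivity, and revokes them on logout. SQLite in memory is used so it runs stand-alone; the table layout, the TTL, the site key and the token derivation (uid, site key, timestamp and random bytes, hashed) are assumptions. Only a hash of each token is stored, so someone who can read the table still cannot use its rows as tokens.

```php
<?php
declare(strict_types=1);

const SITE_KEY  = 'example-site-key';  // constructed; in production a long random secret from config
const TOKEN_TTL = 1800;                // seconds of inactivity before a token expires

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // token_hash holds sha256(token): reading this table yields no usable token.
    $db->exec('CREATE TABLE user_sessions (
        token_hash TEXT PRIMARY KEY,
        uid        INTEGER NOT NULL,
        login_at   INTEGER NOT NULL,
        expires_at INTEGER NOT NULL,
        logout_at  INTEGER NULL)');
    return $db;
}

/** Called by the login interface after the password check succeeded; returns the token for the client. */
function issueSessionToken(PDO $db, int $uid, int $now): string
{
    // The article's rule: uid + site key + current timestamp + random number, then hashed.
    $token = hash('sha256', $uid . '|' . SITE_KEY . '|' . $now . '|' . bin2hex(random_bytes(16)));
    $stmt = $db->prepare('INSERT INTO user_sessions (token_hash, uid, login_at, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $uid, $now, $now + TOKEN_TTL]);
    return $token;
}

/** Resolve a token to a uid, or null if unknown, expired or logged out; extends the expiry on success. */
function authenticateToken(PDO $db, string $token, int $now): ?int
{
    $stmt = $db->prepare('SELECT uid, expires_at, logout_at FROM user_sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['logout_at'] !== null || (int) $row['expires_at'] < $now) {
        return null;
    }
    $db->prepare('UPDATE user_sessions SET expires_at = ? WHERE token_hash = ?')
       ->execute([$now + TOKEN_TTL, hash('sha256', $token)]);
    return (int) $row['uid'];
}

/** Logout interface: mark the token dead so it cannot be reused even if it was captured. */
function logoutToken(PDO $db, string $token, int $now): void
{
    $db->prepare('UPDATE user_sessions SET logout_at = ? WHERE token_hash = ?')
       ->execute([$now, hash('sha256', $token)]);
}

/** Every response carries an explicit code and message, and data is always an array, never NULL. */
function jsonResponse(int $code, string $msg, array $data = []): string
{
    return json_encode(['code' => $code, 'msg' => $msg, 'data' => $data], JSON_UNESCAPED_UNICODE);
}

// Constructed walk-through
$db    = openStore();
$now   = 1700000000;
$token = issueSessionToken($db, 333, $now);
echo jsonResponse(0, 'login ok', ['user_id' => 333, 'token' => $token]), PHP_EOL;

$uid = authenticateToken($db, $token, $now + 60);    // inside the TTL
echo jsonResponse($uid === null ? 401 : 0, $uid === null ? 'invalid token' : 'ok',
                  $uid === null ? [] : ['uid' => $uid]), PHP_EOL;

logoutToken($db, $token, $now + 120);
$uid = authenticateToken($db, $token, $now + 130);   // after logout: rejected although not yet expired
echo jsonResponse($uid === null ? 401 : 0, $uid === null ? 'invalid token' : 'ok', []), PHP_EOL;
```

The login_at and logout_at columns give you the audit record the article suggests, the sliding expires_at implements the automatic logout, and because tokens are random rather than derived from the password alone, a captured token becomes useless at the next logout or timeout rather than at the next password change. Restricting who can write this table (the Linux and database permissions the article mentions) is what turns it into a defence against insiders as well.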
The data format is best JSON, because JSON has the best cross-platform support. When generating JSON, pay attention to its two structures: object (dictionary) and array. Mobile development languages have nothing like PHP's foreach that can traverse an object; they can only traverse arrays, and their operations on objects generally go through the key name to get the key value.
Whether the call succeeds or fails, the interface must provide clear data status information and must never return NULL. If NULL is returned, the iOS side crashes.