API权限设计总结 系统sign验证规则
程序员文章站
2022-05-23 09:59:41
...
API权限设计总结 系统sign验证规则
http://my.oschina.net/anziguoer/blog/624840
1. [文件] receive.php
<?php
// 获取post的数组
$key = "c4ca4238a0b923820dcc509a6f75849b";
// $secret 是存储在数据库中, 可以根据传递过来的key在数据中的查询到secretZ12QAZ12
$secret = "28c8edde3d61a0411511d3b1866f0636";
$data = $_POST;
verifySign($secret, $data);
/**
* 验证sign是否合法
* @param [type] $secret [description]
* @param [type] $data [description]
* @return [type] [description]
*/
function verifySign($secret, $data)
{
// 验证参数中是否有签名
if (!isset($data['sign']) || !$data['sign']) {
echo '发送的数据签名不存在';
die();
}
if (!isset($data['timestamp']) || !$data['timestamp']) {
echo '发送的数据参数不合法';
die();
}
// 验证请求, 10分钟失效
if (time() - $data['timestamp'] > 600) {
echo '验证失效, 请重新发送请求';
die();
}
$sign = $data['sign'];
unset($data['sign']);
ksort($data);
$params = http_build_query($data);
$sign2 = md5($params.$secret);
if ($sign == $sign2) {
die('验证通过');
}else{
die('请求不合法');
}
}
?>
2. [文件] request.php
<?php
$key = "c4ca4238a0b923820dcc509a6f75849b";
$secret = "28c8edde3d61a0411511d3b1866f0636";
$data = array(
'username' => 'anziguoer@sina.com',
'sex' => '男',
'age' => '12',
'addr' => '北京市海淀区'
);
// 传递的参数中必须有 key, sign, timestamp
$postData = array(
"key" => $key,
"timestamp" => time()
);
$psotData = array_merge($postData, $data);
$sign = getSign($secret, $psotData);
$postData['sign'] = $sign;
// 获取sign
function getSign($secret, $data)
{
// 对数组的值按key排序
ksort($data);
// 生成url的形式
$params = http_build_query($data);
// 生成sign
$sign = md5($params.$secret);
return $sign;
}
$postData = array_merge($postData, $data);
request($postData);
/**
* 发送服务器的数据
* @param [type] $postData [description]
* @return [type] [description]
*/
function request($postData)
{
$curl = curl_init('http://host/receive.php');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, TRUE);
curl_setopt($curl, CURLOPT_POSTFIELDS, $postData);
$info = curl_exec($curl);
curl_close($curl);
print_r($info);
} 下一篇: php curl 的几个实例