API权限设计总结 系统sign验证规则
程序员文章站
2022-05-28 17:18:05
...
API权限设计总结 系统sign验证规则
http://my.oschina.net/anziguoer/blog/624840
1. [文件] receive.php
<?php // 获取post的数组 $key = "c4ca4238a0b923820dcc509a6f75849b"; // $secret 是存储在数据库中, 可以根据传递过来的key在数据中的查询到secretZ12QAZ12 $secret = "28c8edde3d61a0411511d3b1866f0636"; $data = $_POST; verifySign($secret, $data); /** * 验证sign是否合法 * @param [type] $secret [description] * @param [type] $data [description] * @return [type] [description] */ function verifySign($secret, $data) { // 验证参数中是否有签名 if (!isset($data['sign']) || !$data['sign']) { echo '发送的数据签名不存在'; die(); } if (!isset($data['timestamp']) || !$data['timestamp']) { echo '发送的数据参数不合法'; die(); } // 验证请求, 10分钟失效 if (time() - $data['timestamp'] > 600) { echo '验证失效, 请重新发送请求'; die(); } $sign = $data['sign']; unset($data['sign']); ksort($data); $params = http_build_query($data); $sign2 = md5($params.$secret); if ($sign == $sign2) { die('验证通过'); }else{ die('请求不合法'); } } ?>
2. [文件] request.php
<?php $key = "c4ca4238a0b923820dcc509a6f75849b"; $secret = "28c8edde3d61a0411511d3b1866f0636"; $data = array( 'username' => 'anziguoer@sina.com', 'sex' => '男', 'age' => '12', 'addr' => '北京市海淀区' ); // 传递的参数中必须有 key, sign, timestamp $postData = array( "key" => $key, "timestamp" => time() ); $psotData = array_merge($postData, $data); $sign = getSign($secret, $psotData); $postData['sign'] = $sign; // 获取sign function getSign($secret, $data) { // 对数组的值按key排序 ksort($data); // 生成url的形式 $params = http_build_query($data); // 生成sign $sign = md5($params.$secret); return $sign; } $postData = array_merge($postData, $data); request($postData); /** * 发送服务器的数据 * @param [type] $postData [description] * @return [type] [description] */ function request($postData) { $curl = curl_init('http://host/receive.php'); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, TRUE); curl_setopt($curl, CURLOPT_POSTFIELDS, $postData); $info = curl_exec($curl); curl_close($curl); print_r($info); }