建设有PHP / MySQL的安全的公共API [英] Building Secure Public API with PHP/MYSQL

问题描述

我目前正在建设一个API，用于一个非常繁忙的互联网网站。它被写入PHP与MySQL。现在，这是我第一次的API，我正在写，使人们能够远程访问他们的帐户。一旦API在线，开发人员将能够从它写自己的工具。

I'm currently building an API for a very busy internet website. Its being written in PHP with MySQL. Now this is my first API that i'm writing that allows people to access their account remotely. Once the API is online, developers will be able to write their own tools from it.

现在我有API的，但我不知道它完全是安全的。

Now I have the API working, but I'm not sure if its entirely safe.

一个例子网址，将工作是：<一href=\"http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD\">http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD

An example URL that would work is: http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD

USERNAME：将用户的实际用户名

USERNAME: would be the users actual username

密码：会是MD5恩的实际密码codeD字符串

PASSWORD: would be the MD5 encoded string of their actual password.

如果细节匹配，则返回一个结果，如果没有，和错误

If the details match, a result is returned, if not, and error.

所有的外部$ _GET投入获得mysql_real_escape_string（）的治疗。

All external $_GET inputs get the mysql_real_escape_string() treatment.

我希望让事情变得简单，但我不知道这种方式是具有可以直接连接用户的公开API的安全的方式核算数据。

I wanted to keep things simple, but i'm not sure if this way is a SAFE way of having a public API that taps directly into users accounts data.

的意见和建议是多AP preciated。

Ideas and suggestions are much appreciated.

推荐答案

如何使用HMAC_SHA1和用户的密码签名请求？例如，您的网址： <$c$c>http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD

How about signing requests using HMAC_SHA1 and the user's password? For example, your URL: http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD

添加时间戳和/或一个随机字符串（随机数），并建立一个标准化的base_string：

Add the timestamp and/or a random string (nonce) and build a normalized base_string:

$base_string = "api_option=list&api_user_name=USERNAME&timestamp=1296875073&nonce=hgg65JHFj";
$signature = hmac_sha1($base_string, PASSWORD);

那么新的网址是：
<一href=\"http://domain.com/api.php?api_option=list&api_user_name=USERNAME&timestamp=1296875073&nonce=hgg65JHFj&signature=kfvyhgfytgyr6576yfgu\" rel=\"nofollow\">http://domain.com/api.php?api_option=list&api_user_name=USERNAME&timestamp=1296875073&nonce=hgg65JHFj&signature=kfvyhgfytgyr6576yfgu

你的服务器确实是让所有的选项，不包括签名，然后用同样的方法生成签名，并将其与客户端发送的签名，这应该是相同的。

What your server does is to get all the options, excluding the signature, then generate the signature using the same method and compare it to the signature sent by the client, which should be the same.

这篇关于建设有PHP / MySQL的安全的公共API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！