使用 PHP/MYSQL 构建安全的公共 API [英] Building Secure Public API with PHP/MYSQL

问题描述

我目前正在为一个非常繁忙的互联网网站构建 API.它是用 PHP 和 MySQL 编写的.现在这是我编写的第一个 API，它允许人们远程访问他们的帐户.API 上线后，开发人员将能够使用它编写自己的工具.

I'm currently building an API for a very busy internet website. Its being written in PHP with MySQL. Now this is my first API that i'm writing that allows people to access their account remotely. Once the API is online, developers will be able to write their own tools from it.

现在我的 API 可以工作了，但我不确定它是否完全安全.

Now I have the API working, but I'm not sure if its entirely safe.

可以使用的示例 URL 是:http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD

An example URL that would work is: http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD

USERNAME:将是用户的实际用户名

USERNAME: would be the users actual username

PASSWORD:将是他们实际密码的 MD5 编码字符串.

PASSWORD: would be the MD5 encoded string of their actual password.

如果详细信息匹配，则返回结果，如果不匹配，则返回错误.

If the details match, a result is returned, if not, and error.

所有外部 $_GET 输入都得到 mysql_real_escape_string() 处理.

All external $_GET inputs get the mysql_real_escape_string() treatment.

我想让事情保持简单，但我不确定这种方式是否是一种拥有直接访问用户帐户数据的公共 API 的安全方式.

I wanted to keep things simple, but I'm not sure if this way is a SAFE way of having a public API that taps directly into users accounts data.

非常感谢您的想法和建议.

Ideas and suggestions are much appreciated.

推荐答案

如何使用 HMAC_SHA1 和用户密码对请求进行签名?例如，您的网址:http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD

How about signing requests using HMAC_SHA1 and the user's password? For example, your URL: http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD

添加时间戳和/或随机字符串(nonce)并构建规范化的 base_string:

Add the timestamp and/or a random string (nonce) and build a normalized base_string:

$base_string = "api_option=list&api_user_name=USERNAME&timestamp=1296875073&nonce=hgg65JHFj";
$signature = hmac_sha1($base_string, PASSWORD);

那么新的 URL 将是:http://domain.com/api.php?api_option=list&api_user_name=USERNAME&timestamp=1296875073&nonce=hgg65JHFj&signature=kfvyhgfytgyr6576yfgu

then the new URL would be: http://domain.com/api.php?api_option=list&api_user_name=USERNAME&timestamp=1296875073&nonce=hgg65JHFj&signature=kfvyhgfytgyr6576yfgu

您的服务器所做的是获取所有选项，不包括签名，然后使用相同的方法生成签名并将其与客户端发送的签名进行比较，这应该是相同的.

What your server does is to get all the options, excluding the signature, then generate the signature using the same method and compare it to the signature sent by the client, which should be the same.

这篇关于使用 PHP/MYSQL 构建安全的公共 API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！