保护 php api 以在 android 应用程序中使用 [英] Securing php api to use in android application
问题描述
我是安卓开发的新手.我正在使用 android studio
开发应用程序.我做过的事情
I am newbie to android development. I am using android studio
for developing an application. Things i have done
- 在
MySQL
中创建了一个带有两个表的DB
. - 为
GET
和POST
方法创建了两个单独的api
. - 成功访问了两个
api的
- Created a
DB
with two tables in it inMySQL
. - Created two separate
api's
for bothGET
andPOST
methods. - Successfully accessed both
api's
我现在取得的成就
- 能够从 GET
api
中GET
数据. - 能够使用POST
api
POST
数据我现在要做的事情
我希望我的 api 在线发布,即我想将我的服务部署到服务器并访问它们.此时,我能够在服务器上部署服务并访问它们.
I want my api to publish online, i.e. I want to deploy my services into a server and access them. At this point i am able to deploy the services on the server and accessed them.
现在我希望我的服务(api's
)得到保护.为此,我搜索了许多文章并找到了两种方法.
Now i want my services(api's
) to be secured. For that i have searched many articles and found two ways.
- 使用
yii
框架.有人告诉我使用它,因为它会自动保护api 的
.但我不确定它是否有. - 手动保护
api的
- Use
yii
framework. Someone told me to use it because it automatically secured theapi's
. But i don't know for sure whether it do or not. - Manually secure the
api's
至于 1
点,该框架会有所帮助,但它对我来说是新的,需要时间来配合它,因为我已经创建了 Web 服务.
As for point 1
the framework will be helpful but it's new to me and it will take time to coop with it as i am already created the web services.
对于 2
我得到了一些信息
For point 2
i got some information
这两个链接似乎都不错,但链接 1
并没有给我太多相关信息.
Both links seems to be good but link 1
doesn't gives me much info on that.
显然我想保护我的 api
现在是代码部分
GET_DATA.php
require_once ('config.php');
$sql = "SELECT * FROM users";
$r = mysqli_query($con,$sql);
$result = array();
while($row = mysqli_fetch_array($r)){
array_push($result,array(
'Id'=>$row['Id'],
'Name'=>$row['Name']
));}
echo json_encode(array('users'=>$result));
echo json_encode(array('users'=>$result));
POST_DATA.php
require_once ('config.php');
$return_arr = array();
$UserId=($_POST['UserId']);
$Latitude=($_POST['Latitude']);
$Longitude=($_POST['Longitude']);
$DateTime=($_POST['DateTime']);
$user_register_sql1 = "INSERT INTO `activity`(`Id`,`UserId`, `Latitude`,`Longitude`,`DateTime`) values (NULL,'".$UserId."','".$Latitude."','".$Longitude."','".$DateTime."')";
mysqli_query ($con,$user_register_sql1);
$row_array['errorcode1'] = 1;
我有一个 user class
,从中我可以得到 username
和 ID
I have a user class
from which i am getting username
and ID
JSONfunctions.java
该类负责从api
public static JSONObject getJSONfromURL(String url)
{
String json = "";
JSONObject jsonObject = null;
try
{
HttpClient httpClientt = new DefaultHttpClient();
HttpGet httpGet = new HttpGet(url);
HttpResponse httpResponse = httpClientt.execute(httpGet);
BufferedReader br = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
StringBuffer sb = new StringBuffer();
String line = "";
while ((line = br.readLine()) != null) {
sb.append(line);
}
json = sb.toString();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
try
{
jsonObject = new JSONObject(json);
} catch (JSONException e) {
e.printStackTrace();
}
return jsonObject;
}
PutUtility.Java
该类负责POST
方法
public void setParam(String key, String value) {
params.put(key, value);
}
public String postData(String Url) {
StringBuilder sb = new StringBuilder();
for (String key : params.keySet()) {
String value = null;
value = params.get(key);
if (sb.length() > 0) {
sb.append("&");
}
sb.append(key + "=" + value);
}
try {
// Defined URL where to send data
URL url = new URL(Url);
URLConnection conn = null;
conn = url.openConnection();
// Send POST data request
httpConnection = (HttpURLConnection) conn;
httpConnection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
httpConnection.setRequestMethod("POST");
httpConnection.setDoInput(true);
httpConnection.setDoOutput(true);
OutputStreamWriter wr = null;
wr = new OutputStreamWriter(conn.getOutputStream());
wr.write(sb.toString());
wr.flush();
BufferedReader in = new BufferedReader(
new InputStreamReader(httpConnection.getInputStream()));
String inputLine;
response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}finally {
try {
reader.close();
} catch (IOException e) {
e.printStackTrace();
}
}
return response.toString();
}
MainActivity.java
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
_latitude = (TextView)findViewById(R.id.latitude);
_longitude = (TextView)findViewById(R.id.longitude);
btn_get_coordinates = (Button)findViewById(R.id.button);
btn_save_data = (Button)findViewById(R.id.btn_save);
btn_save_data.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
if(UserId.toString()== "" || Latitude.toString() == "" || Longitude.toString() == "" || DateTime.toString() == "")
{
Toast.makeText(getApplicationContext(), "Data Not Saved !!!! Please select appropriate data to save", Toast.LENGTH_SHORT).show();
}
new ServiceLogin().execute(UserId, Latitude, Longitude, DateTime);
}
});
// Download JSON file AsyncTask
new DownloadJSON().execute();
}
// Download JSON file AsyncTask
private class DownloadJSON extends AsyncTask<Void, Void, Void>
{
@Override
protected void onPreExecute() {
super.onPreExecute();
progressDialog = new ProgressDialog(MainActivity.this);
progressDialog.setMessage("Fetching Users....!");
progressDialog.setCancelable(false);
progressDialog.show();
}
@Override
protected Void doInBackground(Void... params) {
// Locate the Users Class
users = new ArrayList<Users>();
// Create an array to populate the spinner
userList = new ArrayList<String>();
// http://10.0.2.2:8000/MobileApp/index.php
//http://10.0.2.2:8000/app/web/users/
//http://192.168.100.8:8000/app/web/users/
// JSON file URL address
jsonObject = JSONfunctions.getJSONfromURL("http://192.168.100.9:8000/MobileApp/GET_DATA.php");
try
{
JSONObject jobj = new JSONObject(jsonObject.toString());
// Locate the NodeList name
jsonArray = jobj.getJSONArray("users");
for(int i=0; i<jsonArray.length(); i++)
{
jsonObject = jsonArray.getJSONObject(i);
Users user = new Users();
user.setId(jsonObject.optString("Id"));
user.setName(jsonObject.optString("Name"));
users.add(user);
userList.add(jsonObject.optString("Name"));
}
} catch (JSONException e) {
Log.e("Error", e.getMessage());
e.printStackTrace();
}
return null;
}
@Override
protected void onPostExecute(Void args)
{
// Locate the spinner in activity_main.xml
Spinner spinner = (Spinner)findViewById(R.id.spinner);
// Spinner adapter
spinner.setAdapter(new ArrayAdapter<String>(MainActivity.this, android.R.layout.simple_spinner_dropdown_item, userList));
// Spinner on item click listener
spinner.setOnItemSelectedListener(new AdapterView.OnItemSelectedListener() {
@Override
public void onItemSelected(AdapterView<?> parent, View view, int position, long id) {
textViewResult = (TextView)findViewById(R.id.textView);
// Set the text followed by the position
textViewResult.setText("Hi " + users.get(position).getName() + " your ID is " + users.get(position).getId());
UserId = String.valueOf(users.get(position).getId());
progressDialog.dismiss();
_latitude.setText("");
_longitude.setText("");
Latitude = null;
Longitude= null;
}
@Override
public void onNothingSelected(AdapterView<?> parent) {
textViewResult.setText("");
}
});
}
}
由于我是新手,所以我不知道在 php
脚本中该做什么以及在我的 android 代码中做什么:(.如果有人可以指导我或给我遵循的教程.
As i am newbie, so i don't know what to do in php
script and what to do in my android code :(. It would be very helpful if anyone can guide me or give me a tutorial that i follow.
任何帮助将不胜感激.
推荐答案
为了保护您的 API,您需要一种机制来检测对 API 的请求是否来自受信任的来源.默认情况下,许多框架都带有此功能.
To secure your APIs, you need a mechanism to detect that the request to the api is made from a trusted source. Many frameworks come with this feature by default.
但是,您可以将 JSON 网络令牌 (jwt) 与 PHP 结合使用来为您的 api 请求添加授权
However you can just use JSON Web Tokens (jwt) with PHP to add authorization to your api requests
Learn about token based authentication from this page.
查看此简单教程 关于如何使用 JWT 保护您的 PHP api 端点.
Check out this simple tutorial on how to secure your PHP api endpoints with JWT.
如果您需要更高的安全性,您可能希望将 OAuth 提供程序服务添加到您的 API.查看这篇关于 如何编写 OAuth 提供程序的帖子PHP
If you need even more security you might want to add OAuth provider service to your API. check out this post on how to write OAuth provider in PHP
这篇关于保护 php api 以在 android 应用程序中使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!