Codeigniter web services

Question

I'm using Codeigniter 1.7. Does anyone have any experience of creating web services with PHP, particularly within the CodeIgniter framework? What security measures do I need to consider while implementing web services? How do I provide authentication with API keys?

Any ideas?

Recommended answer

It depends on the kind of web service you are inquiring about. Is the web service going to be a daemon, for example, or a typical online web service? For either of these you must implement a RESTful type. RESTful meaning a stateless connection. This is where API keys are used; to identify a user, for example.

Luckily Codeigniter is one with many libraries and extensions. An example of such libraries can be found here: https://github.com/philsturgeon/codeigniter-restserver

Now for security concerns: API keys would replace sessions or any state. You would have to make full checks on the API. Many sites that implement APIs offer different solutions to the same end result.

Authentication with API keys is simple. You would check it against a storage type (database).

Here is a tutorial using Codeigniter and the library linked previously: http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2/

This might be somewhat vague, but since you don't have any specific problems or apparent needs it's hard to be specific.

In that case it would be better implementing a RESTful interface so that your iPhone app can also use all of the user functionalities that your service provides. The best way would be to make everything accessible in one way. Meaning not having different controllers / models for the iPhone connections and web connections.

So for example you could have the following controller:

<?php

class Auth extends CI_Controller{

    // Assumes a 'rest' library and 'somemodel' model (placeholder names
    // from this answer) are already loaded on the controller.
    public function login(){
      //Check if they're accessing using a RESTful interface;
      $restful = $this->rest->check();
      if($restful){
         //Check for the API keys;
         $apiKey    = $this->input->get('apiKey');
         $secretKey = $this->input->get('secretKey');

         //If you have any rules upon the keys you may check them (i.e. their lengths,
         //character restrictions, etc...)
         if(strlen($apiKey) == 10 and strlen($secretKey) == 14)
         {
           //Now check against the database if the keys are acceptable;
           $this->db->where('apiKey', $apiKey);
           $this->db->where('secretKey', $secretKey);
           $this->db->limit(1);
           $query = $this->db->get('keys');
           //get() resets the query builder, so count the rows on the result
           //object instead of calling count_all_results() afterwards;
           if($query->num_rows() == 1)
           {
             //The keys are accepted, now authenticate the user;
             foreach ($query->result() as $row)
             {
                $user_id = $row->user_id;
                //Now generate a response key;
                $response_key = $this->somemodel->response_key($user_id);
                //Now return the response key;
                die(json_encode(   array(
                                         'response_key' => $response_key,
                                         'user_id' => $user_id
                                   )
                               )
                   );

             } //End of Foreach
           }//End of Result Count
         }//End of length / character check;
      } else {
        //Perform your usual session login here...;

      }
   }
}

?>

Now this is just a small example for performing these types of requests. This could apply to any type of controller. Though there are a few options here. You could make every request pass the apikey and the secret each time and verify it at each request. Or you could have some sort of whitelist, so that once you have been verified the first time each request after that would be whitelisted, and/or blacklisted on the opposite.

Hope this helps, Daniel
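
The per-request option mentioned in the answer (send the key and secret with every request and verify them each time), as an added example that is not part of the original answer: credentials are read from request headers rather than the query string (which ends up in access logs), only a SHA-256 hash of the secret is stored, and the comparison uses hash_equals(). The header names, the in-memory $keyStore and the sample keys are constructed assumptions; it is plain PHP 7+ with no CodeIgniter calls.

```php
<?php
// Added example (not from the original answer). Plain PHP 7+, no framework.
// The header names and the $keyStore layout are assumptions for illustration.

// Constructed sample store: apiKey => user id + SHA-256 of the secret.
// Only the hash is stored, so a leaked table does not reveal usable secrets.
$keyStore = array(
    'AbCdEf0123' => array(
        'user_id'     => 42,
        'secret_hash' => hash('sha256', 'constructed-14'),
    ),
);

// Verify the credentials sent with one request; returns user id or null.
function verify_api_request(array $headers, array $keyStore)
{
    $apiKey = isset($headers['X-Api-Key']) ? $headers['X-Api-Key'] : '';
    $secret = isset($headers['X-Api-Secret']) ? $headers['X-Api-Secret'] : '';

    // Same format rule as the answer: 10-character key, 14-character secret.
    if (!is_string($apiKey) || !is_string($secret)
        || strlen($apiKey) !== 10 || strlen($secret) !== 14) {
        return null;
    }

    // Unknown key: still hash and compare against a dummy value so that
    // known and unknown keys follow a similar code path.
    $known  = isset($keyStore[$apiKey]);
    $stored = $known ? $keyStore[$apiKey]['secret_hash'] : hash('sha256', '');

    // hash_equals() compares in constant time, unlike == or a SQL WHERE match.
    $match = hash_equals($stored, hash('sha256', $secret));

    return ($known && $match) ? $keyStore[$apiKey]['user_id'] : null;
}

// Constructed requests: valid, wrong secret, unknown key.
$requests = array(
    array('X-Api-Key' => 'AbCdEf0123', 'X-Api-Secret' => 'constructed-14'),
    array('X-Api-Key' => 'AbCdEf0123', 'X-Api-Secret' => 'wrong-secret-1'),
    array('X-Api-Key' => 'ZZZZZZZZZZ', 'X-Api-Secret' => 'constructed-14'),
);
foreach ($requests as $headers) {
    $userId = verify_api_request($headers, $keyStore);
    echo $userId === null ? "401 Unauthorized\n" : "200 OK user_id=$userId\n";
}
```

A plain SHA-256 of the secret is only adequate when secrets are long random strings issued by the server; user-chosen secrets would need password_hash() and password_verify() instead.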
