使用 PHP/MYSQL 构建安全的公共 API
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4900918/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Building Secure Public API with PHP/MYSQL
提问by Mr.Boon
I'm currently building an API for a very busy internet website. Its being written in PHP with MySQL. Now this is my first API that i'm writing that allows people to access their account remotely. Once the API is online, developers will be able to write their own tools from it.
我目前正在为一个非常繁忙的互联网网站构建 API。它是用 PHP 和 MySQL 编写的。现在这是我编写的第一个 API,它允许人们远程访问他们的帐户。一旦 API 上线,开发人员将能够从中编写自己的工具。
Now I have the API working, but I'm not sure if its entirely safe.
现在我的 API 可以工作了,但我不确定它是否完全安全。
An example URL that would work is: http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD
一个可行的示例 URL 是: http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD
USERNAME: would be the users actual username
USERNAME: 将是用户的实际用户名
PASSWORD: would be the MD5 encoded string of their actual password.
PASSWORD: 将是他们实际密码的 MD5 编码字符串。
If the details match, a result is returned, if not, and error.
如果详细信息匹配,则返回结果,如果不匹配,则返回错误。
All external $_GETinputs get the mysql_real_escape_string()treatment.
所有外部$_GET输入都得到mysql_real_escape_string()处理。
I wanted to keep things simple, but I'm not sure if this way is a SAFE way of having a public API that taps directly into users accounts data.
我想让事情保持简单,但我不确定这种方式是否是一种拥有直接访问用户帐户数据的公共 API 的安全方式。
Ideas and suggestions are much appreciated.
非常感谢您的想法和建议。
采纳答案by Arvin
How about signing requests using HMAC_SHA1 and the user's password? For example, your URL: http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD
如何使用 HMAC_SHA1 和用户密码签署请求?例如,您的网址:http://domain.com/api.php?api_option=list&api_user_name=USERNAME&api_user_password=PASSWORD
Add the timestamp and/or a random string (nonce) and build a normalized base_string:
添加时间戳和/或随机字符串(nonce)并构建规范化的 base_string:
$base_string = "api_option=list&api_user_name=USERNAME×tamp=1296875073&nonce=hgg65JHFj";
$signature = hmac_sha1($base_string, PASSWORD);
then the new URL would be: http://domain.com/api.php?api_option=list&api_user_name=USERNAME×tamp=1296875073&nonce=hgg65JHFj&signature=kfvyhgfytgyr6576yfgu
那么新的 URL 将是:http: //domain.com/api.php?api_option=list&api_user_name=USERNAME×tamp=1296875073&nonce=hgg65JHFj&signature=kfvyhgfytgyr6576yfgu
What your server does is to get all the options, excluding the signature, then generate the signature using the same method and compare it to the signature sent by the client, which should be the same.
您的服务器所做的是获取所有选项,不包括签名,然后使用相同的方法生成签名并将其与客户端发送的签名进行比较,这应该是相同的。
回答by Spencer Hakim
Please, for the love of the Internet, DO NOT DO THIS. I imploreyou to put the time into implementing OAuth for your API. Please. Please please please.
出于对互联网的热爱,请不要这样做。我恳请您花时间为您的 API 实现 OAuth。请。拜托拜托拜托了。
Take a look at this: http://toys.lerdorf.com/archives/55-Writing-an-OAuth-Provider-Service.html
看看这个:http: //toys.lerdorf.com/archives/55-Writing-an-OAuth-Provider-Service.html
回答by Darren
Do not use a password for API clearance, even if it is encoded, especially if it is encoded in MD5. Furthermore I would not use the users username as well. Let the user generate a key. You are giving someone the ability to know 50% of what they need to know to access a user's account, and MD5 has a lot of sites that you can reverse it and find a password match. A key is certainly the best way to go so a developer could regenerate it further down the road for security purposes. Always think of security.
不要将密码用于 API 清除,即使它已编码,尤其是在以 MD5 编码的情况下。此外,我也不会使用用户用户名。让用户生成密钥。您让某人能够了解他们访问用户帐户所需了解的 50% 的信息,而 MD5 有很多站点,您可以将其反转并找到密码匹配项。密钥当然是最好的方法,因此开发人员可以出于安全目的进一步重新生成它。总是想到安全。
