短信接口在业务中是必然会有的,那么怎么防止接口被刷呢?
我简单总结一下我的想法
- 首先可以考虑在页面上加上 验证码。可以减少人为的刷票
- 大量的被刷还应该是直接对接口的调用,这里面应该怎样防止被刷呢
- 可以考虑业务端和接口端用对应的 token 识别表单令牌是否合法,但是这个令牌必须一直变,不变的话就没有意义了(时间、其他变化的参数都可以成为 token 的元素)。需要注意:如果令牌是客户端按固定算法和固定密钥算出来的,攻击者读一遍前端代码就能伪造,所以令牌应由服务端签发、短期有效、一次性使用,并在服务端比对(PHP 中用 hash_equals 避免时序攻击)。
- 还可以考虑对IP的限制。每个IP不可以调用太多的接口
- 每个手机号每天的调用次数也要限制,同时两次发送之间要有最短间隔(比如 60 秒)
- 这些都有可能被攻克,所以还要做好预警监控机制:一段时间内短信量变化明显,或者超过预期的数量,要及时查看系统是否正常运行。另外,验证码只能通过短信下发,绝不能在接口响应里返回,否则上面的限制全部失去意义。
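/**
 * Issue a phone-login SMS verification code.
 *
 * Reads `tel` and `token_key` from the request, checks the form token,
 * validates the number, applies per-IP and per-number limits, generates a
 * code and hands it to send_sms(). Always writes a JSON body
 * `{code, msg, info}` and exits; `info` is always empty — the code must
 * only travel over SMS, otherwise the SMS step is pointless.
 *
 * Responses: 200 on success; 400 with msg 4001 (bad token), 4002 (empty
 * phone), 4003 (bad phone format), 4004 (resend within 60s), 4005 (daily
 * per-number cap), 4006 (daily per-IP cap), 4007 (send/record failed).
 *
 * NOTE(review): the token is md5(static secret . date . phone). A client
 * has to compute it, so whoever reads the client code can forge it for any
 * number; it should become a server-issued, short-lived, single-use nonce
 * kept server-side. The check is retained here so existing clients work.
 *
 * @author marain
 * @time 2017-06-27
 */
public function get_code(){
    // Emit a JSON reply and stop. The verification code is never placed
    // in `info` (the original returned it, which defeated the SMS check).
    $reply = function ($code, $msg, $info = '') {
        echo json_encode(array('code' => $code, 'msg' => $msg, 'info' => $info));
        exit();
    };

    // NOTE(review): $_REQUEST also accepts GET and cookies; this endpoint
    // should be POST-only. The read is kept as-is for compatibility.
    $phone     = isset($_REQUEST['tel']) ? trim((string)$_REQUEST['tel']) : '';
    $token_key = isset($_REQUEST['token_key']) ? (string)$_REQUEST['token_key'] : '';
    $today     = date('Y-m-d');

    // Token derived from number and day (see NOTE above); compared in
    // constant time so the comparison itself leaks nothing.
    $key     = 'marain';
    $signkey = md5($key . $today . $phone . 'marain');
    if (!hash_equals($signkey, $token_key)) {
        $reply(400, '4001:令牌错误');
    }
    if ($phone === '') {
        $reply(400, '4002:电话不能为空');
    }
    // Mainland China mobile number: 11 digits, leading 1 then 3-9. The
    // original 1[34578] rejected valid 16x/19x numbers.
    if (!preg_match('/^1[3-9]\d{9}$/', $phone)) {
        $reply(400, '4003:电话格式不正确');
    }

    $ip = get_client_ip();

    // Per-IP limits. The original left both branches empty ("alert"), so
    // nothing was ever enforced; the daily cap now rejects the request and
    // both thresholds are logged for a monitor to pick up.
    $ip_rows  = M('App_sms')->where(array('create_ip' => $ip))->select();
    $ip_rows  = is_array($ip_rows) ? $ip_rows : array();
    $ip_today = 0;
    foreach ($ip_rows as $row) {
        if (substr($row['create_time'], 0, 10) === $today) {
            $ip_today++;
        }
    }
    if (count($ip_rows) > 500) {
        error_log("sms get_code: ip {$ip} exceeded 500 total requests");
    }
    if ($ip_today > 100) {
        error_log("sms get_code: ip {$ip} exceeded 100 requests today");
        $reply(400, '4006:获取失败,该IP请求次数过多');
    }

    // Per-number limits; rows come newest first so $rows[0] is the last send.
    $rows = M('App_sms')->where(array('tel_number' => $phone))->order('id desc')->select();
    $rows = is_array($rows) ? $rows : array();

    $sent_today = 0;
    foreach ($rows as $row) {
        if (substr($row['create_time'], 0, 10) === $today) {
            $sent_today++;
        }
    }
    // Minimum 60 seconds between two sends to the same number.
    if (!empty($rows) && (strtotime($rows[0]['create_time']) + 60) > time()) {
        $reply(400, '4004:获取失败,请不要频繁获取');
    }
    // NOTE(review): 30 a day is generous for a 4-digit code; consider lowering.
    if ($sent_today >= 30) {
        $reply(400, '4005:获取失败,每人每天只能获取三十次验证码');
    }

    // A fresh code for every send. The original re-sent the day's first
    // code on every request, giving an attacker the whole day to guess a
    // 4-digit value. (A short TTL on the verify side is still needed.)
    $code = $this->_create_code();
    if (!$this->send_sms($phone, $code, $ip)) {
        $reply(400, '4007:发送失败,请稍后重试');
    }
    $reply(200, '获取成功');
}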
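/**
 * Generate a random verification code.
 *
 * Uses random_int() (CSPRNG, PHP >= 7.0) instead of mt_rand(), whose
 * output can be predicted once a few values are observed — unacceptable
 * for a one-time code.
 *
 * NOTE(review): 4 digits is only 10^4 values; with up to 30 sends per
 * number per day and no visible cap on verify attempts, 6 digits plus a
 * bounded attempt counter on the verify side is advisable. The default
 * stays 4 so existing callers are unchanged.
 *
 * @param int    $length number of characters (default 4); 0 or less gives ''
 * @param string $type   'number' (digits), 'string' (A-Z) or 'mixed'
 * @return string
 * @throws InvalidArgumentException on an unknown $type (the original
 *         produced an undefined-index warning and then a broken range)
 */
public function _create_code($length=4,$type="number"){
    $alphabets = array(
        'number' => '0123456789',
        'string' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'mixed'  => '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ',
    );
    if (!isset($alphabets[$type])) {
        throw new InvalidArgumentException("unknown code type: {$type}");
    }
    $alphabet = $alphabets[$type];
    $max      = strlen($alphabet) - 1;

    $code = '';
    for ($i = 0; $i < (int)$length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}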
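/**
 * Send a verification code to $mobile and record the attempt in App_sms.
 *
 * @param string $mobile recipient number (already validated by the caller)
 * @param string $code   the verification code
 * @param string $ip     client IP of the request
 * @return bool true when the App_sms row was written, false otherwise
 *
 * NOTE(review): the gateway call is still a placeholder — the original
 * had `$url='发送短信接口'` with no semicolon (a parse error) and the
 * request commented out — so send_result is recorded as null. The code is
 * stored in plain text because get_code() reads it back; storing a keyed
 * hash (hash_hmac with a server secret) and comparing on verify would be
 * safer.
 */
private function send_sms($mobile, $code, $ip){
    if (empty($mobile) || empty($code) || empty($ip)) {
        return false;
    }
    $content = '您的注册验证码是' . $code;

    // TODO: replace with the real gateway call and fail the send when it
    // fails. Prefer an authenticated POST over a file_get_contents() GET
    // that puts the number and code in the URL (and in proxy/server logs).
    $url = '发送短信接口';
    $send_result = null;
    //$send_result = file_get_contents($url);

    $data = array(
        'tel_number'  => $mobile,
        'content'     => $content,
        'code'        => $code,
        'create_time' => date('Y-m-d H:i:s'),
        'create_ip'   => $ip, // caller's value; the original re-called get_client_ip()
        'send_result' => $send_result,
    );
    return (bool) M('App_sms')->add($data);
}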