php 接口安全性,PHP接口安全处理

/**

* SignCheck : session key 对称式 加密校验.

* 注：公私钥模式可以避免私钥被窃取.

*/

// Client:

$time = time();

$url = "name=dudj&password=123456&telephone=130****8873&time={$time}";

// Client和Server通用私钥.

$uuid = 'b9514c52-5363-4364-b73f-a2ec93ae6b34';

function getSign($url, $uuid, $encode = true)

{

parse_str( $url, $arr );

if (! $encode ) {

unset($arr['sign']);

}

// 1. 参数按首字母排序

ksort($arr, SORT_REGULAR);

$str = http_build_query($arr);

// 2. 参数字符串拼接私钥(TODO自定义)

$new_str = $str . $uuid;

// 3. 生成新sign(TODO自定义)

$sign = openssl_encrypt($new_str, 'AES-128-CBC', $uuid, OPENSSL_RAW_DATA, substr($uuid, 0, 16));

return md5($sign);

}

// 4. 参数拼接sign进行请求

$client_sign = getSign($url, $uuid);

$request_url = $url . "&sign={$client_sign}";

// Server:

// 去除sign重新校验，并检查time有效期

$server_sign = getSign($request_url, $uuid, false);

if(($client_sign == $server_sign) && ((time()-$time)<5)){

echo "{$server_sign} 有效,且在有效期内.\n";

//做接口处理

parse_str( $url, $arr );

var_dump($arr);

}else{

return "非法请求.\n";

}