Php write interface security verification do not understand?

When using PHP to write an interface, you have to use security verification. I don't know why, but I'm a little confused when I think about it recently.
For example, there is an interface address http://test.com/user/list?uid.
The three parameters above are: uid (the user id), token, and sign (this value is calculated from the first two parameters under a specified algorithm).
These are given to the server, and then the server calculates the sign according to the same rule to verify whether the passed sign is consistent.

If the URL above is normal, you can get the data. If at this point the URL becomes known to others, and they can see the data as long as they open it in the browser, what is the use of security verification?

Php
Mar.16,2021

Whether it is encrypted transmission or plaintext transmission, the data becomes plaintext once the browser has parsed it; that is certainly unavoidable.

If you want to talk about the role of security verification, you need to explain Token. A token is like a passport: users can perform the corresponding operations only after they have obtained a token. Without a token, isn't it possible to forge user requests and operate at will?


The security verification of a general interface has a public key and a private key. Only the public key is transmitted, and the token or signature is then generated using the private key, instead of all the parameters being transmitted openly as now. And the API verifies whether the identity of the request is correct; it is not that a request with a correct identity must be in the right place to get the correct answer.


  1. You can pass the current timestamp as a parameter, and the interface side checks whether it exceeds the predetermined time when judging the validity of the request. In this way, the sign generated for each interface call differs from time to time.
  2. You can also add an IP check, so that only interface requests sent from the specified server IP are processed.

The OP mentioned three parameters:
uid (user id): this is the normal parameter
token value: this is the authentication parameter => used for login
sign: this is the request signature parameter => used for tamper-proofing

After the server receives the request:
the first thing to do is verify that sign is legal. If it is not, the request is considered tampered with and service is terminated.
Then authenticate the token to get the user's identity information.
Finally, go to the business logic.
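To make the scheme in the question and the points in answers 3 and 4 concrete, here is an added PHP example (not code from the original thread). It signs the request with an HMAC over the sorted parameters plus a timestamp, and the server checks sign first, then token, then runs business logic. The choice of HMAC-SHA256, the 5-minute window, the secret value and the in-memory token store are all assumptions; the page only says sign is "calculated under a specified algorithm". The point it demonstrates is the answer to the question: a copied URL still works inside the window for the same data, but it cannot be edited (the uid cannot be changed) and it stops working once the timestamp expires, because the secret used to compute sign never travels in the URL.

```php
<?php
// Added example, not from the original post: HMAC request signing with a
// timestamp window, verified in the order answer 4 describes.
// Assumptions: HMAC-SHA256 as the "specified algorithm", a shared secret held
// by the client app and the server only, and a constructed token store.

declare(strict_types=1);

const SIGN_WINDOW_SECONDS = 300;                       // assumption: 5-minute validity window
const APP_SECRET = 'constructed-secret-do-not-ship';   // assumption: never sent in the URL

// Constructed token store: token => uid. A real app would look this up in a DB or cache.
const TOKEN_STORE = ['tok_abc123' => 42];

/** Canonical string: sorted key=value pairs, excluding 'sign' itself. */
function canonicalize(array $params): string
{
    unset($params['sign']);
    ksort($params);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = $k . '=' . (string) $v;
    }
    return implode('&', $pairs);
}

function computeSign(array $params, string $secret): string
{
    return hash_hmac('sha256', canonicalize($params), $secret);
}

/** Client side: attach ts and sign to the request parameters. */
function signRequest(array $params, string $secret, int $now): array
{
    $params['ts'] = $now;
    $params['sign'] = computeSign($params, $secret);
    return $params;
}

/**
 * Server side. Returns ['ok' => true, 'uid' => int] or ['ok' => false, 'error' => string].
 * Order: 1) sign (tamper check)  2) token (identity)  3) business logic.
 */
function handleRequest(array $params, string $secret, int $now): array
{
    // 1. Signature: reject anything missing, stale, or not matching.
    if (!isset($params['sign'], $params['ts'])) {
        return ['ok' => false, 'error' => 'missing sign or ts'];
    }
    $ts = (int) $params['ts'];
    if (abs($now - $ts) > SIGN_WINDOW_SECONDS) {
        return ['ok' => false, 'error' => 'request expired'];
    }
    $expected = computeSign($params, $secret);
    // hash_equals is a constant-time comparison, so the check does not leak timing.
    if (!hash_equals($expected, (string) $params['sign'])) {
        return ['ok' => false, 'error' => 'bad signature'];
    }

    // 2. Token: resolve identity; the token must belong to the uid in the request.
    $uid = TOKEN_STORE[$params['token'] ?? ''] ?? null;
    if ($uid === null || $uid !== (int) ($params['uid'] ?? -1)) {
        return ['ok' => false, 'error' => 'invalid token'];
    }

    // 3. Business logic would run here.
    return ['ok' => true, 'uid' => $uid];
}

// Demo run with constructed values.
$now = time();
$req = signRequest(['uid' => 42, 'token' => 'tok_abc123'], APP_SECRET, $now);
var_dump(handleRequest($req, APP_SECRET, $now)['ok']);               // bool(true)

$tampered = $req;
$tampered['uid'] = 43;                                               // uid edited, sign no longer matches
var_dump(handleRequest($tampered, APP_SECRET, $now)['error']);       // "bad signature"

$replay = $req;                                                      // same URL opened an hour later
var_dump(handleRequest($replay, APP_SECRET, $now + 3600)['error']);  // "request expired"
```

The timestamp check runs before the HMAC comparison so that expired requests are rejected cheaply; the HMAC still covers `ts`, so the timestamp itself cannot be edited to extend the window.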
