API signature generation and verification for PHP developers

During development we constantly deal with interfaces (APIs): sometimes we call an interface that someone else provides, sometimes our own site provides an interface for others. Either way, the exchange cannot do without signature generation on the sending side and signature verification on the receiving side.

When designing signature verification, pay attention to the following points:

  • Variability: every signature must be different, so no two requests carry the same sign value.

  • Timeliness: every request has a lifetime and is rejected once it has expired.

  • Uniqueness: each signature can be used only once, so a captured request cannot simply be resent.

  • Integrity: the receiver must be able to detect any tampering with the transmitted data.

First, the method for generating the sign parameter

Step 1: Take all the parameters (note: all of them), remove the sign parameter itself and every parameter whose value is empty, and sort the remaining parameters by parameter name in ascending (byte-wise) alphabetical order.

Step 2: Concatenate the sorted parameters as name1value1name2value2...namenvaluen into a single string. Names and values must be the original transmitted values, not processed in any way; if a value arrived HTML-escaped (for example as &quot;), convert it back to the original character (here the double quote) before concatenating.

Step 3: Prepend the authentication key to the string obtained in step 2. This key is the KEY that the interface provider assigned to the access party.

Step 4: Compute the MD5 of the string obtained in step 3 to get a 32-character hex string, and convert it to uppercase. This uppercase string is the value of sign.

One caveat on the construction: md5(key . string) is a secret-prefix hash, and secret-prefix constructions over MD5 are in principle exposed to hash length extension. If you are designing the scheme rather than implementing someone else's, prefer hash_hmac() with the key as the HMAC secret; the canonicalisation in steps 1 and 2 stays the same.

For example:

Suppose the transmitted data is /interface.php?sign=sign_value&p2=v2&p1=v1&method=cancel&p3=&pn=vn (in practice it should preferably be sent by POST), where the sign parameter, sign_value, is the signature.

Step 1, build the parameter string: first remove the sign parameter itself, then remove p3, whose value is empty. The remainder is p2=v2&p1=v1&method=cancel&pn=vn; sorted by parameter name in ascending order it becomes method=cancel&p1=v1&p2=v2&pn=vn.

Step 2, concatenate the parameter names and values: methodcancelp1v1p2v2pnvn.

Step 3, prepend the authentication key; assuming the key is abc, the new string is abcmethodcancelp1v1p2v2pnvn.

Step 4, compute the MD5 of this string. Assuming, purely for illustration, that the digest were abcdef, its uppercase form ABCDEF would be the sign value (a real MD5 digest is 32 hex characters).

Note: make sure the access party and the interface provider use the same character encoding for the string before computing MD5, either UTF-8 or GBK for both sides. If the encodings differ, the two sides compute different digests and signature verification fails.
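The four steps and the worked example above, as an added example in PHP that is not code from the original post: the key "abc" and the parameter set are the post's, the helper names buildSignBase, makeSign and checkSign are mine, and because the post's "abcdef" digest was only a placeholder, the real MD5 is computed here. It also shows the matching verification step, comparing with hash_equals rather than ==.

```php
<?php
// Added example, not code from the original post: an implementation of the
// four-step rule above, checked against the post's worked example. The key
// "abc" and the parameters are the post's; the helper names are mine, and the
// "abcdef" digest in the post was a placeholder, so the real MD5 is computed.

/**
 * Build the string that gets hashed: drop "sign" and every empty-valued
 * parameter, sort the rest by name in byte order, concatenate name1value1...
 * from the raw (un-encoded) values, and prefix the access party's key.
 */
function buildSignBase(array $params, string $key): string
{
    unset($params['sign']);
    // Drop empty values ("" and null). The post does not say how "0" should be
    // treated, so it is kept; both sides must agree on this rule.
    $params = array_filter($params, function ($v) {
        return $v !== '' && $v !== null;
    });
    ksort($params, SORT_STRING); // byte-wise, so "p10" sorts before "p2"
    $base = $key;
    foreach ($params as $name => $value) {
        $base .= $name . $value;
    }
    return $base;
}

function makeSign(array $params, string $key): string
{
    return strtoupper(md5(buildSignBase($params, $key)));
}

/** Recompute sign from the received parameters and compare in constant time. */
function checkSign(array $params, string $key): bool
{
    if (!isset($params['sign']) || !is_string($params['sign'])) {
        return false;
    }
    return hash_equals(makeSign($params, $key), strtoupper($params['sign']));
}

// The post's example: sign=sign_value&p2=v2&p1=v1&method=cancel&p3=&pn=vn, key "abc"
$request = [
    'sign'   => 'sign_value',
    'p2'     => 'v2',
    'p1'     => 'v1',
    'method' => 'cancel',
    'p3'     => '',
    'pn'     => 'vn',
];
$key = 'abc';

$base = buildSignBase($request, $key);
if ($base !== 'abcmethodcancelp1v1p2v2pnvn') {
    throw new RuntimeException("unexpected base string: $base");
}
echo "base string: $base\n";
echo "sign:        " . makeSign($request, $key) . "\n";

// Verification: the correctly signed request passes, a tampered copy fails.
$request['sign'] = makeSign($request, $key);
var_dump(checkSign($request, $key));   // request signed as above
$tampered = $request;
$tampered['method'] = 'refund';
var_dump(checkSign($tampered, $key));  // one value changed after signing
```

hash_equals() takes the value you computed yourself as its first argument and the caller-supplied value as the second; both are uppercased first so the comparison does not depend on which case the access party happened to send.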

 

Second, the signature verification method

The receiver generates a sign value from the received parameters using the rule described above and compares it with the sign value that came with the request. If the two match, the check passes; if not, the parameters were modified in transit (or signed with a different key). Two practical points: compare the two digests with hash_equals(), not with ==, because PHP's loose comparison treats hex digests that look like "0e123..." as equal numbers; and a timestamp check alone only limits replay to the validity window, so meeting the uniqueness requirement above needs a per-request nonce that the server remembers for at least that window.

 

Third, the code

<?php
// A public key (key) identifies the caller; the private key (secret) is used to
// sign the data and must never be disclosed.
$key    = "c4ca4238a0b923820dcc509a6f75849b";
$secret = "28c8edde3d61a0411511d3b1866f0636";

// The packet to be transmitted
$data = array(
    'username'  => '[email protected]',
    'sex'       => '1',
    'age'       => '16',
    'addr'      => 'Guangzhou',
    'key'       => $key,
    'timestamp' => time(),
);

// Compute sign. Note that this canonicalisation differs from the rule in the
// first section: the parameters are URL-encoded as name=value&..., the secret
// is appended rather than prepended, and the digest is left in lowercase.
function getSign($secret, $data) {
    // sort the array by parameter name
    ksort($data);
    // build the url-encoded form
    $params = http_build_query($data);
    // generate sign
    $sign = md5($params . $secret);
    return $sign;
}

// Add sign to the data to be transmitted
$data['sign'] = getSign($secret, $data);

/**
 * Backend: verify that sign is legitimate
 * @param  string $secret the caller's private key
 * @param  array  $data   the received parameters, including sign
 * @return void           terminates with a message in every case
 */
function verifySign($secret, $data) {
    // the sign parameter must be present
    if (!isset($data['sign']) || !$data['sign']) {
        echo 'the transmitted data carries no signature';
        die();
    }
    if (!isset($data['timestamp']) || !$data['timestamp']) {
        echo 'the transmitted data is illegal';
        die();
    }
    // a request expires after 10 minutes; abs() so that a timestamp set in the
    // future cannot produce a signature that never expires
    if (abs(time() - (int) $data['timestamp']) > 600) {
        echo 'authentication failed, resend the request';
        die();
    }
    $sign = $data['sign'];
    unset($data['sign']);
    ksort($data);
    $params = http_build_query($data);
    // $secret is looked up in the api database by $data['key']
    $sign2 = md5($params . $secret);
    // constant-time comparison; the original used ==, which in PHP treats
    // hex digests of the form "0e..." as equal numbers
    if (hash_equals($sign2, (string) $sign)) {
        die('verified');
    } else {
        die('request is illegal');
    }
}

// Server side: verify the packet that was just signed
verifySign($secret, $data);
?>
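A hardened variant of getSign/verifySign, added here and not part of the original post. It keeps the post's canonicalisation (ksort plus http_build_query) but signs with hash_hmac('sha256') instead of md5($params . $secret), adds a random nonce so that every signature is different and a resent packet is rejected (the variability and uniqueness points from the top of the page), bounds the timestamp in both directions, and compares with hash_equals. The key/secret table and the nonce store are in-memory stand-ins that I assume in place of the post's "api database"; the function names canonicalize, signRequest and verifyRequest are mine.

```php
<?php
// Added example, not part of the original post: a hardened variant of
// getSign/verifySign above. It keeps the post's canonicalisation (ksort +
// http_build_query) but signs with hash_hmac('sha256') instead of
// md5($params . $secret), adds a random nonce so that every signature is
// unique and a replayed packet is rejected, checks the timestamp in both
// directions, and compares with hash_equals instead of ==. The key/secret
// table and the nonce store are in-memory stand-ins (assumed), not a real
// "api database".

const MAX_AGE = 600; // seconds, the post's 10-minute window

// Stand-in for the api database: public key => secret
$secretsByKey = [
    'c4ca4238a0b923820dcc509a6f75849b' => '28c8edde3d61a0411511d3b1866f0636',
];

function canonicalize(array $data): string
{
    unset($data['sign']);
    ksort($data, SORT_STRING);
    // RFC 3986 encoding, so that '&' or '=' inside a value cannot collide
    // with a different parameter set.
    return http_build_query($data, '', '&', PHP_QUERY_RFC3986);
}

function signRequest(array $data, string $secret): array
{
    $data['timestamp'] = (string) time();
    $data['nonce']     = bin2hex(random_bytes(16)); // fresh for every request
    $data['sign']      = hash_hmac('sha256', canonicalize($data), $secret);
    return $data;
}

/**
 * Returns null when the request is accepted, otherwise the reason it was
 * rejected. $seenNonces is the replay store (nonce => expiry time).
 */
function verifyRequest(array $data, array $secretsByKey, array &$seenNonces, ?int $now = null): ?string
{
    $now = $now ?? time();
    foreach (['key', 'timestamp', 'nonce', 'sign'] as $f) {
        if (!isset($data[$f]) || !is_string($data[$f]) || $data[$f] === '') {
            return "missing parameter: $f";
        }
    }
    if (!isset($secretsByKey[$data['key']])) {
        return 'unknown key';
    }
    // abs(): a timestamp in the future must not yield an everlasting signature
    if (!ctype_digit($data['timestamp']) || abs($now - (int) $data['timestamp']) > MAX_AGE) {
        return 'timestamp outside the allowed window';
    }
    // Check the signature before touching the nonce store, so that a sender
    // without the secret cannot fill it.
    $expected = hash_hmac('sha256', canonicalize($data), $secretsByKey[$data['key']]);
    if (!hash_equals($expected, $data['sign'])) {
        return 'bad signature';
    }
    foreach ($seenNonces as $n => $expiry) {   // drop nonces older than the window
        if ($expiry <= $now) {
            unset($seenNonces[$n]);
        }
    }
    if (isset($seenNonces[$data['nonce']])) {
        return 'replayed nonce';
    }
    $seenNonces[$data['nonce']] = $now + MAX_AGE;
    return null;
}

// Demo with the post's sample packet
$seen   = [];
$pubKey = 'c4ca4238a0b923820dcc509a6f75849b';
$packet = signRequest([
    'username' => '[email protected]',
    'sex'      => '1',
    'age'      => '16',
    'addr'     => 'Guangzhou',
    'key'      => $pubKey,
], $secretsByKey[$pubKey]);

var_dump(verifyRequest($packet, $secretsByKey, $seen));   // first delivery
$tampered = $packet;
$tampered['age'] = '61';
var_dump(verifyRequest($tampered, $secretsByKey, $seen)); // a field modified after signing
var_dump(verifyRequest($packet, $secretsByKey, $seen));   // the same packet sent again
```

The nonce only needs to be remembered for as long as the timestamp window, since anything older is already rejected by the timestamp check; in a real deployment the store would be shared across web servers (a database or cache with a TTL), and the signature is checked before the nonce so that unauthenticated traffic cannot grow it.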

 


Origin www.cnblogs.com/zxf100/p/12418328.html