API系统的安全性| PHP 语言
我为我的网站制作了一个 API 脚本,这样人们就可以从另一个网站登录。 它使用 PHP cuRL 将数据发布到我的网站。
我正在使用 api 密钥(网站的 md5 哈希值)通过我的 MySQL 数据库验证网站。 但是,当有人使用我的 API 客户端(PHP cURL)时,他们还可以保存我的用户的用户名和密码。
我怎样才能防止这种情况?
I have made a API script for my website, so people can login from another website.
It's using PHP cuRL to POST data to my website.
I'm using a api key (md5 hash of the website) to verify the website with my MySQL database.
But when someone is using my API Client (PHP cURL), they also can save the username's and passwords of my user's.
How can i prevent this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您可能需要考虑使用OAuth。它专为您想做的事情而设计。
You might want to consider using OAuth. It's designed for exactly what you want to do.
如果有人在您自己的网站以外的网站上输入他们的用户名和密码,您无法阻止该网站的所有者捕获它......
I someone is typing their username and password onto a website other than your own, there is no way for you to prevent the owner of the website from capturing it...
您需要做的是让您的站点为用户帐户生成一组安全的凭据,类似于用户名/密码,但仅供 API 使用。此外,还要防止这组新凭据能够执行删除用户帐户或更改电子邮件地址等操作。
此外,如果用户愿意,还可以让用户能够更改其 API 凭据(以防第三方获得该凭据并且用户不再希望他们具有访问权限)。
What you'll want to do is have your site generate a secure set of credentials for the users account, similar to a username/password, but only to be used by the API. Also, prevent this new set of credentials from having the ability to do things like delete the user's account or change email address.
Also, give the users the ability to have their API credentials changed if they want (in case a third party gets it and the user no longer wants them to have access).