php - secure access to file

Developer https://www.devze.com 2023-03-14 08:52 Source: web

I have an iphone application that gets data from a set of php files. The php files return XML based on the query string parameters. What would be the best way to secure and restrict access to these "web services"?

Thank you!

Edit: The server is running CentOS/Apache and I would like to limit access so that only the application will be able to access the files. I don't want the files to be accessible from outside of the application. (The application will be ported to android and blackberry as well).


You could generate a hash in your iPhone application that gets passed along with the other query string parameters. The hash should include a "key" (or "shared secret") that's only known by the web server and the iPhone application as well as one or more of the query string parameters that are passed.

The PHP script that will receive the information can then regenerate the hash since it knows the "key". If the "key" matches the one in the query string, the request is valid and came from an iPhone, otherwise it didn't.

Update: To prevent someone from using the same query string to request the same information over and over again, you can add an "expiry" timestamp to the query string and hash and check that the request hasn't expired if the hash is valid.

I can't provide Objective-C, but your PHP script could look like this:

<?php

// Recompute the hash from the shared secret plus the same parameters the client hashed.
$hash = md5('SHAREDSECRET'.$_REQUEST['expiry'].$_REQUEST['param1'].$_REQUEST['param2']);

// The parameter in the URL is named "hash"; the original looked up $_REQUEST['$hash'],
// which in single quotes is the literal key "$hash" and is never set.
// hash_equals() gives a constant-time comparison instead of a loose != check.
if ( !isset($_REQUEST['hash'], $_REQUEST['expiry'])
  || !hash_equals($hash, (string)$_REQUEST['hash'])
  || time() > (int)$_REQUEST['expiry'] )
  die('Invalid request.');

// Some additional code here for valid requests.

?>

Based on the example above, you'd want the iPhone application to create an MD5 hash of the shared secret ("SHAREDSECRET" in this case), "param1", and "param2" and include it in the request to the PHP file.

The URL that the iPhone requests should look like this:

http://example.org/file.php?hash=value&expiry=timestamp&param1=value&param2=value

Of course the "key" itself wouldn't be passed in the query string, making it difficult for someone to figure out how to get to your information (unless it's through the iPhone app, of course).


As a first step, you can check if the user-agent matches that of the iPhone.

In our case, we compute a hash of a static query param (or path string) combined with a salt and send that as an extra query param. We do the same check on the PHP side to check whether the hash is the same. This can be used for any client, but you could have different salt values for each client that talks to your PHP service.

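Both answers describe the same mechanism: the client derives a value from a secret it shares with the server plus the request parameters, and the PHP side recomputes it. The following is an added example, not code from either answer. It swaps the md5 concatenation for HMAC-SHA256 (which is what a keyed hash should be), canonicalizes the parameters so their order does not matter, adds the expiry from the first answer, and adds a single-use nonce so a captured URL cannot be replayed within the expiry window. The constant names, the `sig`/`nonce` parameter names, and the in-memory nonce store are assumptions; in a real deployment the secret comes from server configuration and the nonce store is a database or cache. Note what this does and does not buy you: a secret compiled into a shipped app can be recovered by anyone who unpacks the binary, so this scheme authenticates a build of the app, not a user, and is a raise-the-bar control rather than a hard boundary.

```php
<?php
// Added example, not from the original answers. Shows the client signing step
// and the server verification step together so the file runs stand-alone
// from the CLI (php signed_request.php).
// Assumptions: SHARED_SECRET is a placeholder for a value loaded from server
// configuration; $seenNonces stands in for a persistent nonce store.

const SHARED_SECRET     = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'; // placeholder
const VALIDITY_SECONDS  = 60;   // how long a signed URL stays usable
const MAX_SKEW_SECONDS  = 300;  // reject expiries set absurdly far ahead

// Canonical form: sorted key=value pairs, URL-encoded, signature excluded.
// Client and server must hash exactly the same bytes.
function canonicalize(array $params): string
{
    unset($params['sig']);
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode((string)$k) . '=' . rawurlencode((string)$v);
    }
    return implode('&', $pairs);
}

// Client side: attach expiry and nonce, then sign with HMAC-SHA256.
function signRequest(array $params, string $secret, int $now): array
{
    $params['expiry'] = $now + VALIDITY_SECONDS;
    $params['nonce']  = bin2hex(random_bytes(16));   // single-use token
    $params['sig']    = hash_hmac('sha256', canonicalize($params), $secret);
    return $params;
}

// Server side: check signature, expiry window, and nonce freshness.
// In a web handler $params would be $_GET; the store is passed by reference
// so the demonstration below can observe the replay being rejected.
function verifyRequest(array $params, string $secret, int $now, array &$seenNonces): bool
{
    if (!isset($params['sig'], $params['expiry'], $params['nonce'])) {
        return false;
    }
    $expected = hash_hmac('sha256', canonicalize($params), $secret);
    // Constant-time comparison; never compare MACs with == or !=.
    if (!hash_equals($expected, (string)$params['sig'])) {
        return false;
    }
    $expiry = (int)$params['expiry'];
    if ($now > $expiry || $expiry > $now + MAX_SKEW_SECONDS) {
        return false;   // expired, or expiry too far in the future
    }
    if (isset($seenNonces[$params['nonce']])) {
        return false;   // same signed URL seen before: replay
    }
    // Entries only need to live until their expiry has passed.
    $seenNonces[$params['nonce']] = $expiry;
    return true;
}

// Demonstration with constructed parameters.
$seen = [];
$now  = time();
$signed = signRequest(['param1' => 'abc', 'param2' => '42'], SHARED_SECRET, $now);
echo 'Query string: ', http_build_query($signed), PHP_EOL;

echo 'valid request:     ';
var_dump(verifyRequest($signed, SHARED_SECRET, $now, $seen));

$tampered = $signed;
$tampered['param2'] = '43';          // changed after signing
echo 'tampered param:    ';
var_dump(verifyRequest($tampered, SHARED_SECRET, $now, $seen));

echo 'replayed request:  ';
var_dump(verifyRequest($signed, SHARED_SECRET, $now, $seen));

$fresh = [];
echo 'expired request:   ';
var_dump(verifyRequest($signed, SHARED_SECRET, $now + VALIDITY_SECONDS + 1, $fresh));
```

The second answer's per-client salt maps directly onto this: keep one secret per client platform and pick it from a `client` parameter that is itself part of the signed string. The nonce store needs periodic pruning of entries whose expiry has passed, and the server clock should be synchronized, since the expiry check depends on it.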