{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 叛逆 的问题《PHP API Key Generator》','https://www.manongdao.com/q-106353.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Does anyone know of any API key generator script/class for PHP? The class should have method generate, that would generate a key and isValid() method, to check if the key is valid.
相关问题
- Views base64 encoded blob in HTML with PHP
- Laravel Option Select - Default Issue
- PHP Recursively File Folder Scan Sorted by Modific
- Can php detect if javascript is on or not?
- Using similar_text and strpos together
GUID would work but is not cryptographically secure.
Server answers use md5 or sha1 hashing methods on microtime() or mt_rand.
Hashing a uniqid, uuid or timestamp would not necessarily create unique results! Actually hashing increases the chance of collisions so I would strongly advise against this.
There are multiple ways to generate API keys. I've used following 3 methods depending on the applications,
Base62(random). Generate a large secure random number and Base-62 encode it. The key looks like "w5vt2bjzf8ryp63t". This is good for self-provisioned system. You don't have to worry about collision and inappropriate keys. You have to check database to know if the key is valid.
Base62(MD5-HMAC(key, Normalize(referer))). This works great if the API is only allowed from one site. Just check the HMAC of the normalized referer and you know if the key is valid, no database access. You need to keep the HMAC key secret to do this.
Human assigned friendly names like "example.com". This works great if API users are required to own a domain or they are your corporate partners.
Please keep in mind that there is no security in API keys. It's just a name assigned to your API application. More and more people are using terms like "App ID" or "Dev ID" to reflect what it really is. You have to assign another secret key if you want secure your protocol, like
consumer_key/consumer_secretin OAuth.Well as it has been mentioned, it is all dependant on the situation. One method that I needed to use was to authenticate a referer url with a specifically assigned API key. So with the API key all that was really needed was (pseudo)
key = md5(referer url + name + salt)which you then can have a checksum for. I know it has been mentioned similar to this before, but it is just that way. As for the isValid() function, all you need to do with this is compare it against the checksum and URL.Edit: Just realised the age of the original question :S
Here is my simple answer to this question:
just use something like this (pseudo code)
sha1(salt + time + mac-addr + another salt + some other random data)crc32 or md5 would also work inestead of sha1 and store it in a database and then isValid() checks the db if the key exists?See
uniqid: