I'd like to restrict access to a PHP file on my server. This PHP file takes data from an HTTP GET request and appends it to a file. Simple. But I don't want this PHP file executed unless the HTTP request is generated from within the smartphone app I've developed.
I don't want to authenticate each user individually. I want my app, and only my app, to be able to send the request to the PHP file. I don't want people typing a similarly formed request (http://www.mydomain.com/check.php?string=blahblahblah) into a browser and having the same impact.
I have thought about checking the HTTP_USER_AGENT, or some other variable, but I fear that they might be easy to spoof too. I could embed a key into my app that I look for, but that key could also be compromised.
The next step would be to have the server send me a challenge to which I respond appropriately. Or I could even look into PKI. But what's a relatively easy way to do this, given that I am not trying to protect anything of real value, just to prevent minor vandalism?
Am I trying to reinvent the wheel here? Is there already an easy, proven way to do this?
Firstly, you would need to implement SSL in your app, or else someone with little knowledge could simply have their phone connected to their Wi-Fi and sniff the traffic between the app and your site with Wireshark or Cain and Abel, etc., and get the URL and any parameters passed; no need to disassemble anything.
The app connects to your site and the user logs in. Whether it's a guest or a member, your server assigns the app a request ID, and this key/token is passed along with every request and validated within a session on your server.
The token would look like:
UNIQUE_REQUEST_ID_ASSIGNED_BY_SERVER:APPsIP:APPsTIME
Encrypt this string and send it as $_GET['token']
Then on your server decrypt the string and explode() the string into its parts, and check against a database or session that the request ID, IP and time match, etc. If all is good, do whichever. Much like a secure login system, assign a unique salt for each user and store that alongside the user's request ID.
The bottom line is, just make it hard for an abuser to abuse the system. 99% of people won't even think to fiddle, and the other 1% get their IPs blocked.
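A sketch of the server-side check this answer describes, added here as an example and not code from the answer: it assumes the server issues the encrypted REQUEST_ID:IP:TIME token at login and uses AES-256-GCM from PHP's OpenSSL extension. The function names, MAX_AGE and the sample values are hypothetical.

```php
<?php
// Added example; issue_token(), verify_token() and MAX_AGE are hypothetical names.
const CIPHER  = 'aes-256-gcm'; // authenticated, so an edited token fails to decrypt
const MAX_AGE = 300;           // assumed validity window in seconds

// Build REQUEST_ID:IP:TIME and encrypt it under a key that never leaves the server.
function issue_token(string $key, string $requestId, string $ip, int $now): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($requestId . ':' . $ip . ':' . $now, CIPHER, $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    return bin2hex($iv . $tag . $ct); // hex is safe to pass in a query string
}

// Decrypt, explode() into parts, and compare each part with what the server expects.
function verify_token(string $key, string $token, string $expectedId, string $ip, int $now): bool
{
    if (strlen($token) <= 56 || strlen($token) % 2 !== 0 || !ctype_xdigit($token)) {
        return false; // not a well-formed hex token (12-byte IV + 16-byte tag + data)
    }
    $raw   = hex2bin($token);
    $plain = openssl_decrypt(substr($raw, 28), CIPHER, $key, OPENSSL_RAW_DATA,
                             substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        return false; // tampered with, or encrypted under another key
    }
    $parts = explode(':', $plain);
    if (count($parts) < 3) {
        return false;
    }
    $id      = array_shift($parts);
    $time    = array_pop($parts);
    $tokenIp = implode(':', $parts); // IPv6 addresses contain ':' themselves
    return hash_equals($expectedId, $id)
        && $tokenIp === $ip
        && ctype_digit($time)
        && abs($now - (int) $time) <= MAX_AGE;
}

// Constructed demo values: random key and ID, documentation address ranges.
$key = random_bytes(32);
$id  = bin2hex(random_bytes(8));
$t0  = 1700000000;
$tok = issue_token($key, $id, '2001:db8::1', $t0);
var_dump(verify_token($key, $tok, $id, '2001:db8::1', $t0 + 60));   // same IP, in window
var_dump(verify_token($key, $tok, $id, '203.0.113.7', $t0 + 60));   // different IP
var_dump(verify_token($key, $tok, $id, '2001:db8::1', $t0 + 3600)); // past MAX_AGE
```

In check.php the inputs would come from $_GET['token'], the request ID stored in $_SESSION at login, $_SERVER['REMOTE_ADDR'] and time().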