安全

设计不使用oauth身份验证的安全restful api

admin PHP 暂无评论 2,158 浏览

调用api客户端程序,需要在header处发送 

API_ID: 1

API_TIME: 时间戳

API_HASH:  $clienthash

$user="username";

$publicKey='hello';

$privateKey=  hash_hmac('sha256', $user, $publicKey); 需要先把客户端程序的privateKey存入数据库.

$data=json字符串.

$clienthash = hash_hmac('sha256', API_TIME.API_ID.$data, $privateKey);

API端验证:

$serverHash = hash_hmac('sha256', API_TIME.API_ID.$data, $privateKey);//到数据库查找此客户端的

                    
Read more

php上传类(安全上传类)

admin PHP 暂无评论 1,469 浏览

php上传类(安全上传类)

[php]
<?php
//php文件上传类
//author: lenix 2014.10.7<!--more-->
header("Content-Type:text/html; charset=utf-8");
date_default_timezone_set("Asia/Shanghai");

class UploadFile
{
private $imageType=["image/gif","image/jpeg","image/jpg","image/png","image/x-png","image/bmp","image/x-ms-bmp","image/pjpeg"];//图片类型
private $fileType=["application/zip","application/msexcel","application/xml","application/vnd.ms-excel","application/vnd.openxmlformats-officedocument.wordprocessingml.document","application/mspowerpoint","application/vnd.ms-powerpoint","application/pdf","application/x-shockwave-flash","application/x-rar-compressed","application/x-rar","audio/mpeg","audio/x-ms-wma","flv-application/octet-stream","audio/x-ms-wmv","video/mp4","video/x-flv","audio/x-wav","application/msword","video/mpeg"];//文件类型
private $tmpName;
private $fileName;
private $error;
private $fileSize;//上传文件大小
private $maxSize=10000000;//最大允许上传大小
private $upName;
private $upDir="uploadfile/";//上传目录

//构造函数 默认为图片上传
function __construct($upType="image")
{
$this-&gt;tmpName = $_FILES["file"]["tmp_name"];
$this-&gt;fileName …

        
Read more

apache,nginx上传目录无执行权限的设置方法

admin Nginx 暂无评论 1,611 浏览
至于为什么设置上传目录无权限这个我就不累赘了,现在比较流行的web服务有iis,apache,nginx,使用操作系统无非是windows or *nux
我们来看俩段通常对上传目录设置无权限的列子,配置如下:
复制代码代码如下:
<Directory "/var/www/upload">
<FilesMatch ".php">
Order Allow,Deny
Deny from all
</FilesMatch>
</Directory>

还有网上那个对nginx上传目录无执行权限

复制代码代码如下:
location ~ ^/upload/.*\.(php|php5)$
{
deny all;
}

这些配置表面上看起来是没什么问题的,确实在windows下可以这么说。
但是*nux就不同了,大家都是知道的*nux操作系统是区分大小写的,这里如果换成大写后缀名*.phP一类就bypasss了

这里我说下我个人的解决方法:

复制代码代码如下:
<Directory "/var/www/upload">
<FilesMatch "(?i:.php)">
        
Read more

php源码加密

admin PHP 暂无评论 515 浏览

第一种:

<?php
function encode_file_contents($filename) {
$type=strtolower(substr(strrchr($filename,'.'),1));
if('php'==$type && is_file($filename) && is_writable($filename)){// 如果是PHP文件 并且可写 则进行压缩编码
$contents = file_get_contents($filename);// 判断文件是否已经被编码处理
$contents = php_strip_whitespace($filename);
// 去除PHP头部和尾部标识…

Read more