dp0518 2019-04-18 16:04
浏览 95

安全问题 ? 使用AJAX和PHP SLIM API进行身份验证

I'm making a new PhoneGap application, in which, I like to use AJAX for making an authenticated request to my server. For example, I want to see a statement of a customer. And I'm thinking about how to do authentication and retrieving data.

Server: PHP, MYSQL, SLIM FRAMEWORK In that, I've an endpoint called info.php

App: AJAX REQUEST, made from data saved from localStorage

Server Scrypt:

    use \Psr\Http\Message\ServerRequestInterface as Request;
use \Psr\Http\Message\ResponseInterface as Response;

require 'vendor/autoload.php';


$app = new \Slim\App;
$app->get('/hello/{name}', function (Request $request, Response $response, array $args) {
    $name = $args['name'];
    $response->getBody()->write("Hello, $name");

    return $response;
});



$app->post('/aggiungi/{name}/{sur}', function (Request $request, Response $response, array $args) {
    $this->logger->addInfo("Ticket list");

    $name = $args['name'];
    $sur = $args['sur'];
    $mo = $name + $sur;

    $response->getBody()->write("Hello, ".$mo);
$headers = $request->getHeaders();
$username = $headers['PHP_AUTH_USER'][0];
$password = $headers['PHP_AUTH_PW'][0];

$user = '';
$pass = 'mypwd';
try {
    $dbh = new PDO('mysql:host=localhost;dbname=myserver', $user, $pass);
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
           $uname = $username;
          $stmt = $dbh->prepare("MYQUERY");                
          $stmt->execute(array(':uname'=>$uname));      
          $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
          if($stmt->rowCount() > 0)
          {
             if(password_verify($password, $userRow['password'])){      

           // AUTHENTICATED GO ON;
                $a =  "yes";          }  else   {  
                                $a = "no";
                                header("HTTP/1.1 401 Unauthorized");
                                 exit;
                }
                } else { 
                                header("HTTP/1.1 401 Unauthorized");
                                 exit;
                                 $a = "no";
                }



return "other stuff";

});

This endpoint check if in the database exits the user and the password is right. This is how i make AJAX request

var username = localStorage.username;
var password = localStorage.password;

beforeSend: function (xhr) {
        xhr.setRequestHeader ("Authorization", "Basic " + btoa(username + ":" + password));
    },

Then, I would know if it is secure and if you can give me an advice on how to work.

  • 写回答

0条回答 默认 最新

    报告相同问题?

    悬赏问题

    • ¥15 程序不包含适用于入口点的静态Main方法
    • ¥15 素材场景中光线烘焙后灯光失效
    • ¥15 请教一下各位,为什么我这个没有实现模拟点击
    • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
    • ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
    • ¥20 有关区间dp的问题求解
    • ¥15 多电路系统共用电源的串扰问题
    • ¥15 slam rangenet++配置
    • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
    • ¥15 ubuntu子系统密码忘记