dongye9071 2014-05-24 17:57 Acceptance rate: 0%
Views: 53
Accepted

Protecting third-party API credentials in a PHP include

I am writing a series of functions to interact with third-party APIs that will be included in other PHP scripts. Most of these third-party APIs use token-based authentication, so I would like to store these tokens within the function, but I’m wondering what the best practices are for preventing exploitation of those functions in the included file.

For example, in a script called ~/public_html/includes/functions.php I would define some functions that call a public API using cURL, and then return some sort of response from the API. Then, within my app, I would include ~/public_html/includes/functions.php and call the functions to interact with the third-party APIs.

My concern is what if someone else includes http://www.example.com/includes/functions.php in their script, and starts calling my functions to make API calls using my credentials? Should functions.php live somewhere else, perhaps outside of the ~/public_html dir? Or perhaps I can use UNIX permissions to prevent anyone but my own apps to include the functions.php script?


1 answer

  • doutang7383 2014-05-24 18:14

    My concern is what if someone else includes http://www.example.com/includes/functions.php in their script, and starts calling my functions to make API calls using my credentials? Should functions.php live somewhere else, perhaps outside of the ~/public_html dir? Or perhaps I can use UNIX permissions to prevent anyone but my own apps to include the functions.php script?

    You are mixing up a lot of things here. And the long story short: You should not worry. I gave a full explanation on how include works with URLs in this answer. Below is a summary for your purposes.

    Specifically, while one could use include to include full URLs like include('http://www.google.com/'); the only thing you get from that include is the final rendered content of the page. 100% none of the functions, classes, variables, strings, constants or anything contained in the internals of that PHP code. Or as very clearly explained in the PHP documentation you are linking to; emphasis mine:

    If "URL include wrappers" are enabled in PHP, you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

    So you cannot include credentials remotely—or any PHP internals—in the way you describe. The only way that could happen is if ~/public_html/includes/functions.php were included locally. That is when PHP internals are exposed.

    Or the better way to understand this: When you request a PHP file via http:// or https:// it is parsed & processed via the PHP module in Apache. So it only returns the final product—if any—most often conveyed by an echo statement.

    But when you include a file via the local file system it is not parsed by the PHP module in Apache. It is simply raw code. And that is how you can use the functions, classes, variables, strings, constants and anything contained in the internals of that PHP code.

    This answer was selected by the asker as the best answer.
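The answer above settles the remote-include worry; the asker's second question (where the file should live) still deserves a concrete layout. The following is an added example, not code from the original post or its author. It keeps the token in a config file outside the document root, guards the helper library so a direct HTTP request for it emits an empty 404 body, and then shows the two behaviours the answer describes: a local include defines the function in-process, while running the same file as a requested script renders nothing a remote includer could use. The directory layout (~/private, ~/public_html), the file names config.php, api_functions.php and index.php, and the function third_party_headers() are assumptions for illustration; the token is a constructed placeholder.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. The layout (~/private for
// credentials, ~/public_html as document root) and the names config.php,
// api_functions.php, index.php and third_party_headers() are assumptions.

// Build the layout in a temporary directory so the script runs stand-alone.
$root = sys_get_temp_dir() . '/phpinc_' . bin2hex(random_bytes(4));
mkdir("$root/private", 0700, true);      // outside the document root
mkdir("$root/public_html", 0755, true);  // document root

// private/config.php: the only file that contains the token. Nothing under
// public_html holds it, so a mis-configured PHP handler or a stray .php.bak
// copy in the web root cannot serve it as raw text.
file_put_contents("$root/private/config.php", <<<'PHP'
<?php
return ['api_token' => 'example-token-not-real']; // constructed placeholder
PHP
);

// private/api_functions.php: the helper library the app includes by path.
file_put_contents("$root/private/api_functions.php", <<<'PHP'
<?php
// If a web request ever targets this file directly, emit an empty 404 body.
// A remote include only ever receives what this script echoes.
if (PHP_SAPI !== 'cli' && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(404);
    exit;
}

function third_party_headers(): array
{
    static $config = null;
    if ($config === null) {
        $config = require __DIR__ . '/config.php';
    }
    // Headers a cURL call to the API would send; the token exists only here.
    return ['Authorization: Bearer ' . $config['api_token'], 'Accept: application/json'];
}
PHP
);

// public_html/index.php: the app pulls the library in through the filesystem,
// which is the only way the function (and the token) enter this process.
file_put_contents("$root/public_html/index.php", <<<'PHP'
<?php
require __DIR__ . '/../private/api_functions.php';
echo count(third_party_headers()), " headers ready\n";
PHP
);

// 1) Local include: the function is now defined in this process.
ob_start();
include "$root/public_html/index.php";
$appOutput = trim((string) ob_get_clean());
printf("local include -> %s; function defined: %s\n",
    $appOutput, var_export(function_exists('third_party_headers'), true));

// 2) What a remote include of the library would receive: only the rendered
// output of running it as the requested script. Simulate that in a fresh
// process and capture the body the server would send.
$cmd = sprintf('%s -d display_errors=0 %s',
    escapeshellarg(PHP_BINARY), escapeshellarg("$root/private/api_functions.php"));
$rendered = (string) shell_exec($cmd);
printf("rendered body: %d bytes; token present: %s\n",
    strlen($rendered), var_export(strpos($rendered, 'example-token') !== false, true));

// Clean up the temporary layout.
foreach (["$root/public_html/index.php", "$root/private/api_functions.php",
          "$root/private/config.php"] as $f) {
    unlink($f);
}
rmdir("$root/public_html");
rmdir("$root/private");
rmdir($root);
```

Run it with `php demo.php` (PHP 7.3 or newer for the heredoc form). The first line reports that the local include defined the function and could build the authenticated headers; the second reports a zero-byte rendered body with no token in it, which is all an `include 'http://www.example.com/includes/functions.php'` on someone else's server would ever get. On a real deployment the same separation means only files under public_html are reachable over HTTP at all, and the 0700 mode on the private directory restricts the token to the account the application runs as.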
