douju6542 2014-04-11 22:43
Views: 34

Are there any flaws in using an MD5 of username + gibberish for JSON requests?

So let's say I have "site1.mysite.com", "site2.mysite.com", etc. I want people (developers) to access some of the data via PHP generated JSON, but I also don't want to have to set up user accounts, sign ins, blah blah blah.

I don't want it to be open for "everybody".

What I started doing was this:

Users need to add "&user=somethingigivethem" and "key=somethingelseigivethem". These are values I provide to the user.

The key is currently the MD5 hash of the "user" and something like "53CR37P$%%" so basically:

<?php
// Recompute the expected key from the supplied user name and the fixed secret string.
$key_validator = md5($_GET['user'].'53CR37P$%%');

// Strict comparison of the supplied key against the recomputed one.
if($_GET['key'] === $key_validator){ 
    //show JSON 
} else {
    //show error 
}

Are there any major flaws in doing it this way?


3 answers

  • duanfanta6741 2014-04-11 22:50

    So basically, if Joe Developer wants access, you give him a username and a key (which is an MD5 hash of his name + your salt). Joe can then make requests to your data.

    If Joe wants to (i.e. takes the time) he can probably figure out your hashing scheme just by trying different combinations of his username & salt values. And once he does, he'll know your salt and can access any other user's data.

    I guess the question is: how valuable is this data? If you don't really care if other people get access and you really just want to keep out people who aren't too motivated to get your data, then this will work.

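The weakness the answer describes, and one way to avoid it, as an added example that is not part of the original question or answer. It models the question's PHP check in Python: the "before" derives every key from one shared secret (the string quoted in the question), while the hardened variant (my construction, not something the asker uses) issues each developer an independent random key, stores only its digest, and compares in constant time, so keys can be revoked one at a time and one leaked key says nothing about the others.

```python
import hashlib
import hmac
import secrets

# The fixed string is the one quoted in the question; every user's key depends on it.
SITE_SECRET = "53CR37P$%%"


def weak_key(user):
    """Scheme from the question: key = md5(user . secret).

    Because the same secret feeds every key, whoever learns the secret can
    compute any other user's key, and no single user can be revoked without
    changing the secret for everyone."""
    return hashlib.md5((user + SITE_SECRET).encode()).hexdigest()


def weak_check(user, key):
    # Plain == comparison, as in the question; kept as the "before".
    return key == weak_key(user)


# Hardened variant (added here): per-user random keys, digests stored server-side.
KEY_STORE = {}


def issue_key(user):
    key = secrets.token_hex(32)  # 256 random bits, unrelated to the user name
    KEY_STORE[user] = hashlib.sha256(key.encode()).hexdigest()  # store only a digest
    return key  # hand this to the developer once


def check_key(user, key):
    stored = KEY_STORE.get(user)
    if stored is None:
        return False
    candidate = hashlib.sha256(key.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def revoke_key(user):
    KEY_STORE.pop(user, None)


if __name__ == "__main__":
    # Weak scheme: bob's key follows directly from the secret used for alice.
    print("alice:", weak_key("alice"), "bob:", weak_key("bob"))
    # Hardened scheme: independent keys, individually revocable.
    alice_key, bob_key = issue_key("alice"), issue_key("bob")
    revoke_key("bob")
    print(check_key("alice", alice_key), check_key("bob", bob_key))  # True False
```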
