安全问题 ? 使用AJAX和PHP SLIM API进行身份验证

I'm making a new PhoneGap application, in which, I like to use AJAX for making an authenticated request to my server. For example, I want to see a statement of a customer. And I'm thinking about how to do authentication and retrieving data.

Server: PHP, MYSQL, SLIM FRAMEWORK In that, I've an endpoint called info.php

App: AJAX REQUEST, made from data saved from localStorage

Server Scrypt:

    use \Psr\Http\Message\ServerRequestInterface as Request;
use \Psr\Http\Message\ResponseInterface as Response;

require 'vendor/autoload.php';


$app = new \Slim\App;
$app->get('/hello/{name}', function (Request $request, Response $response, array $args) {
    $name = $args['name'];
    $response->getBody()->write("Hello, $name");

    return $response;
});



$app->post('/aggiungi/{name}/{sur}', function (Request $request, Response $response, array $args) {
    $this->logger->addInfo("Ticket list");

    $name = $args['name'];
    $sur = $args['sur'];
    $mo = $name + $sur;

    $response->getBody()->write("Hello, ".$mo);
$headers = $request->getHeaders();
$username = $headers['PHP_AUTH_USER'][0];
$password = $headers['PHP_AUTH_PW'][0];

$user = '';
$pass = 'mypwd';
try {
    $dbh = new PDO('mysql:host=localhost;dbname=myserver', $user, $pass);
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
           $uname = $username;
          $stmt = $dbh->prepare("MYQUERY");                
          $stmt->execute(array(':uname'=>$uname));      
          $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
          if($stmt->rowCount() > 0)
          {
             if(password_verify($password, $userRow['password'])){      

           // AUTHENTICATED GO ON;
                $a =  "yes";          }  else   {  
                                $a = "no";
                                header("HTTP/1.1 401 Unauthorized");
                                 exit;
                }
                } else { 
                                header("HTTP/1.1 401 Unauthorized");
                                 exit;
                                 $a = "no";
                }



return "other stuff";

});

This endpoint check if in the database exits the user and the password is right. This is how i make AJAX request

var username = localStorage.username;
var password = localStorage.password;

beforeSend: function (xhr) {
        xhr.setRequestHeader ("Authorization", "Basic " + btoa(username + ":" + password));
    },

Then, I would know if it is secure and if you can give me an advice on how to work.

doubeng9407
doubeng9407 SO的工作代码不是主题。您可以在codereview.stackexchange.com上询问,但请务必在发布之前阅读有关主题的问题。
一年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问