dp0518 2019-04-18 16:04
浏览 95

安全问题 ? 使用AJAX和PHP SLIM API进行身份验证

I'm making a new PhoneGap application, in which, I like to use AJAX for making an authenticated request to my server. For example, I want to see a statement of a customer. And I'm thinking about how to do authentication and retrieving data.

Server: PHP, MYSQL, SLIM FRAMEWORK In that, I've an endpoint called info.php

App: AJAX REQUEST, made from data saved from localStorage

Server Scrypt:

    use \Psr\Http\Message\ServerRequestInterface as Request;
use \Psr\Http\Message\ResponseInterface as Response;

require 'vendor/autoload.php';


$app = new \Slim\App;
$app->get('/hello/{name}', function (Request $request, Response $response, array $args) {
    $name = $args['name'];
    $response->getBody()->write("Hello, $name");

    return $response;
});



$app->post('/aggiungi/{name}/{sur}', function (Request $request, Response $response, array $args) {
    $this->logger->addInfo("Ticket list");

    $name = $args['name'];
    $sur = $args['sur'];
    $mo = $name + $sur;

    $response->getBody()->write("Hello, ".$mo);
$headers = $request->getHeaders();
$username = $headers['PHP_AUTH_USER'][0];
$password = $headers['PHP_AUTH_PW'][0];

$user = '';
$pass = 'mypwd';
try {
    $dbh = new PDO('mysql:host=localhost;dbname=myserver', $user, $pass);
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
           $uname = $username;
          $stmt = $dbh->prepare("MYQUERY");                
          $stmt->execute(array(':uname'=>$uname));      
          $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
          if($stmt->rowCount() > 0)
          {
             if(password_verify($password, $userRow['password'])){      

           // AUTHENTICATED GO ON;
                $a =  "yes";          }  else   {  
                                $a = "no";
                                header("HTTP/1.1 401 Unauthorized");
                                 exit;
                }
                } else { 
                                header("HTTP/1.1 401 Unauthorized");
                                 exit;
                                 $a = "no";
                }



return "other stuff";

});

This endpoint check if in the database exits the user and the password is right. This is how i make AJAX request

var username = localStorage.username;
var password = localStorage.password;

beforeSend: function (xhr) {
        xhr.setRequestHeader ("Authorization", "Basic " + btoa(username + ":" + password));
    },

Then, I would know if it is secure and if you can give me an advice on how to work.

  • 写回答

0条回答 默认 最新

    报告相同问题?

    悬赏问题

    • ¥60 更换迈创SOL6M4AE卡的时候,驱动要重新装才能使用,怎么解决?
    • ¥15 让node服务器有自动加载文件的功能
    • ¥15 jmeter脚本回放有的是对的有的是错的
    • ¥15 r语言蛋白组学相关问题
    • ¥15 Python时间序列如何拟合疏系数模型
    • ¥15 求学软件的前人们指明方向🥺
    • ¥50 如何增强飞上天的树莓派的热点信号强度,以使得笔记本可以在地面实现远程桌面连接
    • ¥20 双层网络上信息-疾病传播
    • ¥50 paddlepaddle pinn
    • ¥20 idea运行测试代码报错问题