dp0518 2019-04-18 16:04
浏览 95

安全问题 ? 使用AJAX和PHP SLIM API进行身份验证

I'm making a new PhoneGap application, in which, I like to use AJAX for making an authenticated request to my server. For example, I want to see a statement of a customer. And I'm thinking about how to do authentication and retrieving data.

Server: PHP, MYSQL, SLIM FRAMEWORK In that, I've an endpoint called info.php

App: AJAX REQUEST, made from data saved from localStorage

Server Scrypt:

    use \Psr\Http\Message\ServerRequestInterface as Request;
use \Psr\Http\Message\ResponseInterface as Response;

require 'vendor/autoload.php';


$app = new \Slim\App;
$app->get('/hello/{name}', function (Request $request, Response $response, array $args) {
    $name = $args['name'];
    $response->getBody()->write("Hello, $name");

    return $response;
});



$app->post('/aggiungi/{name}/{sur}', function (Request $request, Response $response, array $args) {
    $this->logger->addInfo("Ticket list");

    $name = $args['name'];
    $sur = $args['sur'];
    $mo = $name + $sur;

    $response->getBody()->write("Hello, ".$mo);
$headers = $request->getHeaders();
$username = $headers['PHP_AUTH_USER'][0];
$password = $headers['PHP_AUTH_PW'][0];

$user = '';
$pass = 'mypwd';
try {
    $dbh = new PDO('mysql:host=localhost;dbname=myserver', $user, $pass);
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
           $uname = $username;
          $stmt = $dbh->prepare("MYQUERY");                
          $stmt->execute(array(':uname'=>$uname));      
          $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
          if($stmt->rowCount() > 0)
          {
             if(password_verify($password, $userRow['password'])){      

           // AUTHENTICATED GO ON;
                $a =  "yes";          }  else   {  
                                $a = "no";
                                header("HTTP/1.1 401 Unauthorized");
                                 exit;
                }
                } else { 
                                header("HTTP/1.1 401 Unauthorized");
                                 exit;
                                 $a = "no";
                }



return "other stuff";

});

This endpoint check if in the database exits the user and the password is right. This is how i make AJAX request

var username = localStorage.username;
var password = localStorage.password;

beforeSend: function (xhr) {
        xhr.setRequestHeader ("Authorization", "Basic " + btoa(username + ":" + password));
    },

Then, I would know if it is secure and if you can give me an advice on how to work.

  • 写回答

0条回答

    报告相同问题?

    悬赏问题

    • ¥15 oracle集群安装出bug
    • ¥15 关于#python#的问题:自动化测试
    • ¥20 问题请教!vue项目关于Nginx配置nonce安全策略的问题
    • ¥15 教务系统账号被盗号如何追溯设备
    • ¥20 delta降尺度方法,未来数据怎么降尺度
    • ¥15 c# 使用NPOI快速将datatable数据导入excel中指定sheet,要求快速高效
    • ¥15 再不同版本的系统上,TCP传输速度不一致
    • ¥15 高德地图2.0 版本点聚合中Marker的位置无法实时更新,如何解决呢?
    • ¥15 DIFY API Endpoint 问题。
    • ¥20 sub地址DHCP问题