PHP使用MD5保护$ _GET函数

I'm using a $_GET function in php to perform functions for my Java server.

The website is similar to this: http://api.somewebsite.com/perform/function.php?authkey1=randomMD5&authkey2=randomMD5&parameters=something

Where the variables authkey1 and authkey2 represent a randomly generated MD5. The PHP script does connect to MySQL, and I've already prevented injection. However, before anything else gets parsed by the code, the URL has to include those 2 authkeys or else they get a message saying, "Improper authentication".

Here's an example of what my code does:

// Security key check
$key1 = "skghlskfhgj42u6928749856478937683471095sndgfnsvnrandom";
$key2 = "dbnksgh794ytowhjklgn934ngmsnnmlrj9096345u075u80375ngsr";

$g_key1 = $_GET['authkey1'];
$g_key2 = $_GET['authkey2'];

if (empty($g_key1) || empty($g_key2)) {
die("Improper authorization");
}

if ($g_key1 != $key1 || $g_key2 != $key2) {
die("Improper authorization");
}

// If authentication passes, move on to other functions

Is this method secure or not? Thanks!

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
doulingzhuang3079 2013-12-24 16:03
关注
No, that method is not secure, but rather "security by obscurity".

First and most important, use TLS/SSL. Second, find a 3rd party library to handle request authentication for you. I couldn't find one that did what I needed, so I put one together myself.

The library is called Query Auth and I wrote it to handle this exact use case. It's a generic implementation of the Signature Version 2 implementation from the AWS SDK for PHP 2. It handles API key and API secret generation, signature creation and validation, and can optionally protect against replay attacks. Documentation and an example implementation are available.

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

求解释一下这段php代码 php
2017-06-20 00:12

回答 3 已采纳你好，意思是，COOKIE信息是md5是加密后的字符串，$secret.urldecode(...)中那个点是字符串拼接
Laravel 5登录问题与第二个哈希函数 php
2015-05-19 15:11

回答 1 已采纳 If your intention is to add extra security, there are better ways to improve the scheme, they woul
$ .getJSON函数不能与php json_encoded数组一起使用 jquery json php
2012-08-24 19:26

回答 1 已采纳 Assuming the json is retrieved properly and processed by jquery, then it's just another javascript
php的md5函数漏洞,PHP中MD5函数漏洞
2021-04-28 07:36

意呆的博客题目描述一个网页，不妨设URL为http://haha.com，打开之后是这样的if (isset($_GET['a']) and isset($_GET...= $_GET['b']) {if (md5($_GET['a']) === md5($_GET['b'])) {echo ('Flag: '.$flag);}else {echo 'Wrong....
如果登录成功，我如何使用header（）函数重定向到索引？ php
2019-04-21 19:40

回答 1 已采纳 You echoed, before the redirect header, that's why you're getting that message. What you want to a
我可以使用函数md5_file在上传时命名文件而不会与名称冲突吗？ php
2014-04-13 09:04

回答 4 已采纳 Well, of course you can do this, in fact this is the way I use to avoid file duplications (and I m
如何使用php函数在标签上显示数据库内的数据 html5 php
2016-09-02 21:49

回答 1 已采纳 Ok, i found it. // Strings can be passed individually as multiple arguments echo 'This ', 'string
MD5 函数的绕过
2022-04-08 20:48

菜菜zhao的博客 1. MD5函数漏洞 $_GET['a'] != $_GET['b'] && MD5($_GET['a']) == MD5($_GET['b']) 要让上面的等式成立，a和b的值不能相等，但是md5后的值相等。因为是==比较，只判断值是否相等，不判断类型是否相同。...
在PHP中向RESTlet发送GET请求时NetSuite“INVALID_LOGIN错误” php
2019-04-04 21:13

回答 1 已采纳 Adding the id parameter to the base string after the deploy ID resolved the issue. I was adding it
为我的所有类实现/扩展/继承/ ...相同的__get和__set函数 php
2011-06-22 22:38

回答 3 已采纳 If I understand you correctly you would like to automate the handing of the property array within
插入表 - 错误：调用本机函数'md5'时参数计数不正确 mysql php
2013-01-30 12:22

回答 3 已采纳 Problem is here : $sql = 'INSERT INTO users (user_email, user_name, user_password)
php的md5函数漏洞,sha1和md5函数漏洞
2021-04-28 07:36

weixin_39805539的博客 sha1函数和md5函数比较绕过在CTF比赛中经常遇到利用sha1()和md5()函数漏洞的题，先看一段代码：123456789101112
如何从wordpress中的自定义网关中的process_payment函数进行重定向？ php
2016-07-05 00:00

回答 2 已采纳 using pur javascript you can achieve this goal. Instead of using this code <script type="text/
MD5&sha1绕过
2023-02-07 21:44

slawgut的博客 md5绕过 sha1绕过 fastcoll
CTF中常见php-MD5()函数漏洞
2018-10-11 20:21

Felix_zc的博客 CTF中常见php-MD5()函数漏洞 1.数字与字符串之间的比较 var_dump( 0 == "a" ); var_dump( "0" == "a" ); 第一个返回的是 true ，第二个返回的是 false 因为php把字母开头的转化为...
没有解决我的问题, 去提问

悬赏问题

¥15 基于卷积神经网络的声纹识别
¥15 Python中的request，如何使用ssr节点，通过代理requests网页。本人在泰国，需要用大陆ip才能玩网页游戏，合法合规。
¥100 为什么这个恒流源电路不能恒流？
¥15 有偿求跨组件数据流路径图
¥15 写一个方法checkPerson，入参实体类Person，出参布尔值
¥15 我想咨询一下路面纹理三维点云数据处理的一些问题，上传的坐标文件里是怎么对无序点进行编号的，以及xy坐标在处理的时候是进行整体模型分片处理的吗
¥15 CSAPPattacklab
¥15 一直显示正在等待HID—ISP
¥15 Python turtle 画图
¥15 stm32开发clion时遇到的编译问题

PHP使用MD5保护$ _GET函数

2条回答 默认 最新

悬赏问题

2条回答默认最新