创建了我自己的PHP API
[英]Created my own PHP API
问题描述
Hello StackOverflow community 
您好StackOverflow社区
Currently I'm in small project, where a API is required. 目前,我在一个需要API的小型项目中。 I tested some SOAP WSDL and restFul API's, but none worked for me. 我测试了一些SOAP WSDL和restFul API,但没有一个对我有用。 So I created my own API. 因此,我创建了自己的API。 As I'm not a professional programer, I want to know if my API is unsafe. 由于我不是专业程序员,所以我想知道我的API是否不安全。
<?php
class API{
public function __construct(){
if($_SERVER['REQUEST_METHOD'] === 'POST'){
if(!empty($_POST)){
$data_array = array();
require_once('PreparePOST.php');
foreach($_POST as $key => $value)
array_push($data_array,array($value => $key));
echo new PreparePOST($data_array);
}else{return new Exception('No Data Requested');}
}else{return new Exception('Request not allowed');}
}
}$init = new API();
?>
Some serious validation and security stuff is done after PreparePOST($data_array); 在PreparePOST($ data_array)之后完成了一些认真的验证和安全性工作;
Eg only allowed parameters and character escaping. 例如,仅允许参数和字符转义。
Notice: This is only the POST implementation the GET implementation and an API Auth Token will be available later.
- What are you thinking? 你在想什么?
- Is this compete nonsense? 这是胡说八道吗?
- Where are possible security issues? 哪里可能存在安全问题?
- How can I improove my code? 如何改善我的代码?
Btw. 顺便说一句。 my project is a Tool, which transmits server infos from our customers (like HD capacity and backup logs) to our server, so we evaluate all server statistically. 我的项目是一个工具,可以将客户的服务器信息(例如HD容量和备份日志)传输到我们的服务器,因此我们可以对所有服务器进行统计评估。
Thanks for you advice 谢谢你的建议
KR KR
1 个解决方案
解决方案1
-1 已采纳 2017-03-23 10:08:28
As you say that the PreparePOST object does validation and security it would be ideal to share that code too to identify security issues. 正如您所说的, PreparePOST对象可以进行验证和安全性,也最好共享该代码以识别安全性问题。
One thing which springs to mind right away although not a security issue is that you should throw an Exception rather than return one. 尽管不是安全问题,但马上想到的一件事是,您应该throw Exception而不是return Exception 。 Also when you are initializing your API object you don't have any way to catch the exceptions which it may throw. 同样,在初始化API对象时,您将无法捕获它可能引发的异常。 See the try catch block which I've put below. 请参阅下面的try catch块。
Also the code isn't super readable, perhaps this would be better: 而且代码不是超级可读的,也许这样做会更好:
<?php
class API
{
public function __construct()
{
if($_SERVER['REQUEST_METHOD'] === 'POST')
{
if(!empty($_POST))
{
$data = array();
require_once('PreparePOST.php');
foreach($_POST as $key => $value)
{
array_push($data, array($value => $key));
}
echo new PreparePOST($data);
}
else
{
throw new Exception('No Data Requested');
}
}
else
{
throw new Exception('Request not allowed');
}
}
}
try
{
$init = new API();
}
catch(Exception $e)
{
//handle the exception here
echo $e->getMessage();
}
?>
Specific coding style is down to preference however to keep it readable and maintainable you should definitely make good use of whitespace. 特定的编码风格取决于偏好,但是要确保其可读性和可维护性,您一定要善用空白。 There's absolutely nothing gained by keeping code bunched together. 将代码捆绑在一起绝对不会获得任何好处。 In fact quite the opposite. 实际上恰恰相反。
I wouldn't say there's a need to call your $data variable $data_array . 我不会说需要调用$data变量$data_array 。 You can see from the code that it's an array, also separate arguments to functions with a comma and a space for readability , . 你可以从它是一个数组,还单独的参数用逗号和可读性空间函数的代码看, 。 (When calling array_push). (调用array_push时)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.