遮盖AmCharts外部数据URL
[英]Obscuring AmCharts External Data URL
问题描述
I am using AmCharts Wordpress plugin to generate graphs on a Wordpress page. 
我正在使用AmCharts Wordpress插件在Wordpress页面上生成图形。 To have the graph load its shape and (external) data, AmCharts uses Javascript to load on the client side when generating the graph. 为了使图形加载其形状和(外部)数据,AmCharts在生成图形时使用Javascript在客户端加载。 However, this javascript also contains the URL to the API used to retrieve the external data. 但是,此javascript还包含用于检索外部数据的API的URL。
This means that anyone can easily view the web site source code and see this link. 这意味着任何人都可以轻松查看网站源代码并查看此链接。 This is a risk as anybody can now manipulate the URL and download our full database with data. 这是一种风险,因为任何人现在都可以操纵URL并下载我们的完整数据库和数据。
I have added the first part of the JavaScript code below. 我在下面添加了JavaScript代码的第一部分。 the URL part I like to obscure is https://api.xxxxxxx.com/ 我想遮掩的网址部分是https://api.xxxxxxx.com/
Any way this is possible? 有什么可能吗? What options are available? 有哪些选项可用?
Thanks for any help! 谢谢你的帮助!
try {
// Themes begin
var chart = am4core.create("amchart1", am4charts.XYChart);
var from = Math.round(+new Date() / 1000) – 2629743;
var to = Math.round(+new Date() / 1000) + 2629743;
chart.dataSource.url = 'https://api.xxxxxxx.com/' + from + '/' + to;
chart.dataSource.events.on(“parseended”, function(ev) {
// parsed data is assigned to data source's data property
var data = ev.target.data;
for (var i = 0; i < data.length; i++) {
if(data[i]["realtime_value"] == 0)
delete data[i]["realtime_value"];
}
console.log(‘data’, data);
});
// create date axis
...
2 个解决方案
解决方案1
1 2019-03-09 06:37:39
I'm not familiar with the WordPress plugin or how it works, so all of this is completely neglecting the WP plugin. 我不熟悉WordPress插件或其工作方式,因此所有这些都完全忽略了WP插件。
My first thought is to grab the data server side and dish out it out on page load. 我的第一个想法是抓住数据服务器端并在页面加载时将其抛出。 This way the API url is obfuscated and the user is saved another HTTP call as the data is already present on the page. 这样,API URL会被混淆,并且由于页面上已经存在数据,因此可以为用户保存另一个HTTP调用。
If that is not an option, instead of providing the API call directly, create a script on your server that functions as a reverse proxy to the API. 如果这不是一个选择,那么可以直接在服务器上创建一个脚本作为API的反向代理,而不必直接提供API调用。 Your clientside calls will get the URL to your server and it's up to you how you want to secure it to whatever extent. 您的客户端调用将获得指向服务器的URL,并且由您决定如何在任意程度上保护它。
Eg chart.dataSource.url = 'https://your.site/reverse-proxy/' + from + '/' + to; 例如chart.dataSource.url = 'https://your.site/reverse-proxy/' + from + '/' + to; . 。 Then at https://your.site/reverse-proxy/ you check and clean the from & to inputs, grab the data from 'https://api.xxxxxxx.com/' + from + '/' + to (eg via curl ), and send it back to the client with appropriate eg JSON headers. 然后在https://your.site/reverse-proxy/检查并清理from和to输入,从'https://api.xxxxxxx.com/' + from + '/' + to (例如通过curl ),并使用适当的例如JSON标头将其发送回客户端。
Any of these ideas work for you? 这些想法对您有用吗?
解决方案2
1 2019-03-14 08:33:27
Thanks all for your help. 感谢你的帮助。 Appreciated. 赞赏。 In the end it seems that the only real safe option is to retrieve it first Fetch your data from a DB table using a SELECT query, then create an array that you can JSON-encode in an amCharts compatible format. 最后,似乎唯一真正安全的选择是首先检索它,然后使用SELECT查询从数据库表中获取数据,然后创建一个数组,以amCharts兼容格式对JSON编码。 Might be as simple as this: 可能像这样简单:
<script>
<?php
$sth = mysqli_query("SELECT ...");
$rows = array();
while($r = mysqli_fetch_assoc($sth)) {
$rows[] = $r;
}
print "var data = " . json_encode($rows) . ";";
?>
console.log('data from server', data);
</script>
Your actual output should then look like this: 然后,您的实际输出应如下所示:
<script>
var data = [{
"category": "1",
"value": 5
}, {
"category": "4",
"value": 10
}];
console.log('data from server', data);
</script>
All your users will see in the source code is this JSON array. 您的所有用户在源代码中都将看到此JSON数组。 No URLs, no server details. 没有URL,没有服务器详细信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.