
How to authenticate the post using curl?

I have two sites, one is a.com and the other is b.com. I am passing data using curl from a.com to b.com. I am successfully able to pass data, but the problem is I want to make it more secure, so that site b.com only responds after ensuring that the post was from site a.com. How to obtain this?

Code in site a.com

<?php
  $some_data = array(
    'message' => 'Hello World',
    'name' => 'Chad'
  ); 

  $curl = curl_init();
  // You can also set the URL you want to communicate with by doing this:
  // $curl = curl_init('http://localhost/echoservice');

  // We POST the data
  curl_setopt($curl, CURLOPT_POST, 1);
  // Set the url path we want to call
  curl_setopt($curl, CURLOPT_URL, 'http://localhost/b.com'); 
  // Make it so the data coming back is put into a string
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  // Insert the data
  curl_setopt($curl, CURLOPT_POSTFIELDS, $some_data);

  // You can also bunch the above commands into an array if you choose using: curl_setopt_array

  // Send the request
  $result = curl_exec($curl);
  // Free up the resources $curl is using
  curl_close($curl);

  echo $result;
?>

Code in B.com

<?php
  // I want to check here that the request was from a.com; if it is ensured then I want to do
  // the rest of the work
  echo 'Your message was: ' . $_REQUEST["message"] . ' and your name is: ' . $_REQUEST["name"];
?>

You could check the $_SERVER['REFERER'] property, but it's very unreliable / unsafe.

A better approach would be to set up the B site with Basic Auth, or something similar, that you can authenticate against when you make the request from site A. Then you can add basic auth to your curl request from A to B. B checks the authentication, and if correct proceeds with the rest of the processing.
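One way to wire that up, as an added example that is not part of the original answer: the a.com side sends HTTP Basic credentials with curl over HTTPS, and the b.com side compares them with hash_equals before doing any other work. The URL https://b.com/receive.php, the environment variable names B_USER and B_PASS, and the function names are assumptions.

```php
<?php
// Added example (not the original answer's code). Assumes b.com is served over
// HTTPS: Basic Auth only base64-encodes the password, it does not encrypt it,
// so over plain HTTP anyone on the path could read and reuse it.

// ---- a.com: send the POST with Basic Auth credentials ----
function post_with_basic_auth(string $url, array $data, string $user, string $pass)
{
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($data),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass,
        // Keep certificate verification on; disabling it lets anyone impersonate b.com
        // and collect the credentials.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $result = curl_exec($curl);   // false on transport error
    curl_close($curl);
    return $result;
}

// ---- b.com: reject the request before touching $_POST ----
function require_basic_auth(string $expectedUser, string $expectedPass): void
{
    // PHP_AUTH_USER / PHP_AUTH_PW are filled in by mod_php and php-fpm; under some
    // CGI setups you have to parse the Authorization header yourself (assumption: not needed here).
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    // hash_equals compares in constant time, so response timing does not leak
    // how many leading characters of the password were correct.
    if (!hash_equals($expectedUser, $user) || !hash_equals($expectedPass, $pass)) {
        header('WWW-Authenticate: Basic realm="a.com to b.com"');
        http_response_code(401);
        exit('Unauthorized');
    }
}

// Credentials come from the environment (assumed variable names), not from the source tree.
// a.com:
//   echo post_with_basic_auth('https://b.com/receive.php',
//       ['message' => 'Hello World', 'name' => 'Chad'], getenv('B_USER'), getenv('B_PASS'));
// b.com (receive.php), before any other work:
//   require_basic_auth(getenv('B_USER'), getenv('B_PASS'));
//   echo 'Your message was: ' . $_POST['message'];
```

Basic Auth proves the caller knows the password, nothing more: if the password is ever captured (a proxy, a log line, a misconfigured HTTP vhost), the captured request can be replayed as-is, so rotate it and keep b.com HTTPS-only.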

$_SERVER['REMOTE_ADDR'] would be the solution

if ($_SERVER['REMOTE_ADDR'] == "IP OF A.com") {
    // exec code
} else {
    log_error($_SERVER['REMOTE_ADDR'] . ' has tried to access B.com at ' . date('c')); // that's an example
}

The simplest way to achieve this would be to create a key that site a.com knows and site b.com knows.

Then you could pass the key from one server to the other via curl, and as long as no one else knows what the key is they won't be able to access it (assuming you program it that way).

This is how most APIs work, such as Facebook, Twitter, LinkedIn, etc.

Your post data would then look like this for example ( a.com ):

$some_data = array(
    'message' => 'Hello World',
    'name' => 'Chad',
    'key' => '4h9rj8wj49tj0wgj0ejwrkw0jt0ekv0ijspxodxk9rje0rg9tskvep9rrgt9wkrgte'
); 

Then on b.com you would just do this:

if (!isset($_POST['key']) || $_POST['key'] !== '4h9rj8wj49tj0wgj0ejwrkw0jt0ekv0ijspxodxk9rje0rg9tskvep9rrgt9wkrgte') {
    die("Invalid Key");
}

You can use a public/private pair system. A simple version would be like this:

//a.com

$keys  = array(
   'publicKey1' => 'privateKey1',
   'publicKey2' => 'privateKey2',
    //...
   'ksjdlfksjdlf' => '989384kjd90903@kjskdjdsd'
);
//get a random public key from the pool (array_rand returns one key of the array)
$publicKey  = array_rand($keys);
$privateKey = $keys[$publicKey];

//your data...
$some_data = array(
   'message' => 'Hello World',
   'name' => 'Chad'
);

/*generate a verification code from data...*/
//add public key to data
$some_data['key'] = $publicKey;
//sort data by key (to always generate same verification code regardless of params order)
ksort($some_data);

//generate code with your private key
$verificationKey = sha1($privateKey . http_build_query($some_data) . $privateKey);

//add verification code to sent data
$some_data['verification_code'] = $verificationKey;

//send data
curl_exec(...);

and on b.com:

$keys = array(/* same keys that exist on a.com */);
if (!isset($_POST['key']) || !isset($_POST['verification_code']) || !isset($keys[$_POST['key']])) {
    //do something to handle invalid request
}

$verificationKey  = $_POST['verification_code'];
$privateKey       = $keys[$_POST['key']];

//remove verification code from data
unset($_POST['verification_code']);
//sort data by key, exactly as on a.com
ksort($_POST);

$checkKey = sha1($privateKey . http_build_query($_POST) . $privateKey);

//validate key (hash_equals compares in constant time)
if (!hash_equals($checkKey, $verificationKey)) {
   //handle invalid data
}

//verified. do something with $_POST
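The shared-key answer and the verification-code answer above both rely on the same idea: b.com accepts a request only if it carries something that could only have been computed with a secret a.com holds. The block below is an added example, not code from either answer, that carries that idea through with the pieces a practitioner would want: hash_hmac instead of sha1(secret . data . secret), a timestamp and nonce so a captured request cannot be replayed, and a constant-time comparison. The key id a-com-key-1, the secret value, the 300-second skew window and all function names are assumptions; the nonce store is a plain array standing in for whatever shared store b.com would use.

```php
<?php
// Added example (not the original answers' code). Both sides sign the same
// canonical string: sorted, url-encoded fields with the signature itself left out.

const CLOCK_SKEW_SECONDS = 300;   // assumed tolerance between a.com and b.com clocks

function canonical_query(array $fields): string
{
    unset($fields['signature']);
    ksort($fields, SORT_STRING);
    return http_build_query($fields, '', '&', PHP_QUERY_RFC3986);
}

// a.com: attach key id, timestamp, random nonce and an HMAC-SHA256 over everything.
function sign_request(array $data, string $keyId, string $secret, ?int $now = null): array
{
    $data['key']       = $keyId;
    $data['timestamp'] = (string)($now ?? time());
    $data['nonce']     = bin2hex(random_bytes(16));
    $data['signature'] = hash_hmac('sha256', canonical_query($data), $secret);
    return $data;
}

// b.com: returns null when the request is acceptable, otherwise the reason it was rejected.
// $seenNonces is passed by reference so the caller can persist it between requests.
function verify_request(array $post, array $keys, array &$seenNonces, ?int $now = null): ?string
{
    foreach (['key', 'timestamp', 'nonce', 'signature'] as $f) {
        // is_string rejects key[]=... style input, which would break the canonical string
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return "missing field: $f";
        }
    }
    if (!isset($keys[$post['key']])) {
        return 'unknown key';
    }
    $now = $now ?? time();
    if (!ctype_digit($post['timestamp']) || abs($now - (int)$post['timestamp']) > CLOCK_SKEW_SECONDS) {
        return 'timestamp outside allowed window';
    }
    // Signature is checked before the nonce is recorded, so unauthenticated junk
    // cannot fill the nonce store.
    $expected = hash_hmac('sha256', canonical_query($post), $keys[$post['key']]);
    if (!hash_equals($expected, $post['signature'])) {   // constant-time compare
        return 'bad signature';
    }
    if (isset($seenNonces[$post['nonce']])) {
        return 'replayed nonce';
    }
    $seenNonces[$post['nonce']] = (int)$post['timestamp'];   // entries older than the window can be pruned
    return null;
}

// Demo on constructed data: a valid request, a tampered copy, a replay, and a stale request.
function demo(): array
{
    // Shared secret; in practice generate it with bin2hex(random_bytes(32)) and keep it in config on both hosts.
    $keys = ['a-com-key-1' => 'example-shared-secret-do-not-ship'];
    $seen = [];
    $now  = 1700000000;   // fixed clock so the demo is deterministic

    $req = sign_request(['message' => 'Hello World', 'name' => 'Chad'], 'a-com-key-1', $keys['a-com-key-1'], $now);
    $results = ['valid' => verify_request($req, $keys, $seen, $now)];

    $tampered = $req;
    $tampered['message'] = 'Hello Mallory';
    $results['tampered'] = verify_request($tampered, $keys, $seen, $now);

    $results['replay'] = verify_request($req, $keys, $seen, $now);

    $stale = sign_request(['message' => 'old'], 'a-com-key-1', $keys['a-com-key-1'], $now - 3600);
    $results['stale'] = verify_request($stale, $keys, $seen, $now);

    return $results;   // valid => null, tampered => 'bad signature', replay => 'replayed nonce', stale => 'timestamp outside allowed window'
}

print_r(demo());
```

On b.com the call would be verify_request($_POST, $keys, $seenNonces) with $seenNonces loaded from a store shared by all b.com workers; a per-process array is only good enough for the demo. The HMAC proves origin and integrity, not confidentiality, so the request still needs HTTPS if the message body is sensitive.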

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM