在项目开发中,需要对url传递的参数进行加密解密,如:?m=Surveyor&a=applyAgencyInfo&act=showAgency&pro_id=47
&pro_types=1中的pro_id=47牵涉修改、删除、增加等权限的操作,如果作为明文传递,存在很大的安全隐患。那么有哪些方式来对url传递的参数进行安全过滤呢?
在读取mysql数据表时,将对应的id直接加密输出:
public function getProject()
{
global $db, $res;
dbc();
@$p = $_GET['page'] == "" ? 1 : $_GET['page'];
@$pagesize = $_GET['limit'] == "" ? 15 : $_GET['limit'];
@$limit = ($p - 1) * $pagesize;
//用户ID解密
$user_id = AuthCode($_COOKIE['user_id'], 'DECODE', 'LOCKDATAV', '');
$sql = "select pro_id,user_id,pro_types,pro_name,pro_serial,pro_category,pro_condition,pro_audit,pro_declarant FROM " . $db->table('project') . " WHERE user_id =" . $user_id;
$sql .= " ORDER BY pro_id DESC LIMIT " . $limit . "," . $pagesize;
$row = $db->queryall($sql);
//获取总记录;
$sql_c = "select pro_id FROM " . $db->table('project') . " WHERE user_id =" . $user_id;
$sql_c .= " ORDER BY pro_id DESC";
$row_c = $db->queryall($sql_c);
//项目pro_id加密
foreach ($row as $k => $v) {
$row[$k]['dpro_id'] = lockAuth($v['pro_id'], 'LOCKDATAV', '');
}
/*信息输出*/
$res['code'] = 0;
$res['msg'] = 0;
$res['count'] = count($row_c);
$res["data"] = $row;
die(json_encode_lockdata($res));
}
//项目pro_id加密
foreach ($row as $k => $v) {
$row[$k]['dpro_id'] = lockAuth($v['pro_id'], 'LOCKDATAV', '');
}
/*项目加密*/
function lockAuth($tex, $key, $type = "encode")
{
$chrArr = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9');
if ($type == "decode") {
if (strlen($tex) < 14) return false;
$verity_str = substr($tex, 0, 8);
$tex = substr($tex, 8);
if ($verity_str != substr(md5($tex), 0, 8)) {
//完整性验证失败
return false;
}
}
$key_b = $type == "decode" ? substr($tex, 0, 6) : $chrArr[rand() % 62] . $chrArr[rand() % 62] . $chrArr[rand() % 62] . $chrArr[rand() % 62] . $chrArr[rand() % 62] . $chrArr[rand() % 62];
$rand_key = $key_b . $key;
$rand_key = md5($rand_key);
$tex = $type == "decode" ? base64_decode(substr($tex, 6)) : $tex;
$texlen = strlen($tex);
$reslutstr = "";
for ($i = 0; $i < $texlen; $i++) {
$reslutstr .= $tex{$i} ^ $rand_key{$i % 32};
}
//加密
if ($type != "decode") {
$reslutstr = trim($key_b . base64_encode($reslutstr), "==");
$reslutstr = substr(md5($reslutstr), 0, 8) . $reslutstr;
}
return $reslutstr;
}
如:&act=showAgency&pro_id=47&token=92208612f2dae1b7f43ad8121b9f74e6
其中token的加密方式为pro_id,key动态加密即可。
/*
* $id,需要加密的字符串
* $key,加密密钥
* */
function getToken($id, $key)
{
return md5($id . $key);
}
在获取id的页面进行验证即可。
@漏刻有时