Active and passive in PHP control flow

  • 2020-05-27 04:28:55
  • OfStack

This year phpers have been working hard: the Taobao redesign, cloud computing, the Tencent open platform, online games. None of this work would have been achieved without phpers. I believe PHP can keep leading the industry for another 10 years, and we look forward to PHP still being all-powerful in the next 50, even 100 years. We are all small parts of one whole; apart from PHP we are not experts in anything else, and making a living is hard. Please keep up the effort, everyone.

What are active and passive? For example, you walk into the boss's office to ask for a raise: that is active. Whether seen from your own perspective or the boss's, you are the one taking the initiative, and the face you show is positive. If the boss calls you into the office, then asks you to produce the Taobao architecture and gives you a 20% raise, that is called passive. Whatever was promised, you were on the passive side. Active and passive are that simple to understand. Program flow runs into the same awkward problem of active versus passive. Let's look at an example.

An example:
When a purchase on buy.qq succeeds, it notifies the QQ master server over HTTP:
file_get_contents('http://www.qq.com/api.php?add_saleinfo=buy_qq&orderid=12345&pay=888');

The code runs, and it is generally understood to be safe, but what is the truth? If this interface leaks, the consequences are unpredictable: anyone can forge an order and push it into storage, no matter how you restrict access or check the data. Taking ten thousand steps back, it is also dangerous for the person who wrote the code. This calls for turning qq.com from passive into active: http://www.qq.com/api.php?add_saleinfo=buy_qq is changed so that it no longer receives any order information, only a token value. After receiving the token, the interface calls back the buy.qq query interface, and only then writes to storage. The point is to analyse and think actively before storing anything.
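The following is an added example, not code from the original article, that puts the passive receiver described above beside the active one: the passive version stores whatever orderid and pay the notifier sends, while the active version accepts only a token and fetches the order from the buy side itself. The buy side's query endpoint, the JSON it returns and the placeholder URL are assumptions.

```php
<?php
// Added example (not from the original article). Assumed: buy.qq exposes a query
// endpoint that returns JSON for an order token; the master side persists orders
// through save_order(). BUY_QUERY_URL and the JSON fields are placeholders.

const BUY_QUERY_URL = 'https://buy.qq.example.invalid/query.php'; // placeholder

// ---- Passive receiver: the pattern the article warns about ------------------
// Whatever orderid/pay pair arrives in the query string is written to storage,
// so anyone who learns the URL can forge an order.
function handle_passive_notify(array $get): bool
{
    $orderid = (string) ($get['orderid'] ?? '');
    $pay     = (float)  ($get['pay'] ?? 0);
    return save_order($orderid, $pay);          // trusts caller-supplied values
}

// ---- Active receiver: only a token arrives -----------------------------------
// The master side fetches the authoritative order record from buy.qq itself.
function handle_active_notify(array $get, callable $http_get): bool
{
    $token = (string) ($get['token'] ?? '');
    // Only an opaque token is accepted; nothing else from the request is used.
    if (!preg_match('/^[A-Za-z0-9]{16,64}$/', $token)) {
        return false;
    }
    $body = $http_get(BUY_QUERY_URL . '?' . http_build_query(['token' => $token]));
    if ($body === false) {
        return false;                           // buy side unreachable: do not store
    }
    $order = json_decode($body, true);
    if (!is_array($order) || ($order['status'] ?? '') !== 'paid') {
        return false;                           // unknown token or unpaid order
    }
    // orderid and pay now come from the trusted side, not from the notifier.
    return save_order((string) $order['orderid'], (float) $order['pay']);
}

// ---- buy.qq side: the query interface the master calls back -------------------
// Constructed sample table standing in for the buy side's order database.
function buy_side_query(string $token): string
{
    static $orders = [
        'tok0123456789abcdef' => ['orderid' => '12345', 'pay' => 888.0, 'status' => 'paid'],
    ];
    $row = $orders[$token] ?? ['status' => 'unknown'];
    return json_encode($row);
}

function save_order(string $orderid, float $pay): bool
{
    // Storage stand-in; a real implementation writes to the database.
    error_log(sprintf('store order %s amount %.2f', $orderid, $pay));
    return true;
}

// Offline demonstration: the HTTP fetch is replaced by a direct call to buy_side_query.
$fake_http = function (string $url) {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    return buy_side_query($q['token'] ?? '');
};
var_dump(handle_active_notify(['token' => 'tok0123456789abcdef'], $fake_http));
var_dump(handle_active_notify(['token' => 'forgedtoken12345678'], $fake_http));
var_dump(handle_active_notify(['orderid' => '999', 'pay' => '1'], $fake_http));
```

Of the three calls at the bottom, only the first stores anything: the second carries a well-formed token that buy.qq does not recognise, and the third tries to push orderid and pay directly, which the active receiver never reads. The HTTP fetch is injected as a callable so the exchange runs offline; in production it would be a real file_get_contents or cURL call with a timeout.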

Taobao affiliate (taobaoke) webmasters have the same problem. It was reported earlier that browser plugins modified the pid value inside web pages, causing webmasters losses. This is the result of being passive: PHP requests the Taobao API interface, receives the commodity information together with the purchase link, and that purchase link carries the webmaster's pid, which is where the webmaster becomes passive. Put directly into an href on the page, the link is likely to be collected and have its pid modified by the browser. You know the rest: in the end, the pid represents money. Someone thought about this problem and turned passive into active to prevent the bug: instead of showing the goods link directly, it passes through a PHP rewrite. The user sees a URL like www.qq.com/tao/buy.php?sid=aaaa333, where sid is definitely not the value of pid. All the work is carried by buy.php, which takes the initiative to do the analysis and safety checks.
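As an added example that is not part of the original article, here is the buy.php indirection just described: the page shows only an opaque sid, and buy.php looks the sid up in server-side storage and rebuilds the outbound link with the pid itself, so nothing in the browser ever holds or can alter the pid. The merchant URL, the parameter names, the pid sample value and the in-memory table are assumptions.

```php
<?php
// Added example (not from the original article). Assumed: the site keeps a
// server-side table mapping an opaque sid to the item and the webmaster's pid;
// ITEM_URL, the parameter names, the sample pid and SID_TTL are placeholders.

const ITEM_URL = 'https://item.example.invalid/buy'; // placeholder for the merchant link
const SID_TTL  = 3600;                               // seconds an sid stays valid

// Passive: the pid appears in the page's href, where a browser plugin can rewrite it.
function build_item_url(string $item_id, string $pid): string
{
    return ITEM_URL . '?' . http_build_query(['id' => $item_id, 'pid' => $pid]);
}

// Active, step 1: when rendering the page, register the link and expose only an sid.
function register_link(string $item_id, string $pid, array &$table): string
{
    $sid = bin2hex(random_bytes(8));              // 16 hex chars, unguessable
    $table[$sid] = ['item' => $item_id, 'pid' => $pid, 'created' => time()];
    return '/tao/buy.php?' . http_build_query(['sid' => $sid]);
}

// Active, step 2: buy.php resolves the sid itself and rebuilds the outbound link
// from server-side data. The request can name an sid but cannot supply a pid.
function resolve_sid(string $sid, array $table, int $now): ?string
{
    if (!preg_match('/^[0-9a-f]{16}$/', $sid)) {
        return null;                              // malformed sid
    }
    $row = $table[$sid] ?? null;
    if ($row === null || $now - $row['created'] > SID_TTL) {
        return null;                              // unknown or expired
    }
    return build_item_url($row['item'], $row['pid']);
}

// buy.php entry point: redirect or refuse; never echo a pid into HTML.
function buy_php(array $get, array $table): void
{
    $target = resolve_sid((string) ($get['sid'] ?? ''), $table, time());
    if ($target === null) {
        http_response_code(404);
        exit('unknown link');
    }
    header('Location: ' . $target, true, 302);
    exit;
}

// Offline demonstration with a constructed in-memory table.
$links = [];
$href  = register_link('item-42', 'pid-sample', $links);        // what the page shows
parse_str((string) parse_url($href, PHP_URL_QUERY), $q);
$real  = resolve_sid($q['sid'], $links, time());                // what buy.php redirects to
$bogus = resolve_sid('0000000000000000', $links, time());       // not in the table: null
```

The in-memory array stands in for whatever store buy.php uses (database, cache); the property that matters is that the pid is only ever read from that store, so a modified or guessed sid can at worst produce a 404, never a redirect carrying someone else's pid. The TTL keeps old sids from accumulating as permanently valid entry points.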

QQ Connect 2.0 has been widely used across Internet sites. How can a service that holds the core user data ensure user safety? While ensuring speed of access, security should also be improved. The current QQ login process is as follows. First, appid, appkey and callbackurl are combined into one link string, and the browser jumps to qq.com. That is why on many sites requesting qqlogin.php directly jumps to the QQ login page: these parameters are fixed, and that is still secure. The login itself still happens on qq.com; this is the single sign-on phpers often talk about. After a successful login, the browser jumps straight to the callbackurl page. At this point the information in callbackurl is still not enough to prove that the user logged in successfully; it has only obtained a token value. So comes step 2: use the token value to query the QQ API openid interface, and only then is the login complete. So QQ is active: the query result is not a simple success or failure, but the corresponding parameters and prompt information, so however it changes later, it stays compatible. Tencent holds the initiative, which is very important for an enterprise with hundreds of millions of users. Its internal security also includes matching the domain name to the appid, token expiration checks and IP restrictions.
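The two-step login described above, as an added example that is not from the original article: step 1 builds the login link from the fixed parameters, and step 2, on the callback page, treats the token as unproven until the openid interface has answered. The provider endpoints, the response fields, the appid/appkey/callbackurl values and the state nonce are assumptions, not QQ Connect's actual API; the appid and expiry checks the article attributes to Tencent's side are mirrored on the site side here.

```php
<?php
// Added example (not from the original article). QQ_LOGIN_URL and QQ_OPENID_URL
// are placeholders for the provider's endpoints, and the response fields are
// assumed; APPID, APPKEY and CALLBACK_URL are constructed sample values.

const APPID         = '100000001';                                   // sample
const APPKEY        = 'appkey-placeholder';                          // never sent to the browser
const CALLBACK_URL  = 'https://www.example.invalid/qqlogin_cb.php';  // sample
const QQ_LOGIN_URL  = 'https://login.qq.example.invalid/authorize';  // placeholder
const QQ_OPENID_URL = 'https://api.qq.example.invalid/openid';       // placeholder

// Step 1 (qqlogin.php): combine the fixed parameters into the link and jump to qq.com.
// The link carries nothing secret, which is why requesting qqlogin.php directly only
// redirects to the QQ login page. 'state' is a per-session nonce added here so the
// callback can be tied to the session that started it (an assumption, not from the article).
function build_login_url(string $state): string
{
    return QQ_LOGIN_URL . '?' . http_build_query([
        'appid'        => APPID,
        'redirect_uri' => CALLBACK_URL,
        'state'        => $state,
    ]);
}

// Step 2 (callbackurl page): the callback brings only a token. On its own it proves
// nothing; the site must ask the openid interface, and the provider answers with
// parameters and a message rather than a bare yes/no.
function complete_login(array $get, string $expected_state, callable $http_get): ?array
{
    if (!hash_equals($expected_state, (string) ($get['state'] ?? ''))) {
        return null;                                     // a callback we did not start
    }
    $token = (string) ($get['token'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_-]{16,128}$/', $token)) {
        return null;                                     // not a plausible token
    }
    // Server-to-server query; the appkey travels only on this leg.
    $resp = $http_get(QQ_OPENID_URL . '?' . http_build_query([
        'access_token' => $token, 'appid' => APPID, 'appkey' => APPKEY,
    ]));
    if ($resp === false) {
        return null;                                     // provider unreachable
    }
    $data = json_decode($resp, true);
    if (!is_array($data) || ($data['code'] ?? -1) !== 0) {
        return null;                                     // provider refused the token
    }
    // Mirror of the checks the article lists: the token must belong to this appid
    // and must not have expired.
    if (($data['appid'] ?? '') !== APPID) {
        return null;
    }
    if (!isset($data['expires_at']) || (int) $data['expires_at'] < time()) {
        return null;
    }
    return ['openid' => (string) $data['openid'], 'expires_at' => (int) $data['expires_at']];
}

// Offline demonstration: a stand-in for the openid interface that knows one token.
$fake_openid_api = function (string $url) {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    if (($q['access_token'] ?? '') === 'tok_valid_0123456789') {
        return json_encode(['code' => 0, 'msg' => 'ok', 'appid' => APPID,
                            'openid' => 'OPENID_SAMPLE', 'expires_at' => time() + 7200]);
    }
    return json_encode(['code' => 1, 'msg' => 'invalid token']);
};
$state     = bin2hex(random_bytes(16));
$login_url = build_login_url($state);   // where the browser is sent in step 1
$user = complete_login(['token' => 'tok_valid_0123456789', 'state' => $state], $state, $fake_openid_api);
$none = complete_login(['token' => 'tok_valid_0123456789', 'state' => 'other'], $state, $fake_openid_api);
```

The first complete_login call returns the openid and expiry; the second returns null because the state does not match the session that started the login, even though the token itself is valid. Because the provider's answer is a structured record with a code and a message rather than a boolean, the site can add checks (appid match, expiry) without the interface changing shape, which is the compatibility point the article makes.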

There are many such examples; PayPal and Alipay work on the same principle.
