function IAuthVerify($pTmp)
{
$ip = getAndCheck($pTmp, 'ip');
$sig = getAndCheck($pTmp, 'sig');
$url = getAndCheck($pTmp, 'url');
$client = array('appid' => getAndCheck($pTmp, 'appid'), 'hash' => getAndCheck($pTmp, 'hash'), 'hashmethod' => getAndCheck($pTmp, 'hashmethod'), 'time' => getAndCheck($pTmp, 'time'), 'nonce' => getAndCheck($pTmp, 'nonce'), 'version' => getAndCheck($pTmp, 'version'), 'sigmethod' => getAndCheck($pTmp, 'sigmethod'), 'token' => getAndCheck($pTmp, 'token'));
$apiInfo = GetAPI($url);
$rpid = $apiInfo['owner_id'];
$api_id = $apiInfo['api_id'];
$rpSecret = GetAppInfo($rpid, 'app_secret');
$accessInfo = GetAccessInfo($client['appid'], $client['token']);
$accessSecret = $accessInfo['access_secret'];
$faile_t = $accessInfo['faile_t'];
$rights = $accessInfo['rights'];
$uid = $accessInfo['user_id'];
$appSecret = GetAppInfo($client['appid'], 'app_secret');
$secret = $appSecret . '&' . $accessSecret;
$base_str = 'POST&' . $url . '&' . CoString($client);
if ($sig != signature($base_str, $secret, $client['sigmethod'])) {
throw new IAuthException('sig not match', $base_str);
}
$client['limit_seconds'] = $apiInfo['limit_seconds'];
$client['limit_counts'] = $apiInfo['limit_counts'];
CheckReplayAttack($client, 'verify');
VerifyAccessRight($api_id, $rights);
newVerifier('verify', $client['appid'], $uid, $client['token'], date('Y-m-d H:i:s', $client['time']), $client['nonce'], $ip, $api_id);
$rpRequest = $pTmp;
$rpRequest['uid'] = $uid;
$rpSig = signature(CoString($rpRequest), $rpid . '&' . $rpSecret, 'MD5');
echo 'uid=' . $uid . '&sig=' . $rpSig;
/* echo '<br />'; */
/* echo CoString($rpRequest); */
}
}
$base_str .= rawurlencode(substr($str_tmp, 0, strlen($str_tmp) - 1));
/* 删去最后多出来的一个'&' */
/* DEBUG */
/*####################################### */
if ($DEBUG_MOD == ON) {
echo '</pre><h2>BASE STRING</h2><hr /><pre>';
echo $base_str;
}
/*####################################### */
/* DEBUG */
/*################ 检查签名 ################*/
$secret = $app_consumer_key . '&' . $app_consumer_secret;
/* $sign = hash_hmac ( "sha1", $base_str, $secret, true ); */
/* $sign = base64_encode ( $sign ); */
$sign = signature($oauth_array['oauth_signature_method'], $base_str, $secret);
/* DEBUG */
/*####################################### */
if ($DEBUG_MOD == ON) {
echo '</pre><h2>signatures</h2><hr /><pre>';
echo $sign . "\n";
echo $sig;
}
/*####################################### */
/* DEBUG */
if (strcmp($sig, $sign) != 0) {
die("签名不匹配!");
}
/*################ 检索uid ################*/
$token = $oauth_array['oauth_consumer_key'];
$nonce = $oauth_array['oauth_nonce'];
<?php
include_once 'function.php';
if (isset($_POST['username']) && isset($_POST['password'])) {
$account['username'] = $_POST['username'];
$account['password'] = $_POST['password'];
//这里处理自己服务器登录的流程
//自己服务器登录成功后向客户端下发加密的rsa串
$result = signature("1071", $account['username'], "1400001973", "1400001973", 60 * 60 * 24 * 30, "./private_key");
if ($result == null) {
$res['status'] = 500;
$res['message'] = "server error";
echo json_encode($res);
} else {
$res['status'] = 200;
$res['message'] = $result;
echo json_encode($res);
}
} else {
$res['status'] = 404;
$res['message'] = "params is not right";
echo json_encode($res);
}
function oauth_check()
{
if (!empty($_POST['noauth'])) {
return $_POST['noauth'];
}
/*################ 从Header中提取参数 ################*/
if (function_exists('apache_request_headers')) {
$headers = getallheaders();
if (empty($headers['Authorization'])) {
die('need header Authorization');
}
$oauth_params = $headers['Authorization'];
} else {
if (empty($_SERVER['HTTP_AUTHORIZATION'])) {
die('need header Authorization');
}
$oauth_params = $_SERVER['HTTP_AUTHORIZATION'];
}
$oauth_arr_tmp = explode(',', $oauth_params);
$sig = '';
$oauth_array = array();
foreach ($oauth_arr_tmp as $str_tmp) {
$pos = strpos($str_tmp, '=');
$val_tmp = rawurldecode(substr($str_tmp, $pos + 2, strlen($str_tmp) - $pos - 3));
$key_tmp = rawurldecode(substr($str_tmp, 0, $pos));
if ($key_tmp == 'oauth_signature') {
$sig = rawurldecode($val_tmp);
} else {
$oauth_array[$key_tmp] = rawurldecode($val_tmp);
}
}
//print_r($oauth_array);
/*################ 检查oauth数组中的参数是否合法 ################*/
if ($sig == '') {
die('缺少签名');
}
if (empty($oauth_array['oauth_nonce'])) {
die('缺少nonce');
}
if (empty($oauth_array['oauth_timestamp'])) {
die('缺少时间戳');
}
if (empty($oauth_array['oauth_signature_method'])) {
die('缺少签名方法');
}
if (empty($oauth_array['oauth_consumer_key'])) {
die('缺少app_key');
}
if (empty($oauth_array['oauth_version'])) {
die('缺少认证版本');
}
if (empty($oauth_array['oauth_token'])) {
die('缺少access_token');
}
/*################ 过滤1-时间戳 ################*/
$their_time = $oauth_array['oauth_timestamp'];
$now = time();
/* echo $their_time . '<br>'; */
/* echo $now . '<br>'; */
if ($their_time <= $now - 480 || $their_time >= $now + 480) {
die("时间与服务器不同步");
}
/*################ 检查oauth数组中的参数是否合法 ################*/
if (strlen($sig) <= 10) {
die('非法的签名');
}
$tobechecked = $oauth_array['oauth_consumer_key'];
if (!preg_match("/^[a-fA-F0-9]{40}\$/", $tobechecked)) {
die('非法的consumer_key');
}
$tobechecked = $oauth_array['oauth_token'];
if (!preg_match("/^[a-fA-F0-9]{40}\$/", $tobechecked)) {
die('非法的token');
}
$tobechecked = $oauth_array['oauth_nonce'];
if (!preg_match("/^[a-fA-F0-9]{16}\$/", $tobechecked)) {
die('非法的nonce');
}
/* if ($oauth_array['oauth_signature_method']!='HMAC-SHA1') die ('不支持的签名方式'); */
if ($oauth_array['oauth_version'] != '1.0') {
die('不支持的版本');
}
if ($oauth_array['oauth_signature_method'] != 'HMAC-SHA1' && $oauth_array['oauth_signature_method'] != 'MD5') {
die('不支持的签名方式');
}
/*################ 设定参数 ################*/
$method = "POST";
$url_path = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'];
$app_consumer_key = $oauth_array['oauth_consumer_key'];
$access_token = $oauth_array['oauth_token'];
/* echo $app_consumer_key . '<br />'; */
/* echo $access_token; */
$con = mysql_connect(OAUTH_DB_DOMAIN, OAUTH_DB_USER, OAUTH_DB_PASSWD);
if (!$con) {
$con = mysql_error();
}
mysql_select_db(OAUTH_DB_DB);
$sql = "SELECT user_id,app_secret,app_info.app_id,token_right,request_token,request_secret,access_secret FROM app_info,token_info WHERE app_key='{$app_consumer_key}' and access_token='{$access_token}' and app_info.app_id=token_info.app_id";
$tmp = mysql_query($sql);
echo mysql_error();
$sql_result = mysql_fetch_array($tmp);
if ($sql_result == '') {
die("应用不存在!");
}
/* print_r( $sql_result ); */
/* echo '<br />'; */
$app_consumer_secret = $sql_result['app_secret'];
$request_token = $sql_result['request_token'];
$request_secret = $sql_result['request_secret'];
//echo 'app_secret: ' . $app_consumer_secret . '<br />';
$access_secret = $sql_result['access_secret'];
$app_id = $sql_result['app_id'];
$params = array_merge($oauth_array, $_POST, $_GET);
$right = $sql_result['token_right'];
$user_id = $sql_result['user_id'];
/*################ 生成BASE String ################*/
$base_str = strtoupper($method) . '&' . rawurlencode($url_path) . '&';
ksort($params);
$str_tmp = '';
foreach ($params as $key => $val) {
$str_tmp .= "{$key}={$val}&";
}
$base_str .= rawurlencode(substr($str_tmp, 0, strlen($str_tmp) - 1));
/* 删去最后多出来的一个'&' */
//echo $base_str;
/*################ 检查签名 ################*/
$secret = $app_consumer_key . '&' . $app_consumer_secret . '&' . $request_token . '&' . $request_secret . '&' . $access_token . '&' . $access_secret;
/* $sign = hash_hmac ( "sha1", $base_str, $secret, true ); */
/* $sign = base64_encode ( $sign ); */
$sign = signature($oauth_array['oauth_signature_method'], $base_str, $secret);
/* echo $sign ."\n"; */
/* echo $sig ."\n"; */
/* echo '<br />secret on server = ' . $secret; */
/* echo '<br />'; */
if (strcmp($sig, $sign) != 0) {
die("签名不匹配!");
}
/*################ 过滤2:重放攻击 ################*/
$app_token = $oauth_array['oauth_consumer_key'];
$acc_token = $oauth_array['oauth_token'];
$nonce = $oauth_array['oauth_nonce'];
$time = $oauth_array['oauth_timestamp'];
//echo $token . '<br /><br />' . $nonce .'<br /><br />' . $time;
$sql = "SELECT app_key FROM token_nonce WHERE app_key='{$app_token}' and token='{$acc_token}' and token_type='access' and nonce='{$nonce}' and create_t='{$time}'";
$sql_tmp = mysql_query($sql);
$sql_result = mysql_fetch_array($sql_tmp);
if ($sql_result != '') {
die("重复请求!");
}
/*----------------- 记录请求以备查询重放攻击 -----------------*/
$t_stamp = date('Y-m-d H:i:s', $time);
$sql = "INSERT INTO token_nonce (app_key,token,token_type,nonce,create_t) VALUES('{$app_token}','{$acc_token}','access','{$nonce}','{$t_stamp}')";
mysql_query($sql);
mysql_close($con);
/*################ 生成数据并返回 ################*/
include_once 'api_info.php';
/* $api_nums=array( */
/* 'getallthings'=>1, */
/* 'getnotification'=>2, */
/* 'getmessages'=>3, */
/* 'getpersonmessages'=>4, */
/* 'getfriendslist'=>6, */
/* 'getuserinfo'=>7, */
/* 'getuserthings'=>8, */
/* 'getusertopics'=>9, */
/* 'getmygroups'=>10, */
/* 'gethotgroups'=>11, */
/* 'getrecommendgroups'=>12, */
/* 'gettopics'=>13, */
/* 'topicreply'=>14, */
/* 'gettherecoding'=>16, */
/* 'gettherecodingreply'=>17, */
/* 'getbloglist'=>18, */
/* 'gettheblog'=>19, */
/* 'getblogreplylist'=>20, */
/* 'gettheshare'=>24, */
/* 'getsharereplylist'=>25, */
/* 'getthetopic'=>0, */
/* 'addnews'=>31, */
/* 'addmessage'=>32, */
/* 'addblog'=>33, */
/* 'addtopic'=>34, */
/* 'addshare'=>35, */
/* 'addnewsreply'=>36, */
/* 'addblogreply'=>37, */
/* 'addtopicreply'=>38, */
/* 'addsharereply'=>39, */
/* 'deleteblog'=>40, */
/* 'deletecomment'=>41, */
/* 'deletefriend'=>0, */
/* 'deletenews'=>42, */
/* 'deletetopic'=>0 */
/* ); */
/* 以下两个函数用于将api权限信息从数据库压缩存储模式转换为可验证的模式。 */
function myhex2bin($mychar)
{
switch ($mychar) {
case '0':
return '0000';
case '1':
return '0001';
case '2':
return '0010';
case '3':
return '0011';
case '4':
return '0100';
case '5':
return '0101';
case '6':
return '0110';
case '7':
return '0111';
case '8':
return '1000';
case '9':
return '1001';
case 'a':
return '1010';
case 'b':
return '1011';
case 'c':
return '1100';
case 'd':
return '1101';
case 'e':
return '1110';
case 'f':
return '1111';
}
}
function check_right($stored_right, $api_num)
{
$tmp_str = '';
$len = strlen($stored_right);
for ($ii = 0; $ii <= $len; $ii++) {
$tmp_char = $stored_right[$ii];
$tmp_str .= myhex2bin($tmp_char);
}
if ($tmp_str[$api_num - 1] == 1) {
return true;
} else {
return false;
}
}
preg_match("/\\/do_.+\\.php\$/", $_SERVER['SCRIPT_NAME'], $match);
$api_string = substr($match[0], 4, strlen($match[0]) - 8);
$api_id = $api_nums[$api_string];
if ($api_id == null) {
die('不存在的api' . $api_string);
}
$result = check_right($right, $api_id);
if ($result == false) {
die('用户未授权,您无法使用该api');
}
return $user_id;
}
<!DOCTYPE html>
<html>
<?php
define("ME", "Learning php with the awesome boy", true);
function signature()
{
echo Me;
}
$txt1 = "Learning PHP";
print "<h2> {$txt1} </h2><br>";
//calling the define parameters
signature();
echo "<br><br>";
//Testing a static variable.
function testStatic()
{
static $m = 0;
echo "The number is {$m} ";
$m++;
}
testStatic();
echo "<br>";
testStatic();
echo "<br>";
testStatic();
echo "<br><br>";
//variables and dispaying it using a php function
$h = 797;
echo "The variable is: ";
var_dump($h);
public function auditSign()
{
if (IS_AJAX) {
$id = intval($_POST['id']);
$wid = intval($_POST['wid']);
$alpha = 30;
$source = $this->modA->where(array('audit_id' => $id))->getField('audit_file');
$source = './Uploads/' . $source;
$status = M('AuditStatus')->where(array('audit_id' => $id, 'user_id' => isLogin()))->getField('user_status');
$auth = M('AuditStatus')->where(array('audit_id' => $id, 'user_id' => isLogin()))->count();
if ($auth) {
if ($status == 1) {
echo 2;
} else {
if (signature($source, $wid, $alpha, $source)) {
M('AuditStatus')->where(array('audit_id' => $id, 'user_id' => isLogin()))->setField('user_status', 1);
echo 1;
} else {
echo 0;
}
}
} else {
echo '非法操作';
}
}
}
function VerifySignature($params, $appSecret, $sig, $sigmethod = '', $httpmethod = 'GET')
{
/*################ 检查签名 ################*/
$baseString = makeBaseString($httpmethod, $params);
if ($sigmethod == '') {
$sigmethod = $params['sigmethod'];
}
$sigTmp = signature($baseString, $appSecret, $sigmethod);
if ($sigTmp != $sig) {
throw new IAuthException('signature not match ' . $baseString);
}
}
