I recently was asked to create a PHP image upload script that only allowed uploads to come from an iOS application written in Objective-C. Along with the upload come a key and an id $_POST field that are used to validate the user. How could I possibly prevent third parties from attempting to upload an image?
1 solution
#1
A static key doesn't offer much security. Somebody could just use a packet sniffer to capture the key and then use the same key in their messages.
A much more rigorous approach would be to have the server send a challenge with a random value in it. The iOS app would encrypt that value with the private key of a public/private key encryption scheme and send the result to the server. The server would then use the public key to decrypt the message and verify it.
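The challenge-response flow the answer describes, as an added example that is not code from the question or the answer: the server issues a random single-use nonce, the app signs it with its private key, and the server verifies the signature with the public key. The key pair, the 60-second validity window and the in-memory challenge store are assumptions; the client step is shown in the same PHP script only so the whole exchange is visible.

```php
<?php
// Key pair generated once; the private half would be embedded in the iOS app,
// the public half is all the server stores. (Assumed setup, generated here for the demo.)
$keyPair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($keyPair)['key'];

// --- Server side: issue a challenge and remember it with an expiry ---
$challenges = []; // assumption: in production this is a session or database table

function issueChallenge(array &$store): string {
    $nonce = bin2hex(random_bytes(32));   // unpredictable, so a captured value cannot be reused
    $store[$nonce] = time() + 60;         // assumed 60-second validity window
    return $nonce;
}

// --- Server side: verify the signed challenge and consume it ---
function verifyResponse(array &$store, string $nonce, string $sigB64, string $publicPem): bool {
    if (!isset($store[$nonce])) {
        return false;                     // unknown, expired-and-purged, or already used (replay)
    }
    $expires = $store[$nonce];
    unset($store[$nonce]);                // single use: consumed even if verification fails
    if (time() > $expires) {
        return false;
    }
    $sig = base64_decode($sigB64, true);
    if ($sig === false) {
        return false;
    }
    // openssl_verify returns 1 on a valid signature, 0 on invalid, -1 on error
    return openssl_verify($nonce, $sig, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

// --- Client side (this is what the iOS app does; shown here for the exchange) ---
$nonce = issueChallenge($challenges);                       // received from the server
openssl_sign($nonce, $signature, $keyPair, OPENSSL_ALGO_SHA256);
$response = base64_encode($signature);                      // sent back with the upload

var_dump(verifyResponse($challenges, $nonce, $response, $publicPem)); // bool(true)
var_dump(verifyResponse($challenges, $nonce, $response, $publicPem)); // bool(false): nonce already consumed
```

The server should still only accept the upload itself over TLS and tie the verified nonce to the specific upload request, otherwise a sniffed key is simply replaced by a sniffed signed response.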