Reham Fahmy

Reputation: 5063

random key generator with validity check

What if I want to add an option to my website like an API?

When anyone calls my.site.dot.com/api.php?id=name it will add the name to my database.

But I'm getting a lot of spam entries, so I've been thinking about using a key.

So it would be like my.site.dot.com/api.php?id=name&key=MMSDJJSHHHAG: if the key is right then it echoes "passed", and if it is wrong then it echoes "stopped".

Now my question: I want any function that can generate a random key, either of letters or numbers or both, whatever.

But the bottom line is that it must also be able to recognize its own keys. Why? Because when someone calls my.site.dot.com/api.php?id=name&key=MMSDJJSHHHAG it must be able to know that MMSDJJSHHHAG is a valid key.

my.site.dot.com/api.php?id=name&key=MMSDJJSHHHAG

<?php
// read the two query-string parameters instead of relying on register_globals
$id  = isset($_GET['id'])  ? $_GET['id']  : '';
$key = isset($_GET['key']) ? $_GET['key'] : '';
echo $id;  // name
echo $key; // MMSDJJSHHHAG

if ( key_is_valid($key) ) { // key_is_valid() is the function this question is asking for
    echo "passed";
} else {
    echo "stopped";
}
?>

I know there are some other ideas, like storing every key I generate in a text file or in a database table, etc., and those are good ideas, but I'll generate it upon viewing a page, so someone could make billions of refreshes and bring the site down :(

I'm thinking of math equations! Any help with this idea? Thanks a lot.

Upvotes: 1

Views: 302

Answers (2)

Owen Allen

Reputation: 11968

If the keys aren't unique to users, then generating a key by any pattern is simply security through obscurity. If someone is already spamming your API, logic would dictate that they have observed the URLs that your application uses and they are already calling them blindly (or intentionally). If you attach a non-unique pattern-generated key, then the observer will simply snoop that URL and spam it as well, unless the key is passed server side in which case any key will do.

Bottom line: if you want to stop spam, you need to use a real authentication method.

Upvotes: 1

Ofir Baruch

Reputation: 10356

You can use hashing/encrypting methods to generate this key you're talking about (md5, for instance).

Notice that in order to use the API of most web services you need to have an account; those services match a key to an account.

So basically you have a key for each account (not for each action or refresh): add another field to your API members' table named "api_key" and you are ready to go.

Relating to your problem, you can also add another field, for instance "site_url"; your api.php file will check the "source" of the request. If the KEY and the SOURCE of the request exist for one account it will do what it needs to do, otherwise die() or something like that.

Upvotes: 1
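The following is an added example, not code from the question or from either answer. It puts the two ideas on this page side by side in PHP: the per-account "api_key" plus "site_url" check from the answer above, and the questioner's wish for a key the server can recognize by computation alone, done with a keyed hash (HMAC) rather than a guessable pattern, which is the point the first answer makes. Everything here is illustrative: API_SERVER_SECRET is a hypothetical secret, the $members array stands in for the members table, and the Origin/Referer value is passed in as a plain string.

```php
<?php
declare(strict_types=1);

// Added example; assumes a server-side secret constant, an in-memory stand-in for the
// "api members" table, and that api.php receives $_GET and the Origin/Referer header.

// Hypothetical secret: generate once (e.g. bin2hex(random_bytes(32))), keep it outside the web root.
const API_SERVER_SECRET = 'hypothetical-server-secret-change-me';

/* 1. Per-account key, as the answer suggests */

// An unguessable key: 128 bits from the CSPRNG, no pattern for a spammer to reverse-engineer.
function generate_api_key(): string
{
    return bin2hex(random_bytes(16));
}

// Store only a hash of the key so a leaked table does not leak usable keys.
function add_member(array &$members, string $account, string $site_url, string $api_key): void
{
    $members[$account] = [
        'api_key_hash' => hash('sha256', $api_key),
        'site_url'     => $site_url,
    ];
}

// Find the account that owns a key; hash_equals() keeps the comparison constant-time.
function account_for_key(array $members, string $api_key): ?string
{
    $candidate = hash('sha256', $api_key);
    foreach ($members as $account => $row) {
        if (hash_equals($row['api_key_hash'], $candidate)) {
            return $account;
        }
    }
    return null;
}

// The "source" check from the answer: the host of the request's Origin/Referer must match
// the account's site_url. Caveat: a client can forge that header, so this is a filter, not auth.
function source_matches(array $row, string $origin_header): bool
{
    $expected = parse_url($row['site_url'], PHP_URL_HOST);
    $actual   = parse_url($origin_header, PHP_URL_HOST);
    return is_string($expected) && $actual === $expected;
}

/* 2. Stateless key: the "math equation" idea done with a keyed hash */

// The key is an HMAC of the id under the server secret. The server re-derives it on every
// request, so nothing is stored per key; it is bound to one id and only as strong as the secret.
function issue_stateless_key(string $id): string
{
    return hash_hmac('sha256', $id, API_SERVER_SECRET);
}

function stateless_key_is_valid(string $id, string $key): bool
{
    return hash_equals(issue_stateless_key($id), $key);
}

/* api.php-style handler combining both checks */

function handle_api_request(array $members, array $get, string $origin_header): string
{
    $id  = (string) ($get['id']  ?? '');
    $key = (string) ($get['key'] ?? '');
    if ($id === '' || $key === '') {
        return 'stopped';
    }
    $account = account_for_key($members, $key);
    if ($account !== null && source_matches($members[$account], $origin_header)) {
        return 'passed'; // here you would insert $id into the database on behalf of $account
    }
    if (stateless_key_is_valid($id, $key)) {
        return 'passed';
    }
    return 'stopped';
}

// Constructed demo data
$members   = [];
$alice_key = generate_api_key();
add_member($members, 'alice', 'https://alice.example', $alice_key);
$name_key  = issue_stateless_key('name');

echo 'account key, own site:    ', handle_api_request($members, ['id' => 'name', 'key' => $alice_key], 'https://alice.example/page'), "\n";
echo 'account key, other site:  ', handle_api_request($members, ['id' => 'name', 'key' => $alice_key], 'https://evil.example/'), "\n";
echo 'made-up key:              ', handle_api_request($members, ['id' => 'name', 'key' => 'MMSDJJSHHHAG'], 'https://alice.example/'), "\n";
echo 'HMAC key, matching id:    ', handle_api_request($members, ['id' => 'name', 'key' => $name_key], ''), "\n";
echo 'HMAC key, different id:   ', handle_api_request($members, ['id' => 'other', 'key' => $name_key], ''), "\n";
```

Run it with php from the command line. The HMAC variant answers the literal question (a key the server recognizes without storing it), but note what it does and does not buy you: a spammer who captures one valid URL can replay it for that id indefinitely, exactly as the first answer warns, so it needs to be paired with per-account keys, rate limiting, or both. Never use md5 or a fixed arithmetic pattern for this; an attacker who sees a few keys can recover the rule, while an HMAC is safe as long as the secret stays on the server.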
