PHP
lokubicuv, 2016-10-30 20:05:01

How to check that the data is not forged (API VKontakte)?

VK recently added community apps. An iframe opens with parameters, but how do you know that the parameters are genuine and that the user didn't write them himself? VK offers the following solution:

$sign = "";
foreach ($request->getParams() as $key => $param) {
    // The signature fields themselves are not part of the signed string;
    // every other parameter value is appended in the order it was received.
    if ($key == 'hash' || $key == 'sign') continue;
    $sign .= $param;
}
$secret = 'SECRET_KEY'; // the application's secret key from the VK app settings
// HMAC-SHA256 over the concatenated values, hex-encoded; empty if there is no secret
$sig = $secret ? hash_hmac('sha256', $sign, $secret) : "";

So what? I get a SHA-256 value in $sig; what should I do with it next? Here is the documentation


3 answer(s)
murlogen, 2016-10-30
@murlogen

Compute it on your side (on the server) and compare it with what you get from the user.
Of course it must match.

Petr Flaks, 2016-10-30
@neluzhin

This is called a "digital signature". It is how you can be sure that the data passed to you is genuine. Are you familiar with one-way encryption like MD5, SHA1, SHA256, etc.? This is the process where you encrypt data so that it cannot be decrypted. The only thing you can do with the encrypted data is compare it. For example, when you download a file from a torrent tracker, the hash sum of the file is listed there. When you download the file, you should check whether the hash on the tracker matches the hash of the file you downloaded. If it does not match, it means the file was damaged during the download; in short, it does not match the original. Digital signatures on VKontakte, payment systems and many other services work in roughly the same way.
Before giving you the "launch parameters" (user ID, the group ID it was launched from, etc.), VKontakte computes the digital signature by mixing the application's secret key into it. Without knowing the application's secret key, no one can generate a valid digital signature. In the code example you provided, VKontakte shows how they generate the digital signature on their side, so that you understand how it works in general. You must use the same algorithm to generate a signature on your server and, when the application starts, check whether the signature you generated matches the one VKontakte gives you. If it matches, the user did not tamper with the launch parameters. If it does not match, you can block access to some functions of your application or return an HTTP error, for example 400 or 401.
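Worked example of the server-side check described above, added here and not taken from VK's documentation or from any of the answers: it rebuilds the concatenated string the way the PHP snippet in the question does, recomputes the HMAC-SHA256 with the application secret and compares it with the received `sign`. The secret, parameter names and values are constructed assumptions, and `sign` is assumed to be hex-encoded like hash_hmac()'s default output.

```python
import hmac
import hashlib

# Constructed example secret (not a real VK application key).
SECRET = "example-app-secret"

def vk_sign_string(params):
    """Concatenate parameter values in arrival order, skipping 'hash' and
    'sign', exactly as the PHP snippet does. Assumes the dict keeps the order
    in which the query parameters were received (the string is order-dependent)."""
    return "".join(value for key, value in params.items()
                   if key not in ("hash", "sign"))

def compute_vk_sign(params, secret):
    """HMAC-SHA256 over the concatenated values, hex-encoded like hash_hmac()."""
    return hmac.new(secret.encode("utf-8"),
                    vk_sign_string(params).encode("utf-8"),
                    hashlib.sha256).hexdigest()

def verify_vk_sign(params, secret):
    """True only when the received 'sign' equals our own computation.
    An empty secret or a missing 'sign' fails the check instead of being
    accepted (the PHP snippet yields an empty $sig for an empty secret).
    compare_digest keeps the comparison constant-time."""
    if not secret or "sign" not in params:
        return False
    expected = compute_vk_sign(params, secret)
    return hmac.compare_digest(expected, params["sign"])

def _signed_launch(params, secret):
    """Simulate VK's side: attach the signature it would send with the iframe."""
    signed = dict(params)
    signed["sign"] = compute_vk_sign(params, secret)
    return signed

# Constructed launch parameters; VK's real parameter names may differ.
GENUINE_PARAMS = _signed_launch(
    {"api_url": "https://api.vk.com/api.php",
     "viewer_id": "12345",
     "group_id": "67890"},
    SECRET)

if __name__ == "__main__":
    print(verify_vk_sign(GENUINE_PARAMS, SECRET))          # genuine launch
    tampered = dict(GENUINE_PARAMS, viewer_id="99999")    # user edited the iframe URL
    print(verify_vk_sign(tampered, SECRET))               # rejected
```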

Sn0wSky, 2017-01-03
@Viruz

https://jsfiddle.net/shm0kdta/
