Answer the question
In order to leave comments, you need to log in
How to check that the data is not forged (API VKontakte)?
VK recently included community apps. An iframe opens with parameters, but how do you know that the parameters are genuine, and not the user wrote it himself? VK offers the following solution:
$sign = "";
foreach ($request->getParams() as $key => $param) {
if ($key == 'hash' || $key == 'sign') continue;
$sign .=$param;
}
$secret = 'SECRET_KEY';
$sig = $secret ? hash_hmac('sha256', $sign, $secret) : "";
Answer the question
In order to leave comments, you need to log in
Count inside (on the server), compare with what you get from the user.
Of course it must match.
This is called a "digital signature". This is when you can be sure that the data transferred to you is genuine. Are you familiar with one-way encryption like MD5, SHA1, SHA256, etc.? This is the process where you encrypt data so that it cannot be decrypted. The only thing that can be done with encrypted data is to perform reconciliation. For example, when you download a file from a torrent tracker, the hash sum of the file is indicated there. When you download a file, you should check if the hash on the tracker matches the hash of the file you downloaded. If it does not match, it means that the file was damaged during the download process, in short, it does not match the original. Here, digital signatures work in approximately the same way on VKontakte, payment systems, and many other services.
Before giving you "launch parameters" (user ID, group ID from where you launched it, etc.), VKontakte reads the digital signature by mixing the application's secret key into it. Without knowing the secret key of the application, no one will be able to generate a valid digital signature. In the code example you provided, VKontakte shows how they generate a digital signature for themselves, so that you understand how it generally works. You must use the same algorithm to generate a signature on the server and, when starting the application, check whether the signature you generated matches the one that VKontakte gives you. If it matches, then the user did not tamper with the launch options. If it does not match, then you can block access to some functions of your application or discard some HTTP error, for example, 400 or 401.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question