问题
I have made a API script for my website, so people can login from another website. It's using PHP cuRL to POST data to my website.
I'm using a api key (md5 hash of the website) to verify the website with my MySQL database. But when someone is using my API Client (PHP cURL), they also can save the username's and passwords of my user's.
How can i prevent this?
回答1:
You might want to consider using OAuth. It's designed for exactly what you want to do.
回答2:
I someone is typing their username and password onto a website other than your own, there is no way for you to prevent the owner of the website from capturing it...
回答3:
What you'll want to do is have your site generate a secure set of credentials for the users account, similar to a username/password, but only to be used by the API. Also, prevent this new set of credentials from having the ability to do things like delete the user's account or change email address.
Also, give the users the ability to have their API credentials changed if they want (in case a third party gets it and the user no longer wants them to have access).
来源:https://stackoverflow.com/questions/5188192/having-security-in-api-system-php-curl