提问人:Leslie Hoang 提问时间:5/9/2023 最后编辑:Leslie Hoang 更新时间:5/9/2023 访问量:59
Symfony - 如何保护 API 控制器?我还能做些什么?
Symfony - How to secure API Controller? What else can I do?
问:
嗨,我正在为一家公司创建一个 react native 应用程序,该应用程序用于工资单信息。他们已经建立了一个symfony网站。我希望能够连接到实时 api,进而连接到数据库。我要求负责服务器的当前员工删除检查用户 IP 地址的代码行(**粗体)。他厌倦了将敏感数据库暴露在互联网上。
API 代码在下面。我能做些什么来加强安全性吗?还是我没有考虑的另一种方法?
public function login(Request $request) {
$username = $request->request->get('UserVar');
$password = $request->request->get('PassVar');
$key = $request->request->get('KeyVar');
if (isset($username) and isset($password) **and ( in_array($this->getParameter('portal_ip'), explode(',', getenv('HTTP_X_FORWARDED_FOR'))))** and $key == 'THISISTHEKEYHARDCODED') {
$em = $this->getDoctrine()->getManager();
$RAW_QUERY = 'SELECT * FROM employee where md5(username) = :username and md5(password) = :password and useraccess = 1 ;';
$statement = $em->getConnection()->prepare($RAW_QUERY);
$statement->bindValue('username', $username);
$statement->bindValue('password', $password);
$statement->execute();
$result = $statement->fetchAll();
if (count($result) == 1) {
$location = $this->getDoctrine()->getRepository('App\Entity\Location')->find($result[0]['location'])->getLocName();
$log = new Log();
$log->setUSER(0);
$log->setENT('employee');
$log->setENTID($result[0]['id']);
$log->setACT('LOGIN');
$log->setMESSAGE(serialize(array('Employee has logged into portal')));
$log->setACTDATE(new \DateTime);
$log->setIP(getenv('HTTP_X_FORWARDED_FOR'));
$em->persist($log);
$em->flush();
return new JsonResponse(array('success', 'THISISRANDOMSTRINGOFNUMBERS', $result[0]['id'], $result[0]['firstname'] . ' ' . $result[0]['lastname'], md5($result[0]['password']), $location, $result[0]['location']));
} else {
return new JsonResponse(array('error', 'THISISRANDOMSTRINGOFNUMBERS'));
}
} else {
return new JsonResponse(array('nope'));
//throw new NotFoundHttpException('Sorry not existing!');
}
}
我是新手,我是一名带薪实习生。
答: 暂无答案
评论