Over the past year most PHP developers have been working hard, on things such as the Taobao redesign, cloud computing, the Tencent open platform and online games. PHP is indispensable to all of this work. I believe the PHP language can continue to lead the industry for another 10 years, and we look forward to the next 50 years, even 100 years, when PHP will still be this powerful. We are all small members of this community; apart from PHP we are not good at much else and it is hard to make a living otherwise, so let's work hard.
What do active and passive mean? For example, if you walk into the boss's office and ask for a raise, that is taking the initiative: whether from your own point of view or the boss's, you are proactive, positive and optimistic. If instead the boss calls you into the office, asks you to architect Taobao and gives you a 20% raise, that is passive: once you agree, you are in the passive position. That is the simple way to understand it, and you will run into the same awkward active-versus-passive problems in development. Let's look at an example.
A client site
When a user successfully purchases a product on the buy_qq site, the site notifies the QQ master server over HTTP:
file_get_contents('/?add_saleinfo=buy_qq&orderid=12345&pay=888&email=a@');
This code looks safe enough as it stands, but what is the reality? If this interface is ever disclosed, the consequences are incalculable: anyone can forge order information and push it in, no matter how you restrict the origin or check the data. Step back and the real danger is the person who wrote this code. So everyone asks: since you are the one writing the code, how do you prevent it? The answer is to change from passive to active. The /?add_saleinfo=buy_qq endpoint no longer accepts any order information; it receives only a token value. After receiving the token, the interface calls back the seller's query interface and only then writes the order to the database. Ordinary users can no longer create a token value, and even someone who knows the query interface cannot affect it. The receiving side is now the active party: instead of blindly inserting whatever arrives, it actively analyzes and decides what gets written to the database.
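The passive endpoint beside its active replacement, as an added example that is not the post's own code. The seller site name "buy_qq", the master server URL, the query interface path and all table and column names are assumptions; the database is assumed to be MySQL with a unique index on sales.orderid.

```php
<?php
declare(strict_types=1);
// Added example: not the post's own code. URLs, tables and columns are assumed.

const MASTER_NOTIFY_URL = 'https://master.example/?add_saleinfo=buy_qq'; // assumed
const SELLER_QUERY_URL  = 'https://buyqq.example/query_order.php';       // assumed

// ---- PASSIVE (the original shape): the receiver trusts the request ----
function add_saleinfo_passive(array $get, PDO $db): void
{
    // Anyone who learns this URL can forge orderid, pay and email.
    $stmt = $db->prepare('INSERT INTO sales (orderid, pay, email) VALUES (?, ?, ?)');
    $stmt->execute([$get['orderid'], $get['pay'], $get['email']]);
}

// ---- ACTIVE: seller side ----
// A token is minted only for an order the seller has already marked paid;
// it is random, stored with the order, and never derived from user input.
function issue_order_token(PDO $db, int $orderid): string
{
    $token = bin2hex(random_bytes(16)); // 32 hex chars, not guessable
    $stmt = $db->prepare('UPDATE orders SET token = ? WHERE id = ? AND paid = 1');
    $stmt->execute([$token, $orderid]);
    if ($stmt->rowCount() !== 1) {
        throw new RuntimeException('order not paid or not found');
    }
    return $token;
}

// The notification now carries nothing but the token.
function notify_master(string $token): void
{
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    file_get_contents(MASTER_NOTIFY_URL . '&token=' . rawurlencode($token), false, $ctx);
}

// query_order.php: answers only for a token the seller minted itself.
function answer_query(PDO $db, string $token): string
{
    $stmt = $db->prepare(
        'SELECT id AS orderid, pay, email FROM orders WHERE token = ? AND paid = 1'
    );
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return json_encode($row ?: ['error' => 'unknown token']);
}

// ---- ACTIVE: master server side ----
// Pull the real order from the seller's query interface. The URL is fixed in
// code, so a caller cannot point the master at a server of their choosing.
function fetch_order_by_token(string $token): ?array
{
    if (!preg_match('/^[a-f0-9]{32}$/', $token)) {
        return null; // not even the shape of a token we would be sent
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
    $body = file_get_contents(SELLER_QUERY_URL . '?token=' . rawurlencode($token), false, $ctx);
    if ($body === false) {
        return null;
    }
    $order = json_decode($body, true);
    if (!is_array($order) || !isset($order['orderid'], $order['pay'], $order['email'])) {
        return null;
    }
    return $order;
}

function add_saleinfo_active(array $get, PDO $db): bool
{
    $order = fetch_order_by_token($get['token'] ?? '');
    if ($order === null) {
        return false;
    }
    // Idempotent insert: a replayed token must not record the same sale twice.
    $stmt = $db->prepare('INSERT IGNORE INTO sales (orderid, pay, email) VALUES (?, ?, ?)');
    $stmt->execute([(int)$order['orderid'], $order['pay'], $order['email']]);
    return $stmt->rowCount() === 1;
}
```

The point of the split is that the master server never acts on data the caller supplied: the notification is only a hint to go and look, the order itself comes from the seller over a URL that lives in the master's own code, and the seller answers only for tokens it minted after marking the order paid. Logging every token that fails the shape check or the lookup gives you a cheap signal that someone is probing the endpoint.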
The same principle applies to Taobao affiliate webmasters. For example, some browsers were exposed a while ago for modifying the pid value in web pages, causing users heavy losses. This is the result of being passive. The PHP was written like this: PHP requests the Taobao API, receives the product information, and inside it there is a product purchase link. It is this purchase link that puts the webmaster in the passive position: a link placed directly as an href on the page can be collected and modified by the browser, and, as you understand by now, the pid represents money. Later someone thought this problem through and switched from passive to active: instead of displaying the product link directly, it is routed through a PHP script. The URLs users see look like /tao/?sid=aaaa333, and the sid is definitely not a pid value. All the work is done server-side by that script, which actively performs the analysis and security checks.
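The sid indirection described above, as an added example that is not the post's own code. The tao_links table, its columns and the allowed-host list are assumptions; the host is a placeholder, not a real Taobao domain.

```php
<?php
declare(strict_types=1);
// Added example, not the post's own code. Table, columns and hosts are assumed.

const ALLOWED_HOSTS = ['shop.example']; // placeholder for the real shop host(s)

// When rendering the page, store the real purchase link (with the pid in it)
// server-side and hand the page only an opaque sid.
function register_product_link(PDO $db, string $purchaseUrl): string
{
    $sid = bin2hex(random_bytes(8)); // 16 hex chars, carries no pid
    $stmt = $db->prepare('INSERT INTO tao_links (sid, url) VALUES (?, ?)');
    $stmt->execute([$sid, $purchaseUrl]);
    return $sid;
}

// What goes into the HTML: <a href="/tao/?sid=...">, never the pid link.
function product_href(string $sid): string
{
    return '/tao/?sid=' . rawurlencode($sid);
}

// Resolve a sid to its stored link; null means malformed or unknown.
function resolve_sid(PDO $db, string $sid): ?string
{
    if (!preg_match('/^[a-f0-9]{16}$/', $sid)) {
        return null;
    }
    $stmt = $db->prepare('SELECT url FROM tao_links WHERE sid = ?');
    $stmt->execute([$sid]);
    $url = $stmt->fetchColumn();
    if ($url === false) {
        return null;
    }
    // Only redirect to hosts we expect, so a tampered row cannot turn
    // /tao/ into an open redirect.
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || !in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

// /tao/index.php: the script does the work, not the browser.
function tao_redirect(PDO $db, array $get): void
{
    $url = resolve_sid($db, $get['sid'] ?? '');
    if ($url === null) {
        http_response_code(404);
        exit('unknown sid');
    }
    header('Location: ' . $url, true, 302);
    exit;
}
```

One caveat worth keeping in mind: this removes the pid from the page source, which is what the exposed browsers were harvesting, but the browser still sees the 302 target. Treat it as taking the pid out of the HTML and as a place to log and rate-limit suspicious sid lookups, not as a complete defence against a browser that is already hostile.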
QQ Connect 2.0 is now widely used on websites. How do you protect user security when it is the backbone of your user data, and improve security without sacrificing access speed? The current QQ login flow is as follows. First, the appid, appkey and callbackurl are combined into a login link and the user is redirected to it. This is why many sites can jump to the QQ login page by directly accessing a URL: these parameters are fixed, and the security is quite good. The login step itself is the single sign-on that PHPers often talk about. After logging in, QQ redirects straight to the callbackurl page. The information the callbackurl receives at this point is still not enough to prove that the user logged in successfully; it only gets a token value. So in the second step, the site uses the token to query the user's openid on the QQ API interface, and only then is login complete. In this way QQ keeps the initiative: the query result is not a simple yes or no, but a set of parameters and prompt messages that stay compatible however they grow later. Tencent holds the initiative, which matters a great deal for a company with hundreds of millions of users. Internally, security also enforces the mapping between domain names and appids, token expiry checks and IP restrictions. Technically, Tencent has all of this in place.
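The two-step login from the site's side, as an added example that is not the post's code and not Tencent's SDK. The endpoint URLs, credentials, callback path and the JSON field names (openid, expires_at) are placeholders and assumptions; the state parameter is an extra safeguard the post does not describe.

```php
<?php
declare(strict_types=1);
// Added example: not the post's code and not Tencent's SDK. All endpoints,
// credentials and response field names below are placeholders/assumptions.
session_start();

const QQ_LOGIN_URL  = 'https://qq.example/oauth/login';   // placeholder
const QQ_OPENID_URL = 'https://qq.example/oauth/openid';  // placeholder
const APP_ID        = 'your-appid';                        // placeholder
const APP_KEY       = 'your-appkey';                       // placeholder, server-side only
const CALLBACK_URL  = 'https://yoursite.example/qq_callback.php';

// Step 1: build the fixed login link. Only the appid and callbackurl go to
// the browser; the appkey is a secret and stays on the server.
function build_login_url(): string
{
    $state = bin2hex(random_bytes(16)); // extra CSRF safeguard, not in the post
    $_SESSION['qq_state'] = $state;
    return QQ_LOGIN_URL . '?' . http_build_query([
        'appid'       => APP_ID,
        'callbackurl' => CALLBACK_URL,
        'state'       => $state,
    ]);
}

// Step 2: the token alone proves nothing; ask the provider who it belongs to.
function resolve_openid(string $token): ?string
{
    $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
    $resp = file_get_contents(QQ_OPENID_URL . '?' . http_build_query([
        'appid'  => APP_ID,
        'appkey' => APP_KEY,
        'token'  => $token,
    ]), false, $ctx);
    if ($resp === false) {
        return null;
    }
    $data = json_decode($resp, true);
    // The provider may add fields later; require only what we actually use.
    if (!is_array($data) || empty($data['openid']) || !is_string($data['openid'])) {
        return null;
    }
    if (isset($data['expires_at']) && (int)$data['expires_at'] < time()) {
        return null; // expired token: treat exactly like a failed lookup
    }
    return $data['openid'];
}

// qq_callback.php: nothing in $_GET is trusted except as input to the lookup.
function handle_callback(array $get): ?string
{
    $expected = $_SESSION['qq_state'] ?? '';
    unset($_SESSION['qq_state']);
    if ($expected === '' || !hash_equals($expected, (string)($get['state'] ?? ''))) {
        return null;
    }
    $token = (string)($get['token'] ?? '');
    if ($token === '') {
        return null;
    }
    $openid = resolve_openid($token);
    if ($openid === null) {
        return null;
    }
    session_regenerate_id(true); // new session id once the user is authenticated
    $_SESSION['openid'] = $openid;
    return $openid;
}
```

The shape mirrors the post's point: the callback is where the site would be passive if it trusted the parameters it was handed, so the only thing it does with them is hand the token back to the provider and let the provider's answer decide. Treating an expired token the same as an unknown one keeps one code path for "not logged in".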
There are many examples like this; PayPal and Alipay work in similar ways.