Example of API signature generation and verification in PHP development


This article describes how signatures are generated and verified for a PHP API interface. The details are as follows, for your reference:

During development we constantly deal with interfaces: sometimes we call another site's interface, sometimes we expose our own interface for others to call. In either direction, every call has to be protected by signature verification.

When designing signature verification, pay attention to the following points:

  • Variability: every signature must differ from every other one.
  • Timeliness: each request has a time limit; once it has expired the request is rejected.
  • Uniqueness: each signature is unique and cannot be used twice.
  • Integrity: the signature covers the transmitted data, so tampering can be detected.

1、 Method of generating the signature parameter sign

Step 1: take all parameters (note: all of them) except sign itself and any parameter whose value is empty, and sort them in ascending order of parameter name.

Step 2: concatenate the sorted parameters as parameter1value1parameter2value2...parameterNvalueN into a single string. Names and values must be the raw values as transmitted; they must not be transformed in any way before being concatenated.

Step 3: prepend the authentication key assigned to the calling party (the key is issued by the interface provider to the party accessing the interface) to the string obtained in step 2.

Step 4: calculate the MD5 value (32 hex characters) of the string from step 3 and convert it to uppercase. The resulting string is the value of sign.

An example:

Suppose the request is /interface.php?sign=sign_value&p2=v2&p1=v1&method=cancel&p3=&pn=vn (sending it by POST is preferable), where sign_value, the value of the sign parameter, is the signature.

Step 1: remove the sign parameter itself and the empty parameter p3, leaving p2=v2&p1=v1&method=cancel&pn=vn, then sort by parameter name in ascending order: method=cancel&p1=v1&p2=v2&pn=vn.

Step 2: concatenate each parameter name with its value to get methodcancelp1v1p2v2pnvn.

Step 3: prepend the authentication key to the string above. Assuming the key is abc, the new string is abcmethodcancelp1v1p2v2pnvn.

Step 4: compute the MD5 of that string. Suppose the result is abcdef; converting it to uppercase gives ABCDEF, which is the sign value.

Note: before calculating the MD5, make sure the interface provider and the calling party use the same string encoding, for example both UTF-8 or both GBK. If the encodings differ, the two sides compute different signatures and verification fails.

2、 Signature verification method:

Following the rules above for generating the signature parameter sign, compute the signature over the received parameters and compare it with the value of the sign parameter carried in the request. If the two match, verification passes; if not, the parameters have been modified.
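The four steps of section 1 and the comparison of section 2, written out as PHP functions. This is an added example, not code from the original article; it uses the article's own illustration values (key abc, parameters method, p1, p2, p3, pn). The function names makeSign() and verifySign() are chosen here, and the constant-time comparison with hash_equals() is an addition the article does not mention.

```php
<?php
// Added example (not from the original article): the four-step signing rule
// from sections 1 and 2 as two functions. The parameter names, values and
// key below are the article's own illustration values.

/**
 * Build the sign value for $params using the shared key $key:
 * drop 'sign' and empty-valued parameters, sort by parameter name,
 * concatenate name.value using the raw values, prepend the key,
 * MD5, then upper-case.
 */
function makeSign(array $params, string $key): string
{
    // Step 1: drop sign itself and parameters whose value is empty.
    $filtered = [];
    foreach ($params as $name => $value) {
        if ($name === 'sign' || $value === '' || $value === null) {
            continue;
        }
        $filtered[$name] = $value;
    }
    // Sort by parameter name as strings (byte order), ascending.
    ksort($filtered, SORT_STRING);

    // Step 2: concatenate name1value1name2value2... with the raw values;
    // no URL encoding or any other transformation is applied.
    $plain = '';
    foreach ($filtered as $name => $value) {
        $plain .= $name . $value;
    }

    // Step 3: prepend the key assigned to the calling party.
    // Step 4: MD5 (32 hex characters), upper-cased.
    return strtoupper(md5($key . $plain));
}

/**
 * Verify the sign carried in $params; true only if it matches.
 * hash_equals() compares in constant time (an addition to the article's
 * plain comparison).
 */
function verifySign(array $params, string $key): bool
{
    if (!isset($params['sign']) || !is_string($params['sign'])) {
        return false;
    }
    return hash_equals(makeSign($params, $key), $params['sign']);
}

// The article's example: key "abc"; request carrying sign, p2, p1, method,
// p3 (empty) and pn.
$key = 'abc';
$request = [
    'sign'   => '',        // filled in below
    'p2'     => 'v2',
    'p1'     => 'v1',
    'method' => 'cancel',
    'p3'     => '',        // empty value: excluded from the signed string
    'pn'     => 'vn',
];
$request['sign'] = makeSign($request, $key);

// The signed string must be "abcmethodcancelp1v1p2v2pnvn", exactly as in
// the article's walk-through.
if ($request['sign'] !== strtoupper(md5('abcmethodcancelp1v1p2v2pnvn'))) {
    throw new RuntimeException('canonical string does not match the article');
}
var_dump(verifySign($request, $key));

// Changing any signed value breaks verification.
$tampered = $request;
$tampered['method'] = 'refund';
var_dump(verifySign($tampered, $key));
```

Run it with the PHP CLI; the first var_dump() reports true and the second false. Because the empty parameter p3 is dropped on both sides, a caller may omit it or send it empty and obtain the same sign, which is exactly the behaviour step 1 prescribes.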

3、 Let’s look at the code directly

<?php
//Set a public key and a private key. The public key identifies the user. The private key signs the data and must not be disclosed
$key = "c4ca4238a0b923820dcc509a6f75849b";
$secret = "28c8edde3d61a0411511d3b1866f0636";

//Packets to be sent
$data = array(
  'username' => 'user@example.com',  // sample address
  'sex' => '1',
  'age' => '16',
  'addr' => 'guangzhou',
  'key' => $key,
  'timestamp' => time(),
);

//Get sign
function getSign($secret, $data) {
  //The sign field itself is never part of the signed string
  unset($data['sign']);
  //Query-string form of the array (http_build_query sorts nothing; the array order is used as-is)
  $params = http_build_query($data);
  //Generate sign
  $sign = md5($params . $secret);
  return $sign;
}

//Data sent plus sign
$data['sign'] = getSign($secret, $data);

/**
 * Verify whether the sign is legal in the background
 * @param string $secret private key looked up from the caller's public key
 * @param array  $data   received parameters, including sign and timestamp
 * @return bool          true if the request is accepted
 */
function verifySign($secret, $data) {
  //Verify that there is a signature in the parameter
  if (!isset($data['sign']) || !$data['sign']) {
    echo 'the data signature sent does not exist';
    return false;
  }
  if (!isset($data['timestamp']) || !$data['timestamp']) {
    echo 'the data parameter sent is illegal';
    return false;
  }
  //Verification request, 10 minutes invalid
  if (time() - $data['timestamp'] > 600) {
    echo 'validation failed, please resend the request';
    return false;
  }
  $sign = $data['sign'];
  //Rebuild the signed string without the sign field, exactly as getSign() did
  unset($data['sign']);
  $params = http_build_query($data);
  //$secret is obtained by querying the API database through key
  $sign2 = md5($params . $secret);
  //Constant-time comparison of the two signatures
  if (hash_equals($sign2, (string)$sign)) {
    echo 'validation passed';
    return true;
  } else {
    echo 'the request is illegal';
    return false;
  }
}

verifySign($secret, $data);
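The code above checks integrity and timeliness but nothing stops an intercepted, still-fresh request from being delivered a second time. As an added example (not the article's code), the following extends the article's http_build_query + md5 scheme with the remaining points from the design list at the top: a two-sided timestamp window for timeliness and a per-request nonce for uniqueness. The names signRequest() and checkRequest(), the nonce field and the in-memory $seenNonces array are assumptions for this example; a deployment would keep seen nonces in a shared store such as a database or cache.

```php
<?php
// Added example (not from the original article): freshness and replay checks
// layered on the article's md5(http_build_query($data) . $secret) scheme.
// $seenNonces is a plain array standing in for a shared store.

const MAX_SKEW_SECONDS = 600; // the same 10-minute window the article uses

/** The article's signing rule: query-string form of the data, then the secret, then MD5. */
function signRequest(array $data, string $secret): string
{
    unset($data['sign']);
    return md5(http_build_query($data) . $secret);
}

/**
 * Verify a request. $seenNonces is passed by reference so an accepted nonce
 * is remembered; $now is injected so the check can be exercised with a fixed
 * clock. Returns a short reason on failure, or null when the request is accepted.
 */
function checkRequest(array $data, string $secret, array &$seenNonces, int $now): ?string
{
    foreach (['sign', 'timestamp', 'nonce'] as $field) {
        if (!isset($data[$field]) || $data[$field] === '') {
            return "missing $field";
        }
    }
    // Timeliness: reject requests outside the window in either direction, so a
    // timestamp set far in the future cannot be stored and replayed later.
    if (abs($now - (int)$data['timestamp']) > MAX_SKEW_SECONDS) {
        return 'expired';
    }
    // Integrity: the signature must match, compared in constant time.
    if (!hash_equals(signRequest($data, $secret), (string)$data['sign'])) {
        return 'bad signature';
    }
    // Uniqueness: a nonce is accepted once within the window.
    $nonce = (string)$data['nonce'];
    if (isset($seenNonces[$nonce])) {
        return 'replayed';
    }
    $seenNonces[$nonce] = (int)$data['timestamp'];
    // Forget nonces old enough that the timestamp check rejects them anyway,
    // so the store does not grow without bound.
    foreach ($seenNonces as $n => $ts) {
        if ($now - $ts > MAX_SKEW_SECONDS) {
            unset($seenNonces[$n]);
        }
    }
    return null;
}

// Constructed sample: a client signs a request carrying a timestamp and a random nonce.
$secret = '28c8edde3d61a0411511d3b1866f0636';  // the article's sample secret
$seen = [];
$now = 1700000000;                              // fixed clock for the demonstration

$request = [
    'username'  => 'user@example.com',
    'age'       => '16',
    'timestamp' => (string)$now,
    'nonce'     => bin2hex(random_bytes(16)),
];
$request['sign'] = signRequest($request, $secret);

printf("first delivery:  %s\n", checkRequest($request, $secret, $seen, $now) ?? 'accepted');
// The identical message delivered again is a replay even though its sign is valid.
printf("second delivery: %s\n", checkRequest($request, $secret, $seen, $now) ?? 'accepted');
// An altered field invalidates the signature.
$tampered = $request;
$tampered['age'] = '99';
printf("tampered:        %s\n", checkRequest($tampered, $secret, $seen, $now) ?? 'accepted');
// A request presented an hour later is stale and is rejected before the signature is checked.
printf("stale:           %s\n", checkRequest($request, $secret, $seen, $now + 3600) ?? 'accepted');
```

Because the nonce and timestamp are part of $data, they are covered by the signature: a replayer cannot refresh either field without also knowing $secret. Order the checks as shown, cheapest first, so a flood of stale or malformed requests is discarded before any hashing or store lookup happens.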


I hope this article will help you with PHP programming.