
php file_get_contents for post and consuming REST

In a sample code I provided for a recent interview, I used file_get_contents for consuming their web service (nothing special, sending some custom headers for a POST request). I find other methods like curl unnecessarily complex and verbose, and use file_get_contents for most of the "client" stuff I do with PHP.

One interviewer argued that file_get_contents is not recommended for anything but GET requests. I did not object on the spot but went back and googled a little bit. I can't find any reliable answers on his assertion of this "commonly known fact".

Can anyone point at some disadvantages of using file_get_contents in this context? Also, can anyone point me to a resource where they eliminate file_get_contents as a good practice?

Thanks.

From a security perspective, using file_get_contents() is generally not a good idea.

allow_url_fopen

For file_get_contents() to be able to use remote sources, the setting allow_url_fopen must be enabled. But when enabling this setting, all other stream-related functions in PHP (like include and require) are also allowed to use remote sources. This could allow attacks like Remote File Execution.

When using another tool, like cURL, you can disable allow_url_fopen (it's enabled by default).

SSL/TLS

PHP streams are insecure over SSL/TLS by default. Luckily this can be corrected, but it does need attention before you can securely use HTTPS/FTPS sources.

A remaining issue is that PHP is unable to match Subject Alternative Names in certificates (which many certificates use). This means that (when configured securely) PHP can reject a valid certificate. In order to circumvent this, you'll need to disable CN matching, which opens you up to Man In The Middle attacks.

cURL, on the other hand, is fully secure by default, and does support SAN matching.

Survive The Deep End: PHP Security

Pádraic Brady is writing a book on PHP Security, which has this chapter that you might want to read.

Guzzle

You might want to have a look at Guzzle:

Guzzle is a PHP HTTP client that makes it easy to work with HTTP/1.1 and takes the pain out of consuming web services. It uses cURL by default.

You can use file_get_contents() for more than simple GET requests, by passing a stream_context. But then it will soon get as complex as with cURL or others, while being (IMHO) less intuitive.

It is true, as pointed out by Jasper, that file_get_contents() requires allow_url_fopen=1, which again may be a security threat. However, allow_url_fopen is active on most hosts anyway, and personally I think there are worse security pitfalls in PHP.

My conclusion would be: if you build an application only for yourself, use file_get_contents() or cURL. If you need portability, use one of the libraries that implement HTTP clients on raw sockets, such as Snoopy.
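The two answers above both turn on the same details: file_get_contents() only becomes a usable REST client once you hand it a stream context, and it only becomes a safe one once that context pins down TLS verification and a timeout. The following is an added example, not code from the question or from any answer on this page. Two caveats worth knowing: PHP 5.6 changed the stream defaults so that peers and host names (including Subject Alternative Names) are verified, which is why the ssl options below are set explicitly rather than trusted to the defaults; and include/require of URLs is governed by the separate allow_url_include directive (off by default since PHP 5.2), not by allow_url_fopen alone. The endpoint URL, CA bundle path and payload are assumptions for illustration only.

```php
<?php
// Added example (not from the original question or answers): a JSON POST to a
// REST endpoint through file_get_contents() with an explicit stream context.
// Endpoint, CA bundle path and payload below are assumed values.
declare(strict_types=1);

function post_json(string $url, array $payload, string $cafile, int $timeout = 10): array
{
    // file_get_contents() cannot open URLs at all when this directive is off.
    if (!ini_get('allow_url_fopen')) {
        throw new RuntimeException('allow_url_fopen is disabled; cannot fetch URLs with file_get_contents()');
    }
    $body = json_encode($payload, JSON_THROW_ON_ERROR);

    $context = stream_context_create([
        'http' => [
            'method'          => 'POST',
            'header'          => implode("\r\n", [
                'Content-Type: application/json',
                'Accept: application/json',
                'Content-Length: ' . strlen($body),
            ]),
            'content'         => $body,
            'timeout'         => $timeout,   // seconds; otherwise default_socket_timeout applies
            'ignore_errors'   => true,       // hand back 4xx/5xx bodies instead of returning false
            'follow_location' => 0,          // do not silently follow redirects to another host
        ],
        'ssl' => [
            // Explicit on purpose: these are the PHP >= 5.6 defaults, but stating them
            // fails closed on older builds and on hosts whose php.ini overrides them.
            'verify_peer'         => true,
            'verify_peer_name'    => true,
            'allow_self_signed'   => false,
            'cafile'              => $cafile,
            'disable_compression' => true,   // avoid TLS compression (CRIME-style leaks)
        ],
    ]);

    $response = @file_get_contents($url, false, $context);
    if ($response === false) {
        // TLS verification failures, DNS errors and timeouts all land here.
        $err = error_get_last();
        throw new RuntimeException('request failed: ' . ($err['message'] ?? 'unknown error'));
    }

    // The http wrapper populates $http_response_header in the calling scope.
    if (!isset($http_response_header[0])
        || !preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $http_response_header[0], $m)) {
        throw new RuntimeException('malformed or missing status line');
    }

    return ['status' => (int) $m[1], 'headers' => $http_response_header, 'body' => $response];
}

// Usage with assumed endpoint and CA bundle.
$result = post_json(
    'https://api.example.test/v1/orders',
    ['sku' => 'ABC-123', 'qty' => 2],
    '/etc/ssl/certs/ca-certificates.crt',
);

if ($result['status'] >= 400) {
    fwrite(STDERR, "server rejected request: HTTP {$result['status']}\n");
    exit(1);
}
$order = json_decode($result['body'], true, 512, JSON_THROW_ON_ERROR);
```

Note that without ignore_errors a 4xx or 5xx response makes file_get_contents() return false and you lose the body, which is usually where a REST API puts its error message; and without the explicit timeout a stalled server ties up the PHP worker for the full default_socket_timeout.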

Best for this is to use Curl, since Curl has many settings:

  • The ability to specify a request timeout
  • The ability to choose GET or POST
  • The ability to pass cookies
  • The ability to use BASIC AUTH
  • etc.

For all of these and other such things it is difficult to use file_get_contents. Using curl is not so difficult; I recommend writing a wrapper class.
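The wrapper class the answer above recommends, as an added example rather than code from this page: it covers the four items in the list (timeout, GET/POST, cookies, basic auth) and sets the TLS and protocol options explicitly so the client fails closed. The base URL, credentials and cookie jar path are assumptions for illustration only.

```php
<?php
// Added example (not from any answer on this page): a minimal cURL wrapper
// covering timeout, GET/POST, cookies and basic auth. Host and credentials
// below are assumed values.
declare(strict_types=1);

final class HttpClient
{
    private string $cookieJar;

    public function __construct(
        private string $baseUrl,
        private ?string $basicAuth = null,   // "user:password", or null for no auth
        private int $timeout = 10,           // seconds, applied to connect and transfer
        ?string $cookieJar = null,
    ) {
        // Cookies received from the server are persisted here and sent back later.
        $this->cookieJar = $cookieJar ?? tempnam(sys_get_temp_dir(), 'cj');
    }

    public function get(string $path, array $headers = []): array
    {
        return $this->request('GET', $path, null, $headers);
    }

    public function postJson(string $path, array $payload, array $headers = []): array
    {
        $headers[] = 'Content-Type: application/json';
        return $this->request('POST', $path, json_encode($payload, JSON_THROW_ON_ERROR), $headers);
    }

    private function request(string $method, string $path, ?string $body, array $headers): array
    {
        $ch = curl_init($this->baseUrl . $path);
        $opts = [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CUSTOMREQUEST  => $method,
            CURLOPT_HTTPHEADER     => $headers,
            CURLOPT_CONNECTTIMEOUT => $this->timeout,
            CURLOPT_TIMEOUT        => $this->timeout,
            CURLOPT_FOLLOWLOCATION => false,            // never follow redirects blindly
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse http://, file://, gopher:// ...
            CURLOPT_SSL_VERIFYPEER => true,             // the default, stated so it cannot drift
            CURLOPT_SSL_VERIFYHOST => 2,                // 2 = check the name (CN or SAN); 0 disables
            CURLOPT_COOKIEFILE     => $this->cookieJar, // read cookies saved by earlier requests
            CURLOPT_COOKIEJAR      => $this->cookieJar, // write cookies when the handle closes
        ];
        if ($body !== null) {
            $opts[CURLOPT_POSTFIELDS] = $body;
        }
        if ($this->basicAuth !== null) {
            $opts[CURLOPT_HTTPAUTH] = CURLAUTH_BASIC;
            $opts[CURLOPT_USERPWD]  = $this->basicAuth;
        }
        curl_setopt_array($ch, $opts);

        $responseBody = curl_exec($ch);
        if ($responseBody === false) {
            // Certificate failures, timeouts and refused protocols surface here.
            $msg = curl_error($ch);
            curl_close($ch);
            throw new RuntimeException("cURL error: $msg");
        }
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);

        return ['status' => $status, 'body' => $responseBody];
    }
}

// Usage with an assumed API and credentials.
$client  = new HttpClient('https://api.example.test', 'apiuser:s3cret', 5);
$created = $client->postJson('/v1/orders', ['sku' => 'ABC-123', 'qty' => 2]);
if ($created['status'] !== 201) {
    fwrite(STDERR, "unexpected HTTP {$created['status']}\n");
    exit(1);
}
$orderId = json_decode($created['body'], true, 512, JSON_THROW_ON_ERROR)['id'];
$fetched = $client->get('/v1/orders/' . rawurlencode((string) $orderId));
```

Restricting CURLOPT_PROTOCOLS to HTTPS is the one line people forget: with the library default, a redirect or a user-influenced URL can turn the client into a file:// or gopher:// reader, and CURLOPT_SSL_VERIFYHOST must be 2 (1 is rejected by modern libcurl).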
