无法在远程 API 服务器上接收通过 cURL 发送的入站 XML

Question

I am tasked with building an API to receive inbound XML data. On my client, I have this code.

 $url = "http://stackoverflow.com";
 $xml = '<?xml version="1.0" encoding="UTF-8"?><Request PartnerID="asasdsadsa" Type="TrackSearch"> <TrackSearch> <Title>love</Title>    <Tags> <MainGenre>Blues</MainGenre> </Tags> <Page Number="1" Size="20"/> </TrackSearch> </Request>';
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $url);
 curl_setopt($ch, CURLOPT_POST, true);
 curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: text/xml'));
 curl_setopt( $ch, CURLOPT_POSTFIELDS, "xml=".$payload );
 curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
 $request = curl_exec($ch);
 curl_close($ch);

On my remote server, I have this code

 function TransmitRx()
 {
    $xml = trim(file_get_contents('php://input'));
    file_put_contents("newStandard/".rand(100,500)."received.xml", $xml);
 }

 //Listen for inbound data 
 TransmitRx()

If I open up the server endpoint URL, there is an empty file saved. I don't know why. But when I run the client-side script. I get nothing. No errors. Nothing.

I have looked at several of the pages here and every one of them has a similar cURL statement to send data.

Why am I not receiving any post data at the API endpoint?

I have been unsuccessful at any information via the WWW.

UPDATE

Final Code that works:

function get_url($request_url, $payload)
{
        $headers = [
            "Access-Control-Allow-Origin: *",
            "Content-type: text/xml",
            "Content-length: " . strlen($payload),
            "Connection: close",

        ];

        $data = ['xml' => $payload];
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $request_url);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt( $ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt( $ch, CURLOPT_POST, true );
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

        $response = curl_exec($ch) or die(curl_error($ch));;

        if (curl_errno($ch)) {
            print curl_error($ch);
        } else {
            curl_close($ch);
        }

        return $response;
}

$request_url = 'https://stackoverflow.com/posts';
$response = get_url($request_url, $payload);

I wish I knew for sure what caused it to start working. I was reading this page last.

https://www.php.net/manual/en/curlfile.construct.php

Answer 1

Okay, so if adding the lines I suggested to disable certification / peer validation enabled the process to work, then that just means the remote server is using an SSL certificate that is not trusted by cURL.

Those lines are NOT the final fix. You never want to disable SSL validation in a real environment. I only suggested you temporarily disable them to see if that was truly the problem. If you leave them disabled, then you are leaving your code vulnerable to man-in-the-middle (MITM) attacks.

The correct fix is usually to point cURL at an updated CA bundle. The official cURL website graciously provides these here:

https://curl.haxx.se/docs/caextract.html

The process is that you download the CA bundle file and put it somewhere where your script can find it, and then add this curl option:

curl_setopt ($ch, CURLOPT_CAINFO, "full path to the CA bundle file.pem");

If the remote server's certificate came from any of the major CA vendors out there, this should be all you need to do.

If the remote server's certificate is self-signed or something then you might need to download the specific CA certificate and any supporting intermediate CA certificates and tell cURL to find them.