
php file_get_contents for post and consuming REST

On a sample code I provided for a recent interview, I used file_get_contents for consuming their web service (nothing special, sending some custom headers for a POST request). I find other methods like curl unnecessarily complex and verbose and use file_get_contents for most of the "client" stuff I do with PHP.

One interviewer argued that file_get_contents is not recommended for anything but GET requests. I did not object on the spot but went back and googled a little bit. I can't find any reliable answers on his assertion of this "commonly known fact".

Can anyone point at some disadvantages of using file_get_contents in this context? Also, can anyone point me to a resource where they eliminate file_get_contents as a good practice?

Thanks.

From a security perspective, using file_get_contents() is generally not a good idea.

allow_url_fopen

For file_get_contents() to be able to use remote sources, the setting allow_url_fopen must be enabled. But when enabling this setting, all other stream related functions in PHP (like include and require) are also allowed to use remote sources. This could allow attacks like Remote File Execution.

When using another tool, like cURL, you can disable allow_url_fopen (it's enabled by default).

SSL/TLS

PHP streams are insecure over SSL/TLS by default. Luckily this can be corrected, but it does need attention before you can securely use HTTPS/FTPS sources.

A remaining issue is that PHP is unable to match Subject Alternative Names in certificates (which many certificates use). This means that (when configured securely) PHP can reject a valid certificate. In order to circumvent this, you'll need to disable CN matching, which opens you up to Man In The Middle attacks.

cURL on the other hand is fully secure by default, and does support SAN matching.

Survive The Deep End: PHP Security

Pádraic Brady is writing a book on PHP Security, which has this chapter that you might want to read.

Guzzle

You might want to have a look at Guzzle:

Guzzle is a PHP HTTP client that makes it easy to work with HTTP/1.1 and takes the pain out of consuming web services. It uses cURL by default.

You can use file_get_contents() for more than simple GET requests, by passing a stream_context. But then it will soon get as complex as with cURL or others, while being (IMHO) less intuitive.

It is true, as pointed out by Jasper, that file_get_contents() requires allow_url_fopen=1, which again may be a security threat. However, allow_url_fopen is active on most hosts anyway, and personally I think there are worse security pitfalls in PHP.

My conclusion would be: If you build an application only for yourself, use file_get_contents() or cURL. If you need portability, use one of the libraries that implement HTTP clients on raw sockets, such as Snoopy.
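The two answers above make two separate points: the first that PHP streams need their TLS verification options set deliberately, the second that file_get_contents() can do a POST once you hand it a stream context. The following added example (my own code, not from either answer or from any library) shows both in one function: a JSON POST over HTTPS with custom headers, a timeout, and explicit `ssl` context options. The endpoint URL, bearer token and CA bundle path are placeholders. On PHP 5.6 and later `verify_peer` and `verify_peer_name` are already on by default and `verify_peer_name` matches Subject Alternative Names; stating them explicitly means the behaviour no longer depends on the PHP version or on a loosened php.ini.

```php
<?php
// Added example: HTTPS POST with file_get_contents() and a hardened stream context.
// Not code from the original answers. URL, token and CA path are placeholders.

declare(strict_types=1);

/**
 * POST a JSON payload and return [statusCode, responseHeaders, body].
 * Transport and TLS failures throw; HTTP 4xx/5xx are returned, not thrown,
 * because ignore_errors=true keeps the body of error responses.
 */
function postJson(string $url, array $payload, array $extraHeaders = [], ?string $caFile = null): array
{
    if (!ini_get('allow_url_fopen')) {
        // Without this setting the http(s):// wrapper is unavailable to every
        // stream function, which is the trade-off the first answer describes.
        throw new RuntimeException('allow_url_fopen is disabled; use cURL instead');
    }
    if (strncmp($url, 'https://', 8) !== 0) {
        throw new InvalidArgumentException('refusing to send credentials over plain http');
    }

    $body = json_encode($payload, JSON_THROW_ON_ERROR);
    $headers = array_merge([
        'Content-Type: application/json',
        'Accept: application/json',
        'Content-Length: ' . strlen($body),
    ], $extraHeaders);

    $options = [
        'http' => [
            'method'           => 'POST',
            'header'           => implode("\r\n", $headers),
            'content'          => $body,
            'timeout'          => 10,    // seconds; do not hang on a dead host
            'ignore_errors'    => true,  // return 4xx/5xx bodies instead of false
            'follow_location'  => 0,     // do not silently follow redirects (and resend headers)
            'protocol_version' => 1.1,
        ],
        'ssl' => [
            // Explicit verification so a cert error cannot be "fixed" in php.ini.
            'verify_peer'         => true,
            'verify_peer_name'    => true,  // hostname match, including SANs on PHP >= 5.6
            'allow_self_signed'   => false,
            'disable_compression' => true,  // TLS compression is a known weakness
        ],
    ];
    if ($caFile !== null) {
        $options['ssl']['cafile'] = $caFile; // pin to a specific CA bundle (placeholder path below)
    }

    $ctx = stream_context_create($options);
    $response = @file_get_contents($url, false, $ctx);
    if ($response === false) {
        $err = error_get_last();
        throw new RuntimeException('request failed: ' . ($err['message'] ?? 'unknown error'));
    }

    // $http_response_header is set in this scope by the http wrapper for the last request.
    $status = 0;
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, $http_response_header ?? [], $response];
}

// Usage with placeholder values (the host is not expected to exist):
try {
    [$status, $headers, $body] = postJson(
        'https://api.example.invalid/v1/items',
        ['name' => 'widget', 'qty' => 2],
        ['Authorization: Bearer <TOKEN-PLACEHOLDER>'],
        '/etc/ssl/certs/ca-certificates.crt' // assumed location of the system CA bundle
    );
    printf("HTTP %d, %d bytes\n", $status, strlen($body));
} catch (Throwable $e) {
    echo $e->getMessage(), "\n";
}
```

The `ignore_errors` and `follow_location` options are the two that most often surprise people: without the first, any non-2xx response makes file_get_contents() return false with only a warning to show for it; with the default of the second, a redirect is followed transparently, taking the Authorization header along with it.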

Curl is best for this. Curl has many settings:

  • The ability to specify a timeout request
  • The ability to choose GET or POST
  • The ability to pass cookies
  • The ability to use the BASIC AUTH
  • etc

For all of these and other such things, file_get_contents is difficult to use. To make using curl less difficult, I recommend writing a wrapper class.
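As an added illustration of the wrapper class this answer recommends (my own code, not from the answer or any project), here is a small cURL client that exposes the listed settings, timeout, GET or POST, a cookie jar and basic auth, while keeping TLS verification switched on and restricting the handle to http/https. The class and method names are invented; the URL, credentials and cookie path are placeholders.

```php
<?php
// Added example: a minimal cURL wrapper with timeout, method, cookies and basic auth.
// Not code from the original answer; names and sample values are placeholders.

declare(strict_types=1);

final class HttpClient
{
    private int $timeout;
    private ?string $cookieJar;
    private ?string $caFile;

    public function __construct(int $timeout = 10, ?string $cookieJar = null, ?string $caFile = null)
    {
        $this->timeout   = $timeout;
        $this->cookieJar = $cookieJar; // file used to persist cookies between calls (assumption)
        $this->caFile    = $caFile;    // optional pinned CA bundle
    }

    public function get(string $url, array $headers = [], ?array $basicAuth = null): array
    {
        return $this->request('GET', $url, null, $headers, $basicAuth);
    }

    public function post(string $url, array $form, array $headers = [], ?array $basicAuth = null): array
    {
        // http_build_query() gives application/x-www-form-urlencoded; cURL sets the
        // Content-Type itself when CURLOPT_POSTFIELDS is a string.
        return $this->request('POST', $url, http_build_query($form), $headers, $basicAuth);
    }

    private function request(string $method, string $url, ?string $body, array $headers, ?array $basicAuth): array
    {
        if ($basicAuth !== null && strncmp($url, 'https://', 8) !== 0) {
            throw new InvalidArgumentException('basic auth is base64, not encryption: require https');
        }
        $ch = curl_init($url);
        if ($ch === false) {
            throw new RuntimeException('curl_init failed');
        }
        $opts = [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HEADER         => true,       // response headers are prepended to the body
            CURLOPT_CONNECTTIMEOUT => $this->timeout,
            CURLOPT_TIMEOUT        => $this->timeout,
            CURLOPT_FOLLOWLOCATION => false,      // handle redirects deliberately, not silently
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, gopher://, ...
            CURLOPT_SSL_VERIFYPEER => true,       // cURL's defaults, set explicitly so a cert
            CURLOPT_SSL_VERIFYHOST => 2,          // error is not "fixed" by flipping them off
            CURLOPT_HTTPHEADER     => $headers,
            CURLOPT_CUSTOMREQUEST  => $method,
        ];
        if ($body !== null) {
            $opts[CURLOPT_POSTFIELDS] = $body;
        }
        if ($basicAuth !== null) {
            [$user, $pass] = $basicAuth;
            $opts[CURLOPT_HTTPAUTH] = CURLAUTH_BASIC;
            $opts[CURLOPT_USERPWD]  = $user . ':' . $pass;
        }
        if ($this->cookieJar !== null) {
            $opts[CURLOPT_COOKIEJAR]  = $this->cookieJar; // write cookies when the handle closes
            $opts[CURLOPT_COOKIEFILE] = $this->cookieJar; // send cookies stored from earlier calls
        }
        if ($this->caFile !== null) {
            $opts[CURLOPT_CAINFO] = $this->caFile;
        }
        curl_setopt_array($ch, $opts);

        $raw = curl_exec($ch);
        if ($raw === false) {
            $msg = curl_error($ch);
            curl_close($ch);
            throw new RuntimeException('cURL error: ' . $msg);
        }
        $status     = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $headerSize = (int) curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        curl_close($ch);

        return [
            'status'  => $status,
            'headers' => substr($raw, 0, $headerSize),
            'body'    => substr($raw, $headerSize),
        ];
    }
}

// Usage with placeholder host and credentials:
try {
    $client = new HttpClient(5, sys_get_temp_dir() . '/cookies.txt');
    $res = $client->post('https://api.example.invalid/login', ['user' => 'demo'], [], ['demo', 'secret']);
    printf("HTTP %d\n", $res['status']);
} catch (Throwable $e) {
    echo $e->getMessage(), "\n";
}
```

The verification options are not configurable through the constructor on purpose: the quickest way a wrapper class weakens an application is by growing a `$verifySsl = false` flag for "just this one host".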
