In sample code I provided for a recent interview, I used file_get_contents for consuming their web service (nothing special, sending some custom headers for a POST request). I find other methods like curl unnecessarily complex and verbose and use file_get_contents for most of the "client" stuff I do with PHP.
One interviewer argued that file_get_contents is not recommended for anything but GET requests. I did not object on the spot but went back and googled a little bit. I can't find any reliable answers on his assertion of this "commonly known fact".
Can anyone point at some disadvantages for using file_get_contents in this context? Also can anyone point me to a resource where they eliminate file_get_contents as a good practise?
Thanks.
From a security perspective, using file_get_contents() is generally not a good idea.
For file_get_contents() to be able to use remote sources, the setting allow_url_fopen must be enabled. But when enabling this setting, all other stream related functions in PHP (like include and require) are also allowed to use remote sources. This could allow attacks like Remote File Execution.
When using another tool, like cURL, you can disable allow_url_fopen (it's enabled by default).
PHP streams are insecure over SSL/TLS by default. Luckily this can be corrected, but it does need attention before you can securely use HTTPS/FTPS sources.
A remaining issue is that PHP is unable to match Subject Alternative Names in certificates (which many certificates use). This means that (when configured securely) PHP can reject a valid certificate. In order to circumvent this, you'll need to disable CN matching, which opens you up to Man In The Middle attacks.
cURL on the other hand is fully secure by default, and does support SAN matching.
Pádraic Brady is writing a book on PHP Security, which has this chapter that you might want to read.
You might want to have a look at Guzzle:
Guzzle is a PHP HTTP client that makes it easy to work with HTTP/1.1 and takes the pain out of consuming web services. It uses cURL by default.
You can use file_get_contents() for more than simple GET requests, by passing a stream_context. But then it will soon get as complex as with cURL or others, while being (IMHO) less intuitive.
It is true, as pointed out by Jasper, that file_get_contents() requires allow_url_fopen=1, which again may be a security threat. However, allow_url_fopen is active on most hosts anyway, and personally I think there are worse security pitfalls in PHP.
My conclusion would be: If you build an application only for yourself, use file_get_contents() or cURL. If you need portability, use one of the libraries that implement HTTP clients on raw sockets, such as Snoopy.
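One way to send a POST with custom headers through a stream context, as the answer above mentions, with the TLS checks discussed in the first answer set explicitly. This is an added example, not code from any of the posts; the function name post_json, the header handling and the option values are assumptions, and it needs PHP 7.3+ for JSON_THROW_ON_ERROR:

```php
<?php
// Added example: POST via file_get_contents() and a stream context, with
// certificate and host-name verification requested explicitly.
// post_json() is a hypothetical helper; option values are illustrative.

function post_json(string $url, array $payload, array $headers = []): array
{
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_fopen is disabled; use cURL instead');
    }
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('refusing non-HTTPS URL');
    }

    $body = json_encode($payload, JSON_THROW_ON_ERROR);
    $headerLines = ['Content-Type: application/json', 'Content-Length: ' . strlen($body)];
    foreach ($headers as $name => $value) {
        // Reject CR/LF so a header value cannot inject extra header lines.
        if (preg_match('/[\r\n]/', $name . $value)) {
            throw new InvalidArgumentException("invalid header: $name");
        }
        $headerLines[] = "$name: $value";
    }

    $context = stream_context_create([
        'http' => [
            'method'          => 'POST',
            'header'          => implode("\r\n", $headerLines),
            'content'         => $body,
            'timeout'         => 10,
            'follow_location' => 0,     // do not follow redirects
            'ignore_errors'   => true,  // return the body on 4xx/5xx too
        ],
        'ssl' => [
            'verify_peer'       => true,   // validate the certificate chain
            'verify_peer_name'  => true,   // match the host name against the certificate
            'allow_self_signed' => false,
        ],
    ]);

    $response = @file_get_contents($url, false, $context);
    if ($response === false) {
        throw new RuntimeException('request failed: ' . (error_get_last()['message'] ?? 'unknown'));
    }
    // The HTTP wrapper fills $http_response_header in the calling scope.
    $status = (int) (explode(' ', $http_response_header[0] ?? '')[1] ?? 0);
    return ['status' => $status, 'body' => $response];
}
```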
For this, it is best to use Curl. The fact that Curl has many settings:
For all of these and other such things, it is difficult to use file_get_contents. Using curl is not so difficult; I recommend writing a wrapper class.