function.file-get-contents - failed to open stream

Posted 2019-07-25 18:11

Question:

Possible Duplicate:
file_get_contents with query string

I'm using the file_get_contents function but although returning the correct output, it is still showing this error:

Warning: file_get_contents(secure/validate.php?cardnumber=1234567) [function.file-get-contents]: failed to open stream: No error in ...

The scenario is card number validation and in validatecard.php there is a simple if statement:

if (isset($_GET['cardnumber']) && ($_GET['cardnumber'] == "12345")) {
    echo "OK";
} else {
    echo "INVALID CARD";
}

My code is:

$cardnumber = $_POST["cardnumber"];
$url = "secure/validate.php?cardnumber=" . $cardnumber;
if (file_get_contents($url) != "OK"){
    $order_error_msg = "Invalid card number";
} else { ....

What may be the problem?

Answer 1:

Well, it seems like you don't have allow_url_fopen set in your php.ini. @Gordon is correct, this is not a url_fopen issue. It's actually failing because using file_get_contents on the local file will actually get you the code for the file, not the PHP-processed result of running that file. To get it to work as you wanted, you'd need to hit apache/PHP by prepending "https://localhost/" to the url, and enabling allow_url_fopen.

But also this looks like a very worrying piece of code; you should do as little as possible with CC numbers in the code. By using file_get_contents and a card number on the get string, it opens up the possibility of the number being logged somewhere.

A much more secure implementation would look something like this:

validatecard.php

function checkCard($card) {
  if ($card == "12345") {
      return "OK";
  } else {
      return "INVALID CARD";
  }
}

Then in your main code:

include('secure/validatecard.php');

$cardnumber = $_POST["cardnumber"];
if (checkCard($cardnumber) != "OK"){
    $order_error_msg = "Invalid card number";
} else { ....

That way your checkCard function is more re-usable, and you don't have to ferry the card number around so much.

If you decide to go with the file_get_contents approach and hit https://localhost/secure/validatecard.php?card=12345 then the credit card numbers will get logged in your apache access logs in plain text. This is verging on criminally negligent, don't do it.

Also, as per Gordon's advice, make sure that you're using https all the way through.

You might consider hiring in a contractor with experience writing shopping carts/checkouts. These things are important to get right, and can be insecure in subtle ways if you're not experienced.
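The logging risk described in the answer above can be checked for on an existing server. The following is an added example, not part of the original answer: a Python scanner that looks for card-like values in the query strings of Apache access log lines, filters them with the Luhn checksum and reports them masked. The log lines, the function names and the test card number 4111111111111111 are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside an Apache common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|PATCH) (\S+) HTTP/[\d.]+"')
# 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r'(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)')

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first six and last four digits so the report never holds the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(log_line: str):
    """Return (parameter, masked_value) for card-like query values in one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        for cand in PAN_RE.findall(value):
            digits = re.sub(r'\D', '', cand)
            if luhn_ok(digits):  # drops order ids and other long numbers
                hits.append((name, mask(digits)))
    return hits

# Constructed sample lines (hypothetical paths and timestamps)
SAMPLE_LOG = [
    '127.0.0.1 - - [25/Jul/2019:18:11:02 +0000] "GET /secure/validate.php?cardnumber=4111111111111111 HTTP/1.1" 200 2',
    '127.0.0.1 - - [25/Jul/2019:18:11:05 +0000] "GET /secure/validate.php?cardnumber=1234567 HTTP/1.1" 200 12',
    '127.0.0.1 - - [25/Jul/2019:18:11:09 +0000] "POST /checkout.php HTTP/1.1" 200 512',
    '127.0.0.1 - - [25/Jul/2019:18:11:12 +0000] "GET /order.php?id=1234567890123456 HTTP/1.1" 200 90',
]

def scan(lines):
    """Return (line_number, (parameter, masked_value)) for every hit."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in find_pans(line)]
```

Only the first sample line is reported: the POST request carries no card data in its request line, and the 16-digit order id fails the Luhn check.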



Answer 2:

Are you sure your php.ini configuration allows for opening URLs?

You can check using phpinfo() and searching for allow_url_fopen.

Also, as another poster noted, using GET for this kind of stuff isn't really ideal (read: really really bad). If you're keen on making a request to another page, rather than using a file (if that other page is not on your server, for example), try using cURL and do a POST request.