file_get_contents vs cUrl. Which is more relevant

2019-08-03 09:43发布

问题:

Which would be more appropriate in terms of security?

In case of file_get_contents(), if any error occurs, it displays the url being called in the error msg which may be vulnerable.

回答1:

I think curl is more secure because if you're working with remote file with file_get_contents() you need to enable ‘allow_url_fopen’

reference :
http://25labs.com/alternative-for-file_get_contents-using-curl/
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html

And continuing discussion from the comments in the question, yes cURL give you more option and if you want to check more you can see it in the documentation here
For file_get_contents() it just a simple GET request.



回答2:

  • file_get_contents is only useful for GET requests
  • file_get_contents needs allow_url_fopen on to access remote sources

A URL can be used as a filename with this function if the fopen wrappers have been enabled. See fopen() for more details on how to specify the filename. See the Supported Protocols and Wrappers for links to information about what abilities the various wrappers have, notes on their usage, and information on any predefined variables they may provide.

  • You have way more options in your request using cURL. Take a look at setopt.

it displays the url being called in the error msg which may be vulnerable.

Turn off error reporting and ensure display_errors is deactivated. It may also be worthwhile to create your own handler to handle errors.

error_reporting(0);
ini_set('display_errors', 0);


回答3:

file_get_content can do post by stream_context_set_option, but, i think maybe curl more powerful.

ref:

  • http://php.net/manual/zh/function.stream-context-set-option.php
  • http://php.net/manual/zh/context.http.php