doushi7819 2017-06-01 21:48
浏览 54
已采纳

如何使用PHP安全地发送服务器回发?

I'm building an application that will send an http request to a url (I hope..) provided by a user.

Probably most of you will know this as a postback, callback or webhook.

However, I'm concerned about security, because the other server will send a response. That response might contain code or who knows what.

I've considered the following functions so far:

  • Curl()
  • file_get_contents()

What is the most secure way of doing this, without opening up a security vulnerability?

  • 写回答

2条回答 默认 最新

  • dongza5150 2017-06-01 22:04
    关注

    You doesn't have a security problem in any case if you don't process the response of the server.

    For example, when you use:

    $url = 'http://www.example.com/testaddr';
    $result = file_get_contents($url);
    unset($result);
    

    You have a variable with the data. But these data aren't processed yet.

    With cURL, you can get the same approach with these options:

    $url = 'http://www.example.com/testaddr';
    $curl = curl_init();                
    curl_setopt ($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    
    $result = curl_exec($curl);
    
    //If you need to check result, use this:
    if (!curl_errno($curl)) {
      $http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
      if ($http_code === 200) {
        echo "OK";
      } else {
        echo 'Unexpected HTTP code: ', $http_code, "
    ";
      }
    }
    curl_close($curl);
    unset($result);
    

    In that case it's the same, you get the response on $result var, but, you didn't use it, in that case, it isn't a security failure.

    Also, in both cases, for security reasons and prevent excessive memory usage, I delete the $result variable after finish the process.

    As you can see on PHP doc:

    CURLOPT_RETURNTRANSFER TRUE to return the transfer as a string of the return value of curl_exec() instead of outputting it out directly.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 PADS Logic 原理图
  • ¥15 PADS Logic 图标
  • ¥15 电脑和power bi环境都是英文如何将日期层次结构转换成英文
  • ¥20 气象站点数据求取中~
  • ¥15 如何获取APP内弹出的网址链接
  • ¥15 wifi 图标不见了 不知道怎么办 上不了网 变成小地球了
  • ¥50 STM32单片机传感器读取错误
  • ¥15 (关键词-阻抗匹配,HFSS,RFID标签天线)
  • ¥15 机器人轨迹规划相关问题
  • ¥15 word样式右侧翻页键消失