doushi7819 2017-06-01 21:48
Views: 54
Accepted

How do I send a server postback securely with PHP?

I'm building an application that will send an http request to a url (I hope..) provided by a user.

Probably most of you will know this as a postback, callback or webhook.

However, I'm concerned about security, because the other server will send a response. That response might contain code or who knows what.

I've considered the following functions so far:

  • Curl()
  • file_get_contents()

What is the most secure way of doing this, without opening up a security vulnerability?


2 answers

  • dongza5150 2017-06-01 22:04

    You don't have a security problem in any case if you don't process the response of the server.

    For example, when you use:

    $url = 'http://www.example.com/testaddr';
    $result = file_get_contents($url);
    unset($result);
    

    You have a variable with the data. But these data aren't processed yet.

    With cURL, you can get the same approach with these options:

    $url = 'http://www.example.com/testaddr';
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    // Return the body as a string instead of printing it to the output.
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    
    $result = curl_exec($curl);
    
    // If you need to check the result, use this:
    if (!curl_errno($curl)) {
      $http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
      if ($http_code === 200) {
        echo "OK";
      } else {
        echo 'Unexpected HTTP code: ', $http_code, "\n";
      }
    }
    curl_close($curl);
    unset($result);
    

    In that case it's the same: you get the response in the $result variable, but you didn't use it, so it isn't a security failure.

    Also, in both cases, for security reasons and to prevent excessive memory usage, I delete the $result variable after finishing the process.

    As you can see on PHP doc:

    CURLOPT_RETURNTRANSFER TRUE to return the transfer as a string of the return value of curl_exec() instead of outputting it out directly.

    This answer was selected by the asker as the best answer.
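The answer above covers one point: the remote response is harmless as long as your code never interprets it. The sender below is an added example (not code from the original post or the accepted answer) that applies that rule and adds the limits a request to a user-supplied URL should have: only http(s) is allowed, redirects are not followed, timeouts are set, and the body is counted and discarded rather than stored. The function name `send_postback()`, the payload and the sample call are assumed/constructed for this illustration.

```php
<?php
// Added example, not code from the original post. A postback sender that keeps
// the answer's rule (the response body is never interpreted) and adds the limits
// a request to a user-supplied URL should have. Names and values are assumed.

function send_postback(string $url, array $payload, int $maxBytes = 65536): array
{
    // Accept only absolute http(s) URLs; anything else is rejected before any request is made.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return ['ok' => false, 'error' => 'URL must be an absolute http(s) URL'];
    }

    $received = 0;
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_FOLLOWLOCATION => false,                            // the remote side may not redirect us
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, gopher://, etc.
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        // Count and discard the body instead of storing or echoing it. Returning fewer
        // bytes than received makes cURL abort the transfer (CURLE_WRITE_ERROR, errno 23).
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$received, $maxBytes): int {
            $received += strlen($chunk);
            return $received > $maxBytes ? 0 : strlen($chunk);
        },
    ]);

    curl_exec($curl);
    $errno    = curl_errno($curl);
    $error    = curl_error($curl);
    $httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);

    if ($errno !== 0) {
        return ['ok' => false, 'error' => "cURL error $errno: $error", 'bytes' => $received];
    }
    // Only the status code is used as the delivery result; the body was never kept.
    return ['ok' => $httpCode >= 200 && $httpCode < 300, 'http_code' => $httpCode, 'bytes' => $received];
}

// Constructed sample call (example.com is the host used in the answer above).
$result = send_postback('http://www.example.com/testaddr', ['event' => 'order.paid', 'id' => 42]);
echo $result['ok'] ? "delivered\n" : 'not delivered: ' . ($result['error'] ?? $result['http_code']) . "\n";
```

Because the write callback discards each chunk, there is no $result variable holding the remote body to unset afterwards, and an oversized response is cut off at $maxBytes.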
