doushi7819 2017-06-01 13:48
54 views
Accepted

How do I safely send a server postback using PHP?

I'm building an application that will send an HTTP request to a URL (I hope..) provided by a user.

Probably most of you will know this as a postback, callback or webhook.

However, I'm concerned about security, because the other server will send a response. That response might contain code or who knows what.

I've considered the following functions so far:

  • Curl()
  • file_get_contents()

What is the most secure way of doing this, without opening up a security vulnerability?


2 answers

  • dongza5150 2017-06-01 14:04

    You don't have a security problem in any case if you don't process the response of the server.

    For example, when you use:

    $url = 'http://www.example.com/testaddr';
    $result = file_get_contents($url);
    unset($result);
    

    You have a variable with the data. But these data aren't processed yet.

    With cURL, you can get the same approach with these options:

    $url = 'http://www.example.com/testaddr';
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    // Return the body as a string instead of printing it straight to output
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

    $result = curl_exec($curl);

    // If you need to check the result, use this:
    if (!curl_errno($curl)) {
      $http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
      if ($http_code === 200) {
        echo "OK";
      } else {
        echo 'Unexpected HTTP code: ', $http_code, "\n";
      }
    }
    curl_close($curl);
    unset($result);


    In that case it's the same: you get the response in the $result var, but you didn't use it, so in that case it isn't a security failure.

    Also, in both cases, for security reasons and to prevent excessive memory usage, I delete the $result variable after finishing the process.

    As you can see in the PHP docs:

    CURLOPT_RETURNTRANSFER TRUE to return the transfer as a string of the return value of curl_exec() instead of outputting it out directly.


    This answer was selected as the best answer by the asker.
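As an added example (not code from the answer above or from the asker's project), here is a postback sender in PHP that follows the answer's advice of never processing the response body, and adds the limits a practitioner normally wants around a user-supplied URL: a scheme allowlist, a simple check that the host resolves to a public address, no redirects, timeouts, and a size cap enforced by a write callback that discards the body as it arrives. The function name `send_postback`, the limits, and the sample payload are this example's own choices.

```php
<?php
// Added example, not from the original answer. Sends a postback to a
// user-supplied URL while keeping the response body unprocessed and bounded.
function send_postback(string $url, array $payload, int $max_bytes = 65536): array
{
    // Accept only http(s) URLs with a host; reject file://, gopher://, etc.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return ['ok' => false, 'error' => 'unsupported or malformed URL'];
    }
    // First-line check that the target is a public address (cURL resolves the
    // name again itself, so this is a filter, not a complete SSRF defence).
    $ip = gethostbyname($parts['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return ['ok' => false, 'error' => 'host does not resolve to a public address'];
    }
    $received = 0;
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($payload),
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // the remote must not redirect us elsewhere
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Count the body but never store it; returning fewer bytes than given
        // makes cURL abort the transfer once the cap is exceeded.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$received, $max_bytes): int {
            $received += strlen($chunk);
            return $received > $max_bytes ? 0 : strlen($chunk);
        },
    ]);
    curl_exec($curl);
    $errno = curl_errno($curl);
    $code  = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    if ($errno !== 0) { // CURLE_WRITE_ERROR (23) here means the size cap was hit
        return ['ok' => false, 'error' => 'curl error ' . $errno];
    }
    // Only the status code is inspected; the body has already been discarded.
    return ['ok' => $code >= 200 && $code < 300, 'http_code' => $code, 'bytes' => $received];
}

var_dump(send_postback('http://www.example.com/testaddr', ['event' => 'test']));
```

The caller only ever sees a status code and a byte count, so nothing the remote server returns can reach templating, eval, or a parser on your side.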