micah1701 Posted January 29, 2010 Share Posted January 29, 2010 This isn't so much a coding question as a theory/best-practices question, but I wasn't sure where else to post it. A while back I built an application for a client of mine which grabs some finance data from yahoo! and parses the numbers to give him some stock information. I used something like $data = file("http://finance.yaho.com/whatever?my=paramaters"); and all worked fine until the other day. He called me in a panic that his whole site was crashing and it was my application's fault. I quickly realized that the problem was that his host, Network Solutions, turned off the allow_url_fopen directive without informing him. I told him to tell them to turn it back on... of course, they wouldn't do that because he's on a shared IP with a thousand other websites and they now consider it a security risk. They recommend I just use cURL instead, which I did and all is well with the world again. But it leaves me wondering, how is cURL any safer then using file()? Both grab info from 3rd party sites. Quote Link to comment Share on other sites More sharing options...
premiso Posted January 29, 2010 Share Posted January 29, 2010 cURL is safer because it can only access webpages, where as file can access any file on your server given the right path etc. It is better to use the proper tool for fetching webpage data (as cURL is much more efficient and quicker at it then file).So for instance if you have a form that says, "Enter URL of Link" when they pass it in you have something like: file($_POST['link']); that can open up your server for them to retrieve any file / code. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 29, 2010 Share Posted January 29, 2010 I'll guess this is under php4? No php setting has any direct bearing on the safety of a script because it is the programmer's responsibility to validate data his script receives. However, under php4, having allow_url_fopen ON allows include('some_URL_that_a_hacker_fed_your_script') to cause external php code to be included and executed on the server, so as a knee-jerk reaction to a lack of coders validating data, some people might see that turning off the setting makes the server safer. If under php5, the relevant setting would be allow_url_include. Quote Link to comment Share on other sites More sharing options...
micah1701 Posted January 29, 2010 Author Share Posted January 29, 2010 Thanks premiso, that was the answer I was looking for! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.