Jump to content

Recommended Posts

Haven't done much with cURL, and nothing using PUT or DELETE methods.

 

Would appreciate any comments on the following script.  It is based on cutting and pasting from several sources, and some review of the manual.

 

Particularly, let me know if I am sending data for PUT and DELETE methods correctly.  Also, whether my use of CURLOPT_SSL_VERIFYPEER is correct (it doesn't seem to work with SSL without it).

 

Thanks

protected function CallAPI($method, $url,array $options, $data = false)
{
    $options = array(
        CURLOPT_RETURNTRANSFER => true,     // return web page
        CURLOPT_HEADER         => false,    // don't return headers
        CURLOPT_FOLLOWLOCATION => true,     // follow redirects
        CURLOPT_ENCODING       => "",       // handle all encodings
        CURLOPT_USERAGENT      => "unknown",// who am i
        CURLOPT_AUTOREFERER    => true,     // set referrer on redirect
        CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
        CURLOPT_TIMEOUT        => 120,      // timeout on response
        CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
        CURLOPT_SSL_VERIFYPEER => false     // Disabled SSL Cert checks
        );
    //Optional authentication
    if (isset($options[CURLOPT_USERPWD])) {$options[CURLOPT_HTTPAUTH]=CURLAUTH_BASIC;}
    switch (strtolower($method)) {
        case "get":
            if ($data) {$url = sprintf("%s?%s", $url, http_build_query($data));}
            break;
        case "post":
            $options[CURLOPT_POST]=1;
            if ($data) {$options[CURLOPT_POSTFIELDS]=$data;}
            break;
        case "put":
            $options[CURLOPT_PUT]=1;
            $options[CURLOPT_CUSTOMREQUEST]="PUT";
            if ($data) {$options[CURLOPT_POSTFIELDS]=http_build_query($data);}
            break;
        case "delete":
            //$options[CURLOPT_DELETE]=1;
            $options[CURLOPT_CUSTOMREQUEST]="DELETE";
            if ($data) {$options[CURLOPT_POSTFIELDS]=http_build_query($data);}
            break;
        default:trigger_error("Invalid HTTP method.", E_USER_ERROR);
    }
    $options[CURLOPT_URL]=$url;
    $ch      = curl_init();
    curl_setopt_array( $ch, $options );
    $content = curl_exec( $ch );
    $err     = curl_errno( $ch );
    $errmsg  = curl_error( $ch );
    $results  = curl_getinfo( $ch );
    curl_close( $ch );

    $results['errno']   = $err;
    $results['errmsg']  = $errmsg;
    $results['content'] = $content;
    return $results;
}


Without certificate verification (CURLOPT_SSL_VERIFYPEER), HTTPS is a joke and a waste of energy. The whole point of encrypting the HTTP traffic is that only one specific peer can read it. If you don't verify that peer, the whole exercise is useless.

 

If you don't want HTTPS, use plain HTTP. If you do want HTTPS, you must enable certificate verification. Problems usually come from not providing the trusted certificates.

 

Your $options parameter is also useless, because you immediately overwrite it in the function. I guess what you actually want to do is merge the arrays.

Yes, I definitely want SSL, and will get rid of CURLOPT_SSL_VERIFYPEER.

 

Did the other settings look reasonable?  Particularly related to SSL and how data was send for PUT and DELETE?

 

Yea, I originally was using array_merge(), but was troubleshooting and forgot to put it back.  I'm also thinking passing a "debug" flag to CallAPI, and only returning all the extra info if it is set

Yes, I definitely want SSL, and will get rid of CURLOPT_SSL_VERIFYPEER.

 

You must enable it, not get rid of it. You want peer verification.

 

 

 

Did the other settings look reasonable?  Particularly related to SSL and how data was send for PUT and DELETE?

  • It does't make sense to silently override the authentication method with CURLAUTH_BASIC. What if you (or whoever uses the function) has already set a different method?
  • Your handling of URL parameters is odd. If the method is GET, the caller of your function must not include a query in the URL (because that will result in a nonsense URL), but for all other methods you do expect the caller to put the query into the URL. Pick one. Or parse the URL so that the function doesn't screw up URLs with a predefined query.
  • You also cannot handle multiple parameters with the same name. Consider supporting arrays as parameter values.
  • The DELETE method cannot have parameters in the request body (well, it technically can, but they're ignored).
  • Are you sure the parameters of the PUT method must be manually URL-encoded? Why not an array?

Thanks Jacques1,  I will spend a little time looking into each of your responses.

 

By the way, array_merge() won't work.

Values in the input array with numeric keys will be renumbered with incrementing keys starting from zero in the result array.

 

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.