isn't quite ashamed enough to present

jr conlin's ink stained banana

:: fopen_url, curl and You

As Valette noted, Dreamhost finally shut off allow_url_fopen (this is the PHP option that lets the file functions, fopen(), file_get_contents(), include() and friends, take a URL instead of a path, so you can do stupid things like fopen('http://evilhacker.com'). Oh sure, you may not intend to do that, but if you've got uninitialized variables feeding those calls, that's exactly what you're allowing folks to do).

I've got a slightly longer version of this post called PHP, CURL and You! that may be a little easier to read.

This undoubtedly has a great many folks in a tizzy, but needlessly so. You've got a FAR more powerful replacement readily available in PHP's curl extension, its binding to the curl library. This utterly amazing chunk of software gives you total and absolute control over your back-end request.

Here's an example. Let's say that like Valette, you've got some remote site you're scraping data from. In the old, nasty, evil, icky way you could do:

$buffer=file_get_contents('http://example.com');

which would fetch the page into $buffer. But it would also hang your page for up to 30 seconds if http://example.com were down or slow, since you get no say in the timeout, and God forbid they were to simply block robots and spiders from crawling their data.

Or God forbid the following:

<?php
include('http://example.com');
?>

Sure, that does get the contents of http://example.com, but it also tells your local machine to run whatever lurking evil crap may be in that page. What happens when example.com gets hacked and someone inserts a virus into the page? Bad things happen. Really bad things. Taste-testing electrical sockets, sorts of bad things. Picking up hitchhikers outside of penitentiaries and bringing them home for drinks and a gander at your collection of unlocked high power firearms, bad things.

Now, enter curl:
$curl_handle = curl_init();
// Where should we get the data?
curl_setopt ($curl_handle, CURLOPT_URL, 'http://example.com');
// This says not to dump it directly to the output stream, but instead
// have it return as a string.
curl_setopt ($curl_handle, CURLOPT_RETURNTRANSFER, 1);
// The following is optional, but you should consider setting it
// anyway. It caps the seconds spent connecting, so a dead remote host
// can't hang your page. (CURLOPT_TIMEOUT caps the whole transfer, if the
// remote site answering slowly is also a worry.)
curl_setopt ($curl_handle, CURLOPT_CONNECTTIMEOUT, 1);
// Now, YOU make the call. curl_exec() returns false if the call failed.
$buffer = curl_exec($curl_handle);
// And tell it to shut down (when you're done. You can always make more
// calls if you want.)
curl_close($curl_handle);
// This is where I'd probably do some extra checks on what I just got:
// did the call fail, what HTTP status came back, is it the size I expect.
// Paranoia pays dividends.
print $buffer;

Yeah, it's a few more lines of code, but that's what subroutines are for. Thing is, there are tons of options you can set that control every aspect of the call, plus it's far safer, because a request only goes out where you explicitly call curl: a URL can no longer sneak into an include() or fopen() by way of a variable. This means that when some hacker discovers an uninitialized variable that's being used inside of your code, they can't use it to load their own code and hijack your site.
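To make those "extra checks" concrete, here is the fetch wrapped up as the subroutine the paragraph above asks for. This is an added example, not code from the original post: the function name fetch_remote(), the host allow-list and the byte cap are its own assumptions, and it needs PHP built with the curl extension.

```php
<?php
// Added example, not from the original post. fetch_remote(), the host
// allow-list and the byte cap are this example's own assumptions.

function fetch_remote($url, $allowed_hosts, $max_bytes = 1048576)
{
    // 1. Only talk to hosts picked in advance. curl closes the
    //    include()-a-URL hole, but a URL built from user input would still
    //    let a visitor aim your server at any address they like.
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array($parts['scheme'], array('http', 'https'), true)
        || !in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return false;
    }

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);   // return a string, don't echo it
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);      // seconds allowed to connect
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);            // seconds allowed for the whole transfer
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);  // a redirect could leave the allow-list
    curl_setopt($ch, CURLOPT_USERAGENT, 'example-scraper/1.0 (+http://example.com/)');

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // 2. curl_exec() returns false on a network error, but a 403 or a 500
    //    error page comes back as a perfectly good string. Reject both.
    if ($body === false || $errno !== 0 || $status !== 200) {
        return false;
    }

    // 3. Don't let the remote side hand you more than you planned for.
    //    (Checked after download; a CURLOPT_WRITEFUNCTION callback could
    //    abort the transfer sooner.)
    if (strlen($body) > $max_bytes) {
        return false;
    }
    return $body;
}

// Usage. Whatever comes back is data, never code: it is escaped on the way
// out and is never handed to include(), require() or eval().
$page = fetch_remote('http://example.com/', array('example.com'));
if ($page === false) {
    print "Remote fetch failed; rendering the page without it.\n";
} else {
    print htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
}
```

The allow-list is the part that file_get_contents() never gave you: with it, the only thing a hostile variable can change is which of your chosen hosts gets asked, and a failed or oversize fetch degrades to a missing block of content instead of a hung page.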

(By the way, PLEASE add the following bit of code to your .htaccess file:
<ifmodule mod_php4.c>
php_flag register_globals off
</ifmodule>

This will break packages like phpNuke and (older copies of) ATP, but that's good. It also means that the vulnerabilities in those packages that depend on register_globals (a request parameter silently becoming a PHP variable before your code runs) are neutralized. Note that the IfModule test only matches the PHP 4 module, so if a different PHP module is loaded the flag is silently skipped and you need a block naming that module.)
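What register_globals actually does to an uninitialized variable, and the coding habit that makes the .htaccess flag a second line of defence rather than the only one. This is an added example, not from the original post; $authorized, $page and the pages/ directory are its own assumptions.

```php
<?php
// Added example, not from the original post. The variable names and the
// pages/ directory are this example's own assumptions.

// BEFORE (file scope, as in most PHP scripts of the era). With
// register_globals on, the request  index.php?authorized=1&page=http://evil/x
// creates $authorized = "1" and $page = "http://evil/x" BEFORE the first
// line below runs. Nothing resets them, so the admin check passes and, with
// allow_url_fopen also on, include() fetches and executes evil's code.
//
//   if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
//       $authorized = true;
//   }
//   if ($authorized) { show_admin_panel(); }
//   include($page . '.php');

// AFTER. Every variable gets a value before it is tested, request data is
// read only from the superglobal you mean to read, and the include path is
// pinned to a fixed directory and an allow-list. register_globals can now
// be on or off without changing what this code does.
$authorized = false;
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $authorized = true;
}

function page_path($requested)
{
    $pages = array('home', 'about', 'contact');   // the only pages served
    if (!in_array($requested, $pages, true)) {
        $requested = 'home';
    }
    return dirname(__FILE__) . '/pages/' . $requested . '.php';
}

// Confirm the hardening took effect on this host rather than assuming it.
function report_settings()
{
    $lines = array(
        'register_globals: ' . (ini_get('register_globals') ? 'ON (fix this)' : 'off'),
        'allow_url_fopen:  ' . (ini_get('allow_url_fopen') ? 'on' : 'off'),
        'curl extension:   ' . (function_exists('curl_init') ? 'loaded' : 'missing'),
    );
    return implode("\n", $lines) . "\n";
}

print report_settings();
$requested = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$path = page_path($requested);
print 'admin: ' . ($authorized ? 'yes' : 'no') . "\n";
print 'would include ' . $path . "\n";
// include($path);   // only one of the three listed files can ever be named
```

Run it once with register_globals still on and ?authorized=1 in the query string: the explicit `$authorized = false;` overwrites whatever the request registered, which is the whole point of initializing before testing.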

There, see? It's not so bad after all.

Powered by WordPress
Hosted on Dreamhost.