I'm building an application that will send an http request to a url (I hope..) provided by a user.
Probably most of you will know this as a postback, callback or webhook.
However, I'm concerned about security, because the other server will send a response. That response might contain code or who knows what.
I've considered the following functions so far:
What is the most secure way of doing this, without opening up a security vulnerability?
You doesn't have a security problem in any case if you don't process the response of the server.
For example, when you use:
$url = 'http://www.example.com/testaddr';
$result = file_get_contents($url);
unset($result);
You have a variable with the data. But these data aren't processed yet.
With cURL, you can get the same approach with these options:
$url = 'http://www.example.com/testaddr';
$curl = curl_init();
curl_setopt ($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($curl);
//If you need to check result, use this:
if (!curl_errno($curl)) {
$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
if ($http_code === 200) {
echo "OK";
} else {
echo 'Unexpected HTTP code: ', $http_code, "\n";
}
}
curl_close($curl);
unset($result);
In that case it's the same, you get the response on $result var, but, you didn't use it, in that case, it isn't a security failure.
Also, in both cases, for security reasons and prevent excessive memory usage, I delete the $result variable after finish the process.
As you can see on PHP doc:
CURLOPT_RETURNTRANSFER TRUE to return the transfer as a string of the return value of curl_exec() instead of outputting it out directly.