PHP libcurl example

In one of the sections on my “One Year of PHP at Yahoo!” talk I’m giving next week, I mention the security implications of the allow_url_fopen config setting.

I recommend that people set allow_url_fopen off, and instead use the libcurl extension to do server-side HTTP fetches.

Here’s a comparison of a simple HTTP fetch using both techniques.

allow_url_fopen = On

<?php

$str = file_get_contents("http://www.example.com/");

if ($str !== false) {
    // do something with the content
    $str = preg_replace("/apples/", "oranges", $str);

    // avoid Cross-Site Scripting attacks
    $str = strip_tags($str);

    echo $str;
}

?>

allow_url_fopen = Off

<?php

$ch = curl_init("http://www.example.com/");

// follow HTTP redirects
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

// return the body from curl_exec() instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$str = curl_exec($ch);

if ($str !== false) {
    // do something with the content
    $str = preg_replace("/apples/", "oranges", $str);

    // avoid Cross-Site Scripting attacks
    $str = strip_tags($str);

    echo $str;
}

curl_close($ch);

?>

It’s not that much additional work to use the curl extension, and you shield all of your regular file I/O against the possibility of accidentally acting as an open proxy. You avoid having to scrutinize every usage of fopen(), readfile(), file_get_contents(), include(), require() and related functions for the possibility that they might be used with a URL.
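One consequence of the approach above is that all outbound HTTP can live in a single helper, where policy (allowed schemes, redirects, timeouts, body size) is enforced once. The following is an added example, not code from the original post: it wraps the curl fetch shown above in such a helper and also checks that allow_url_fopen really is off. The function names, the limits and the user-agent string are this example's own assumptions, and CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS are options the PHP curl extension gained after this post was written.

```php
<?php
// Added example (not code from the original post). It wraps the post's
// curl-based fetch in one helper that enforces policy centrally, so the
// rest of the application never needs a URL-capable file function.
// The function names, limits and user agent are this example's own choices.

declare(strict_types=1);

/** True if allow_url_fopen is still on; the post recommends turning it off. */
function url_fopen_enabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Fetch an http(s) URL with libcurl. Returns the body, or null on any
 * failure (bad scheme, transport error, non-200 status, oversized body).
 */
function fetch_http(string $url, int $maxBytes = 1048576): ?string
{
    // Reject anything that is not a plain http/https URL before libcurl
    // sees it, so file:// and other schemes never reach the network layer.
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }

    // Collect the body ourselves so we can abort once it exceeds $maxBytes;
    // returning a length other than strlen($data) makes libcurl stop.
    $body = '';
    $tooLarge = false;
    $sink = function ($ch, string $data) use (&$body, &$tooLarge, $maxBytes): int {
        if (strlen($body) + strlen($data) > $maxBytes) {
            $tooLarge = true;
            return 0;
        }
        $body .= $data;
        return strlen($data);
    };

    curl_setopt_array($ch, [
        CURLOPT_WRITEFUNCTION   => $sink,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        // Limit the first request and every redirect hop to http/https;
        // the post's snippet followed redirects with no such restriction.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_USERAGENT       => 'example-fetcher/1.0', // constructed value
    ]);

    $ok     = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($ok !== true || $tooLarge || $status !== 200) {
        error_log(sprintf('fetch_http(%s): status=%d tooLarge=%s error=%s',
            $url, $status, $tooLarge ? 'yes' : 'no', $error));
        return null;
    }
    return $body;
}

// Usage, mirroring the post's snippet:
if (url_fopen_enabled()) {
    error_log('allow_url_fopen is on; file functions will still accept URLs');
}

$str = fetch_http('http://www.example.com/');
if ($str !== null) {
    $str = preg_replace('/apples/', 'oranges', $str);
    echo strip_tags($str);
}
```

The write callback replaces CURLOPT_RETURNTRANSFER so the helper can stop a transfer as soon as the body passes the size limit, rather than buffering an arbitrarily large response first; the scheme check in front of curl_init() keeps the helper's own input from being used the same way an unchecked fopen() URL would be.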

How to scale PHP

With one week to spare, I’m finished with the slides for “One Year of PHP at Yahoo!,” a talk that I’m giving next week at the O’Reilly Open Source Conference in Portland.

The finished product is quite a bit different from the abstract I submitted, but I think it’s a good thing. This talk ended up being much less about Yahoo! and much more about how to use PHP effectively in a high-performance environment.

Here’s the new outline:

  1. Brief introduction to PHP
    • Where PHP fits in a web server architecture
  2. Scaling PHP
    • Five general techniques for high performance
  3. PHP Security
  4. Managing PHP
  5. Open Problems
    • Lessons learned after one year of PHP
  6. Q & A

Folks who come to the talk hoping to learn from an insider about how Yahoo! works are going to be disappointed. The PR group won’t let me give away any secrets this time. :-)

However, if you’re interested in seeing how PHP can be scaled to 1.9 billion pageviews a day, this talk is for you.

This talk is packed with content. I’ve got 30 slides but only 45 minutes of time. I’ll post the slides on Monday once I’ve got the final OK from PR.

[Update 8 July 2003: Slides for the talk are now available online.]