Security of this cURL code

views:

answers:

Security of this cURL code

Although "slightly" related to a previous question, it is different. How "secure" is this code in terms of cURL? Are there any other "bits" that should/ought to be added. Note it is not being used to pass "sensitive" info.

$ch = curl_init("http://www.example.com/test.xml");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
$data = curl_exec($ch);
curl_close($ch);

Few things to note:

You should try/catch in case the http://www.example.com/test.xml gives an error, such as 404 or 500. In that case you probably want to raise a fatal error or have it dealt with in your app.
You should calculate the amount of data coming over the line. What if example.com decides (or is broken into) and test.xml becomes several gigabytes large? You app needs to deal with this, somehow.
You probably want to include some 30X header/ redirect logic. curl does follow a redirect, but in that case, you probably want the redirect logged so you can take measures in your app (change the location to the new location)
You should make very sure that curl_close() is always called. In case of fatal errors, memory overflowing and so on, you certainly don't want these sockets to remain opened.

Your code is not insecure, nor is it wrong. It just does not handle edge-cases and could be hardened.

berkes 2010-08-04 15:46:33

Thanks for that - really helpful

2010-08-06 05:37:49

ansaurus

tags:

views:

answers:

Security of this cURL code

related questions