1

Which would be more appropriate in terms of security?

In case of file_get_contents(), if any error occurs, it displays the url being called in the error msg which may be vulnerable.

Burkhard
sunben
  • 1
    >>displays the url being called in the error msg<< you know, that you can set display errors off and you should do that on production server? – donald123 Sep 22 '14 at 09:39
  • 2
    both are secure but `curl` will give you options that `file_get_contents()` can't – jogesh_pi Sep 22 '14 at 09:39
  • Yes, as @jogesh_pi says, curl will give you more options, but you should really tell us what you are wanting to do. – Oliver Bayes-Shelton Sep 22 '14 at 09:40
  • possible duplicate of [PHP cUrl vs file\_get\_contents](http://stackoverflow.com/questions/11064980/php-curl-vs-file-get-contents) – David Jones Sep 22 '14 at 09:42
  • Yes, I missed the part that I could turn off error reporting. With that turned off, I can either use file_get_contents() or curl. Thanks. – sunben Sep 23 '14 at 11:39

3 Answers

3

I think curl is more secure because if you're working with a remote file with file_get_contents() you need to enable ‘allow_url_fopen’.

Reference:
http://25labs.com/alternative-for-file_get_contents-using-curl/
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html

And continuing the discussion from the comments on the question: yes, cURL gives you more options, and if you want to check more you can see it in the documentation here.
For file_get_contents(), it's just a simple GET request.

Niko Adrianus Yuwono
0
  • file_get_contents is only useful for GET requests
  • file_get_contents needs allow_url_fopen on to access remote sources

A URL can be used as a filename with this function if the fopen wrappers have been enabled. See fopen() for more details on how to specify the filename. See the Supported Protocols and Wrappers for links to information about what abilities the various wrappers have, notes on their usage, and information on any predefined variables they may provide.

  • You have way more options in your request using cURL. Take a look at setopt.

it displays the url being called in the error msg which may be vulnerable.

Turn off error reporting and ensure display_errors is deactivated. It may also be worthwhile to create your own handler to handle errors.

```php
error_reporting(0);            // report no errors at all
ini_set('display_errors', 0);  // never print errors into the response
```
ʰᵈˑ
  • 2
    cURL is still more powerful but file_get_contents supports stream contexts which allows it to do quite a lot actually, including any arbitrary method including POST. – ColinM Mar 03 '15 at 17:49
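
The custom error handler suggested in the answer above, sketched as an added example (not code from any of the answers on this page). `fetchRemote()` and `redactUrl()` are hypothetical helper names, the sample URL is constructed, and `allow_url_fopen` is assumed to be enabled.

```php
<?php
// Added example (not from the answers above). fetchRemote() and redactUrl()
// are hypothetical helper names; the URL at the bottom is a constructed sample.

// Strip credentials and the query string so secrets in the URL never reach a log line.
function redactUrl(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return '[unparseable URL]';
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return $p['scheme'] . '://' . $p['host'] . $port . ($p['path'] ?? '/');
}

// Returns the body, or null on failure. The warning text that file_get_contents()
// raises (which contains the full URL) is discarded instead of reaching the response.
function fetchRemote(string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // refuse file://, php://, ftp:// and other wrappers
    }

    $failed = false;
    // Custom handler scoped to this call: note the failure and suppress PHP's own output.
    set_error_handler(function (int $no, string $msg) use (&$failed): bool {
        $failed = true;
        return true; // handled here; PHP's built-in handler will not display it
    }, E_WARNING);

    try {
        $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
        $body = file_get_contents($url, false, $ctx);
    } finally {
        restore_error_handler();
    }

    if ($failed || $body === false) {
        error_log('remote fetch failed for ' . redactUrl($url)); // server-side log only
        return null;
    }
    return $body;
}

// Constructed sample: port 9 is assumed closed, so this fails without leaking the token.
$body = fetchRemote('http://127.0.0.1:9/report?token=constructed-secret');
echo $body ?? 'The remote resource is currently unavailable.', PHP_EOL;
```

Unlike `error_reporting(0)`, this keeps a server-side record of the failure while the response and the log both stay free of the query string.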
0

file_get_contents can do POST via stream_context_set_option, but I think maybe curl is more powerful.

ref:

Peter
defend orca