
I want to turn OFF allow_url_fopen for security reasons. If I turn it off, I cannot use file_get_contents.

I'm using file_get_contents with php://input and with a URL, as I need to get the POST data with it. Something like this:

$postData = file_get_contents('php://input'); // Example 1: raw body of the incoming request
$context = stream_context_create(['http' => ['method' => 'POST']]); // assumed; $context was not shown in the question
$postData2 = file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context); // Example 2: outgoing request

Is there any way I can get the POST data by using CURL or any other secure way?

baileyJchoi
    using cURL for reading your incoming POST data makes no sense - that's for making outgoing HTTP requests to a remote server. It has nothing to do with the request that PHP is currently responding to. I'm assuming maybe you can't just use $_POST to get the data? Perhaps you have JSON coming in or something instead of form data? – ADyson Dec 14 '18 at 15:20
  • @ADyson sorry, I'm new to this. I'm trying to get the POST data from a Stripe webhook - https://gist.github.com/boucher/1708172 – baileyJchoi Dec 14 '18 at 15:34
  • If you're running the code in that Git page, then yes it looks like you've got JSON coming in. Not sure you've got much option here, you need `php://input` I'm afraid, at least as far as I'm aware there's no workaround in that scenario. – ADyson Dec 14 '18 at 15:48
  • @ADyson Darn it. Does that mean users can pass malicious files with it like this? https://stackoverflow.com/questions/24049534/is-allow-url-fopen-safe – baileyJchoi Dec 14 '18 at 15:54
  • Only if you use file_get_contents() elsewhere in your code in a way that's unsafe (e.g. you make a call to file_get_contents where the URL (or some part of it) is taken from user input which you haven't checked and sanitised beforehand). Using it just for reading from `php://input` is not, in itself, unsafe. And using it to fetch the content of hard-coded URLs or filenames (or if not hard-coded, taken from somewhere where outside input cannot be incorporated into it) is not unsafe either by itself. – ADyson Dec 14 '18 at 15:58
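As an added example (not code from the question or its comments): the incoming webhook body is read through php://input, which is a local stream wrapper that allow_url_fopen=Off does not block (the setting only gates remote wrappers such as http:// and ftp://), while the outgoing siteverify call is made with cURL so that remote fetch no longer depends on allow_url_fopen either. Assumes PHP 7.3+, a hypothetical $recaptchaSecret, and a JSON webhook body as in the linked Stripe gist.

```php
<?php
declare(strict_types=1);

// Read the raw POST body of the current request. php://input is a local
// stream wrapper and keeps working with allow_url_fopen=Off.
function readJsonWebhookBody(): array
{
    $raw = file_get_contents('php://input');
    if ($raw === false || $raw === '') {
        throw new RuntimeException('Empty request body');
    }
    // Reject malformed JSON instead of silently working with null.
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('Webhook body is not a JSON object');
    }
    return $data;
}

// Outgoing POST to the siteverify endpoint via cURL instead of
// file_get_contents(URL), with TLS verification left on and a timeout set.
function verifyRecaptcha(string $secret, string $token, string $clientIp): bool
{
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $clientIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        error_log('siteverify request failed: ' . $err);
        return false;
    }
    $result = json_decode($body, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}

// Usage: $event = readJsonWebhookBody(); and, on a form handler,
// $ok = verifyRecaptcha($recaptchaSecret, $_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '');
```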

0 Answers