14

I am making a web application in PHP and want to read content from another domain. It seems that my major options are fopen and curl.

What are the major differences between these two methods, especially regarding security and available options?

Does it matter if the url is an http or https site?

Josiah
  • 3,008
  • 1
  • 34
  • 45
Marco
  • 2,306
  • 2
  • 26
  • 43
  • The question is not so much what `fopen` can do, but what the HTTP/HTTPS stream wrappers can do. Check http://de.php.net/manual/en/wrappers.http.php – Gordon Feb 19 '10 at 13:49

2 Answers2

17

Curl uses external library and it has a lot more power to customizing the request - custom headers, generating POST request, uploading files. Everything you need I must say.

Fopen is limited to only just make a GET request of the url without any further customization.

As for security CURL is not influenced by security configuration in PHP (like forbidden fopen of remote URLS and such).

The both possibilities return you data which you can use in every possible way you want. If you make a security hole in your project, after getting the data is your fault after all.

Also I am not quite sure but I think that fopen cannot handle SSL (https) connections. Both fopen and CURL support SSL (as noted by Andy Shellam in a comment below).

bisko
  • 3,948
  • 1
  • 27
  • 29
  • 2
    fopen does support HTTPS providing you've compiled PHP against OpenSSL. – Andy Shellam Feb 19 '10 at 13:40
  • Thank you for the note, Andy! Now I know one more thing about PHP :) – bisko Feb 19 '10 at 22:08
  • 1
    It is possible to do POST request with fopen too. For example http://wezfurlong.org/blog/2006/nov/http-post-from-php-without-curl/ In my opinion curl is used where people want to get around PHP security settings, I personally have used only fopen and no problems so far. – Rauli Rajande Nov 01 '13 at 12:15
2

See What are the important differences between using fopen($url) and curl in PHP? for some security settings that affect fopen namely allow_url_include.

Also, note that with curl if you setopt CURLOPT_FOLLOWLOCATION then curl follows redirects to file:// to fetch data (still subject to open_basedir). Redirects to other schemes such as ftp:// could be worse (have not tested ftp://). Without that setopt curl does not follow redirects at all. fopen seems to work with 302 by default but only http:// -> http:// and not http:// -> file://.

Community
  • 1
  • 1
mar
  • 356
  • 1
  • 6