I'm very weak in curl functions. I have a script which does hourly routines to update files among networked sites.

I have three concerns:

  1. Efficiency
  2. Accuracy
  3. Security

Having tested it at some length, it will grab the 404s and save them as csv files, and then the validation afterward deletes them. But it would be better to reject a non-csv file flat out... even if it's disguised as a .csv for malicious purposes.

On that note, I will be saving them to a special folder. Is there any way to hide executable (malicious) code in them? I figured I would keep this directory non-executable to ensure safety.

Here is the code:

//check file exists first: 
if ( !$fp = curl_init( $url ) )
    return 'Symbiocard not found at this address ('.$url.'). Please upload manually.';

$ch = curl_init( $url );
curl_setopt( $ch, CURLOPT_NOBODY, 0 );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
curl_setopt( $ch, CURLOPT_BINARYTRANSFER, 1 );
$raw = curl_exec( $ch );
curl_close( $ch );
if ( file_exists( $newfile ) ) {
    unlink( $newfile );
} //file_exists( $newfile )
$fp = fopen( $newfile, 'x' );
fwrite( $fp, $raw );
fclose( $fp );

$required_fields = array(
    'symbiostock_site',
    'admin_email',
    'symbiostock_version' 
);

I didn't paste my validation / file writing code simply because I'd like to filter it on the CURL level.

THE QUESTION: How do I limit curl to only communicate with a genuine csv file (not a 404 or any other document at the supposed .csv location)?

  • What exactly is the question? Commented May 20, 2013 at 21:09
  • HAHA! Silly me. Let me update the post with a more clear question :D Commented May 20, 2013 at 21:12

1 Answer

You cannot limit curl, but you can check the response code before you write the file to csv. Using curl_getinfo you can get full information about your request.

Example

$info = curl_getinfo($ch);
if ($info['http_code'] == 200) {
    // Nice
} else {
    // Not Nice
}

Please note that if you get a 200 response, or the MIME type or extension is csv, it does not mean it is a valid csv. You would still need to read each line and validate the content.

3 Comments

This is helpful. I'll plug that in right away. So really I can abort if a 404 is thrown at me...which is good...but curl can't do any further validation than that?
Yep ... you can ... curl is fast and has a low memory footprint ... Just abort if you don't get 200 and remember to follow links before redirection does not return 200
Just a note, this sped things up a little too and removed an error I was dealing with. Great solution thanks.
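
The status check and the content validation discussed in this thread can be combined so that nothing is written to disk until both pass. The following is an added example, not code from the question or the answer: the function names `check_csv_response` and `fetch_csv` are hypothetical, the sample responses are constructed, and it assumes the required field names appear as column headers in the first row of the csv.

```php
<?php
// Assumption: the required field names are column headers in the first CSV row.
$required_fields = array('symbiostock_site', 'admin_email', 'symbiostock_version');

// Decide from status code and content whether a response may be saved.
function check_csv_response($http_code, $body, array $required_fields) {
    if ($http_code !== 200) {
        return "rejected: HTTP $http_code";
    }
    if (trim($body) === '' || strpos($body, "\0") !== false) {
        return 'rejected: empty or binary body';
    }
    // Parse the first line as CSV and compare it with the expected columns.
    $first_line = strtok(ltrim($body), "\r\n");
    $header = array_map('trim', str_getcsv($first_line, ',', '"', '\\'));
    $missing = array_diff($required_fields, $header);
    if ($missing) {
        return 'rejected: missing columns ' . implode(', ', $missing);
    }
    return 'ok';
}

// Hypothetical wrapper: fetch, then write only what passed the check.
function fetch_csv($url, $newfile, array $required_fields) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // status of the final hop
    curl_setopt($ch, CURLOPT_MAXREDIRS, 3);
    curl_setopt($ch, CURLOPT_TIMEOUT, 20);
    $raw = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($raw === false) {
        return 'rejected: transfer failed';
    }
    $result = check_csv_response($code, $raw, $required_fields);
    if ($result === 'ok') {
        file_put_contents($newfile, $raw, LOCK_EX);
    }
    return $result;
}

// Constructed sample responses so the check runs without a network.
$samples = array(
    array(404, '<html><body>Not Found</body></html>'),
    array(200, '<html><body>Page served where the csv should be</body></html>'),
    array(200, "symbiostock_site,admin_email,symbiostock_version\nhttps://a.example,me@a.example,2.1\n"),
);
foreach ($samples as $s) {
    echo check_csv_response($s[0], $s[1], $required_fields), "\n";
}
```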
