Issue
Having worked with several APIs, I found that almost all of them use curl to demonstrate a sample authenticated/unauthenticated request.
My question is:
How dangerous would it be to use shell_exec( % some curl string % ); on a server in a production environment to make requests?
What exactly are the additional risks associated with that?
The system that PHP "natively" uses for requests is the curl package, which provides a wrapper for curl functionality and probably results in pure curl after compilation.
However, it's cumbersome and quite wordy to write.
I did some tests, and shell_exec appears to work fine.
For instance, the following code returns results completely as expected; the $json is formatted perfectly well.
```php
<?php
// Run the curl CLI from PHP and capture its stdout; the token is redacted.
$res = shell_exec('curl "https://www.zohoapis.com/crm/v2/settings/profiles" -H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"');
// Decode the JSON body as an associative array.
$json = json_decode($res, true);
var_dump($json, $res);
```
Considering that the actual action that happens deep on the server should be completely identical, and that there's no significant difference in the process (there's no user input involved anyway, the data used is the same, etc.), I don't see any possible negative effect or additional risks that might be incurred by the use of shell_exec.
On the other hand, the potential benefits would be quite significant.
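The question asks what the additional risk actually is. The following is an added example, not code from the question or the answer: it takes the question's hard-coded command and shows what happens the moment the token or URL becomes a variable (read from configuration, a database row, or a refreshed-token response), and what escapeshellarg() changes. The hostile token value is constructed for illustration, and the printf substitution is a harness so the commands can be inspected offline without contacting Zoho.

```php
<?php
// Added example (not from the original post): what changes once the token or
// URL inside the shell_exec() string is no longer a literal. POSIX shell only;
// escapeshellarg() quotes differently on Windows.
declare(strict_types=1);

$url = 'https://www.zohoapis.com/crm/v2/settings/profiles';

// Constructed hostile "token": closes curl's double-quoted -H argument and
// chains a second command. Hypothetical value, built here for the demo.
$hostile = '1000.abc" ; id ; echo "';

// Interpolation exactly like the question's hard-coded example. /bin/sh parses
// the whole string, so " ; ` $ inside $token or $url are shell syntax.
function naiveCommand(string $url, string $token): string
{
    return 'curl "' . $url . '" -H "Authorization: Zoho-oauthtoken ' . $token . '"';
}

// escapeshellarg() single-quotes each argument and escapes embedded single
// quotes, so each value reaches curl as exactly one argv entry. -f makes curl
// exit non-zero on HTTP 4xx/5xx instead of handing the error body back as
// if the call had succeeded.
function safeCommand(string $url, string $token): string
{
    return 'curl -sS -f ' . escapeshellarg($url)
        . ' -H ' . escapeshellarg('Authorization: Zoho-oauthtoken ' . $token);
}

// Offline harness: swap the leading "curl" for printf so the shell prints each
// argv entry it would have passed to curl on its own line, without any request.
function showArgv(string $cmd): string
{
    if (strncmp($cmd, 'curl ', 5) !== 0) {
        throw new InvalidArgumentException('expected a curl command');
    }
    $probe = 'printf "%s\n" ' . substr($cmd, 5);
    return (string) shell_exec($probe);
}

echo "--- naive ---\n", showArgv(naiveCommand($url, $hostile));
// The output contains the uid/gid line of the PHP worker: "id" was executed
// with the web server's privileges, and the header was silently truncated.

echo "--- escaped ---\n", showArgv(safeCommand($url, $hostile));
// One line per argument (-sS, -f, the URL, -H, the full header); the hostile
// token is just an odd-looking header value and nothing else runs.
```

Two further differences stay even with correct escaping. shell_exec() returns only stdout and discards the exit status, so a 401 with -f comes back as empty output and without -f as an error body that json_decode() will happily parse; exec() with its $result_code argument or proc_open() is needed to see the status. And while curl is running, the full command line, token included, is readable by other local accounts through ps or /proc/<pid>/cmdline, which an in-process request through the curl extension never exposes.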
Solution
That's quite some overhead (escapeshellarg, exec/proc_open) just to avoid a builtin API. There are quite a lot of CLI tools (ffmpeg, uno/soffice, …) you should prefer over quirky in-PHP implementations. curl does not fall in that category.
If you don't want to use Guzzle or the more cross-languagey PHPRequests, then go for a simpler curl wrapper.
- See e.g. yesterday's reddit post for a basic variant.
Or even curl().php, which I made and use:
```php
$res = curl($api_url)->httpheader(["Auth: …"])->exec();
```
See? It doesn't have to be obtuse. The class interface is merely about avoiding the CURL_ prefixes and retaining the existing function/option names. (Because, yes, of course, the raw PHP curl API is awful.)
And you'll avoid hardcoding and repeating the auth key for different endpoints.
Answered By - mario Answer Checked By - David Marino (WPSolving Volunteer)
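The answer recommends the builtin API over shelling out and says the wrapper is mostly about not repeating the auth key per endpoint. As an added example, not the answer author's curl().php or any library named on the page, here is the question's request done with PHP's own curl extension: the token comes from the environment (ZOHO_TOKEN is an assumed variable name), the HTTP status is checked before the body is decoded, and the options that matter for a bearer token are set explicitly. The endpoint URL is the one from the question.

```php
<?php
// Added example (not from the original post or the author's wrapper): the
// same Zoho request through the curl extension, no shell involved.
declare(strict_types=1);

/**
 * GET a JSON resource with a Zoho OAuth token and return it decoded.
 *
 * @return array<string,mixed>
 * @throws RuntimeException on transport error, non-2xx status, or bad JSON
 */
function zohoGet(string $url, string $token): array
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,            // hand the body back instead of printing it
        CURLOPT_HTTPHEADER     => ['Authorization: Zoho-oauthtoken ' . $token],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse anything but https for this handle
        CURLOPT_FOLLOWLOCATION => false,           // a redirect would carry the token to a new host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_SSL_VERIFYPEER => true,            // the default, stated so nobody flips it "to fix an error"
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $errno !== 0) {
        throw new RuntimeException("curl error $errno: $error");
    }
    if ($status < 200 || $status >= 300) {
        // shell_exec() would have handed this body straight to json_decode()
        throw new RuntimeException("HTTP $status from $url: " . substr((string) $body, 0, 200));
    }
    $data = json_decode((string) $body, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('expected a JSON object or array');
    }
    return $data;
}

// Read the token once from the environment instead of pasting it into each call.
$token = getenv('ZOHO_TOKEN');
if ($token === false || $token === '') {
    fwrite(STDERR, "ZOHO_TOKEN is not set\n");
    exit(1);
}

$profiles = zohoGet('https://www.zohoapis.com/crm/v2/settings/profiles', $token);
var_dump($profiles);
```

Run it with the token in the environment (for example `ZOHO_TOKEN=... php zoho.php`); the process list then shows only the script name, and a 401 or a TLS failure surfaces as an exception rather than as a null or an error document that looks like a successful response.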