原文网址:https://www.youyong.top/article/1158dfb6eb3e
踩到一个php curl的坑
原文网址:https://www.youyong.top/article/1158dfb6eb3e
$aPost = array(
'file' => "@".$localFile,
'default_file' => 'html_version.html',
'expiration' => (2*31*24*60*60)
)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $apiurl);
curl_setopt($ch, CURLOPT_TIMEOUT, 120);
curl_setopt($ch, CURLOPT_BUFFERSIZE, 128);
curl_setopt($ch, CURLOPT_POSTFIELDS, $aPost);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$sResponse = curl_exec ($ch);- 显然上面代码 采用
file => @ . realpath(xxx)方式看似没问题,也是大家常用上传方法。 - 但是php5.6 @realpath 这样方法突然失效,server 接到不到post 的临时文件。
- 问题在 stackoverflow 上找到了答案
Actually I found the answer while starting the question. There is a new Variable included with curl in PHP 5.5: CURLOPT_SAFE_UPLOAD this is set to false by default in PHP 5.5 and is switched to a default of true in PHP 5.6.
This will prevent the '@' upload modifier from working for security reasons - user input could contain malicious upload requests. You can use the CURLFile class to upload files while CURLOPT_SAFE_UPLOAD is set to true or (if you're sure your variables are safe you can switch the CURLOPT_SAFE_UPLOAD to false manually):
curl_setopt($ch, CURLOPT_SAFE_UPLOAD, false);
PHP 5.5另外引入了CURL_SAFE_UPLOAD选项,可以强制PHP的cURL模块拒绝旧的@语法,仅接受CURLFile式的文件。5.5的默认值为false,5.6的默认值为true。Are you fuck kidding me?!
解决方法
- 最优解当然是保持php各环境版本统一,建议是最新稳定版
- 次优解是:
if (class_exists('\CURLFile')) { $field = array('fieldname' => new \CURLFile(realpath($filepath))); } else { $field = array('fieldname' => '@' . realpath($filepath)); }代码应该回归本源。我们的实际需求其实是:有CURLFile就优先采用,没有再退化到传统@语法
- 最lowB的解:
if (version_compare(phpversion(), '5.4.0') >= 0)版本号莫名其妙的出现在代码之中,不查半天PHP手册和更新历史,很难明白作者被卡在了哪个功能的变更上。
查找官方根源
- 打开http://php.net/manual/zh/function.curl-setopt.php(中文版) ctrl+F CURLOPT_SAFE_UPLOAD, 没找到!
- 打开http://php.net/manual/en/function.curl-setopt.php (英文版) 同样查找 终于找到了
- 果然如上所说php5.6默认不支持@ curl上传了,用curlFile代替了。啃爹的是中文文档没记录!@phpGroup @鸟哥 管不管?
