{
    "slug": "curl_functions",
    "term": "cURL in PHP",
    "category": "php",
    "difficulty": "intermediate",
    "short": "PHP's cURL extension enables making HTTP, FTP, and other protocol requests — the standard way to consume external APIs and services.",
    "long": "PHP's cURL extension (libcurl bindings) supports HTTP/1.1, HTTP/2, HTTPS, FTP, proxies, authentication, cookies, and multipart uploads. Key security considerations: never disable CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST in production — always validate certificates with a trusted CA bundle. Set timeouts (CURLOPT_CONNECTTIMEOUT, CURLOPT_TIMEOUT) to prevent hanging requests. Use CURLOPT_FOLLOWLOCATION cautiously — it can enable SSRF, because a redirect response can send the request on to an internal address that a check of the original URL never saw. For modern code, consider Guzzle (which wraps cURL) for a cleaner API, middleware support, async requests, and automatic retry logic.",
    "aliases": [
        "PHP cURL",
        "curl_exec",
        "HTTP client PHP"
    ],
    "tags": [
        "php",
        "http",
        "networking"
    ],
    "misconception": "Assuming that cURL in PHP always verifies SSL certificates. CURLOPT_SSL_VERIFYPEER defaults to true in modern PHP builds, but some hosts and tutorials set it to false to avoid certificate errors, which silently removes that protection — always ensure SSL verification (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST) is enabled in production cURL calls.",
    "why_it_matters": "PHP's cURL functions are the primary way to make outbound HTTP requests — misconfigured cURL options create SSRF, MITM, and credential exposure vulnerabilities.",
    "common_mistakes": [
        "Setting CURLOPT_SSL_VERIFYPEER to false — disables certificate validation entirely, enabling MITM.",
        "Not setting a CURLOPT_TIMEOUT — a slow server blocks the PHP process indefinitely.",
        "Passing user-controlled URLs to curl_init() without IP validation — enables SSRF.",
        "Not checking curl_errno() and curl_error() after execution — silent failures masquerade as empty responses."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "ssrf",
        "insecure_tls",
        "allow_url_fopen"
    ],
    "prerequisites": [
        "http_request_response_cycle",
        "ssl_certificate_types",
        "connection_pooling"
    ],
    "refs": [
        "https://www.php.net/manual/en/book.curl.php",
        "https://docs.guzzlephp.org/"
    ],
    "bad_code": "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // disables certificate validation",
    "good_code": "curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');\ncurl_setopt($ch, CURLOPT_TIMEOUT, 10);",
    "quick_fix": "Always set CURLOPT_TIMEOUT and keep CURLOPT_SSL_VERIFYPEER=true; if CURLOPT_FOLLOWLOCATION is enabled, pair it with CURLOPT_MAXREDIRS — never disable SSL verification in production",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/curl_functions",
        "html_url": "https://codeclaritylab.com/glossary/curl_functions",
        "json_url": "https://codeclaritylab.com/glossary/curl_functions.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[cURL in PHP](https://codeclaritylab.com/glossary/curl_functions) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/curl_functions"
            }
        }
    }
}