Here’s my problem:
function parse_xml_to_json($url) { $fileContents = file_get_contents($url); $simpleXml = simplexml_load_string($fileContents, null , LIBXML_NOCDATA); $json = json_encode($simpleXml); return $json; } $jsonto = parse_xml_to_json('myxmlfile.html'); echo $jsonto;
Essentially I need to use an XML file from an external source and loop it through to display nicely some data.
I created a function that gets content from the external URL (file_get_contents), then I turn the string of XML into an object (I use LIBXML_NOCDATA as a parameter because it contains ), right after I turn the object into a JSON file and for the very last step, I echo the result.
So far so good, it worked but I’m wondering if I can do anything if the XML file contains a malicious script or else.
Is the function simplexml_load_string and then the JSON encode enough to prevent a malicious script or an invalid XML?
Advertisement
Answer
You code is prone to a Denial of Service (DOS) attack.
$fileContents = file_get_contents($url);
This can blow your memory limit. Or come close to, while taking a long time (the server you request the data from stales in the middle after providing a lot of content – and then only some little bytes each couple of seconds). So your script will “hang” while consuming the memory.
If the script can then be triggered with another HTTP request multiple times, this can consume your servers resources (the echo statement suggests this is entirely possible).