dan-coulter / phpflickr

PHP Wrapper for the Flickr API
GNU General Public License v2.0

Code needs updates for revised Flickr API #57

Closed csandvig closed 2 years ago

csandvig commented 9 years ago

Flickr has made a couple of changes to its API that break the current code and example. The API now requires SSL. Modify phpFlickr.php by adding the following two lines after line 227:

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);

The response has also changed and example.php does not work. Replace code in example.php with the following:

$apiKey = "yourKey";
require_once("phpFlickr.php");

$f = new phpFlickr($apiKey);

$response = $f->photos_getRecent();

//check that response is array
echo "response: " . gettype($response) . "\n";

ListResponseElements($response);

function ListResponseElements($response, $indent = "") {
    $indent .= "    ";
    foreach ($response as $key => $value) {
        if (is_array($value)) {
            echo "$indent array: $key; Count: " . count($value) . "\n";
            ListResponseElements($value, $indent);
        } else {
            //list non-array elements
            echo "$indent key: $key; value: $value\n";
        }
    }
}

bierens42 commented 9 years ago

When I use photosets_getList in this example, I get response: boolean. Is it possible that I need to change something in the script?

phlbnks commented 9 years ago

I wouldn't have got this working without this comment - thanks! However it does produce a slight security hole as described here: https://learntech.imsu.ox.ac.uk/blog/?p=981 The short version is that you should supply a Certificate bundle to CURL instead of turning SSL verification off.

csandvig commented 9 years ago

Phil –

Were you able to successfully implement a curl certificate bundle? I downloaded the .pem file and included the curl option CURLOPT_CAINFO in my script as suggested in the article you referenced. I receive the same message I received prior to disabling VerifyPeer and VerifyHost:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

According to this post CURLOPT_CAINFO essentially implements curl’s default behavior. http://security.stackexchange.com/questions/60696/curl-cert-validation-with-curlopt-cainfo-not-working

My code after line 227 of phpFlickr.php is as follows:

$CertBundlePath = realpath("includes/cacert.pem");
curl_setopt($curl, CURLOPT_CAINFO, $CertBundlePath);
//curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
//curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($curl);
if (curl_errno($curl)) {
    echo 'Curl error: ' . curl_error($curl);
}
curl_close($curl);

Thanks, Chris


phlbnks commented 9 years ago

Hi Chris,

I'm working on something else at the moment and haven't fully implemented this - but it is being used by a WordPress plugin I use called Flickr Justified Gallery, the cURL statement looks like:

$curl = curl_init($this->rest_endpoint);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_CAINFO, dirname(__FILE__) . "/cacert.pem");
$response = curl_exec($curl);
if ($response === false) {
    die('CURL error: "' . curl_error($curl) . '"');
}
curl_close($curl);

It looks like you're implementing it in the same way. My only query would be the realpath() function, I've not used it before, so I'd check by dumping the output - as in put a test.php in the same directory with just:

<?php
var_dump(realpath("includes/cacert.pem"));

and see if the path it outputs is correct. Sorry I can't be more help! I'll try and remember to come back and update this when I finish setting it up myself in case I find anything else.

phlbnks commented 9 years ago

Chris - just one more thing - you could always try explicitly specifying that it should do the SSL verification with:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

All the best, Phil
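
The approach discussed in the comments above (keep verification on and point cURL at a CA bundle), written out as an added example that is not part of the thread or of phpFlickr. The helper name flickrPost(), the cacert.pem location next to the script, and the endpoint URL and method used in the call are assumptions for illustration.

```php
<?php
// Added example: flickrPost() is a hypothetical helper, not a phpFlickr method.
function flickrPost(string $endpoint, array $data, string $caBundle): string
{
    // realpath() returns false when the file is missing or a relative path is
    // resolved against an unexpected working directory. Handing that value to
    // CURLOPT_CAINFO hides the real cause, so stop here instead.
    $bundle = realpath($caBundle);
    if ($bundle === false || !is_readable($bundle)) {
        throw new RuntimeException("CA bundle not found or unreadable: $caBundle");
    }
    // A usable bundle holds at least one PEM-encoded certificate.
    if (strpos(file_get_contents($bundle), '-----BEGIN CERTIFICATE-----') === false) {
        throw new RuntimeException("No PEM certificates in $bundle");
    }

    $curl = curl_init($endpoint);
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $data,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CAINFO         => $bundle,
        CURLOPT_SSL_VERIFYPEER => true, // validate the chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
    ]);

    $response = curl_exec($curl);
    if ($response === false) {
        // Report the libcurl error number as well as the message, so a
        // verification failure can be told apart from a bad bundle file.
        $message = sprintf('cURL error %d: %s', curl_errno($curl), curl_error($curl));
        curl_close($curl);
        throw new RuntimeException($message);
    }
    curl_close($curl);
    return $response;
}

try {
    // Assumed endpoint and method; "yourKey" is the placeholder from the thread.
    echo flickrPost(
        'https://api.flickr.com/services/rest/',
        ['method' => 'flickr.test.echo', 'api_key' => 'yourKey', 'format' => 'json'],
        __DIR__ . '/cacert.pem'
    );
} catch (RuntimeException $e) {
    echo 'Request failed: ' . $e->getMessage() . "\n";
}
```

Resolving the bundle from `__DIR__` rather than a path relative to the working directory removes one common reason for realpath() returning false.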

Milazzo commented 7 years ago

Dear csandvig, could you help me update the original example.php from phpFlickr? It's not working yet:

foreach ($recent['photos'] as $photo) {
    if(is_array($photo)) {
        $owner = $f->people_getInfo($photo['owner']);
        echo "<a href='https://www.flickr.com/photos/" . $photo['owner'] . "/" . $photo['id'] . "/'>";
        echo $photo['title'];
        echo "</a> Owner: ";
        echo "<a href='https://www.flickr.com/people/" . $photo['owner'] . "/'>";
        echo $owner['username'];
        echo "</a><br>";
    }
}

Thanks!