PHP CURL Requests With HTTPS – Simple Examples

Welcome to a tutorial on how to make CURL requests to HTTPS in PHP. Need to access a secure URL with PHP CURL? Well, we need to specify a couple of extra settings in CURL to do that.

To access an HTTPS protected website with PHP CURL:

  • $ch = curl_init();
  • curl_setopt($ch, CURLOPT_URL, "https://site.com");
  • curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
  • curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
  • curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  • $result = curl_exec($ch);
  • curl_close($ch);

That covers the quick basics, but read on for more examples and details!

ⓘ I have included a zip file with all the source code at the start of this tutorial, so you don’t have to copy-paste everything… Or if you just want to dive straight in.

 

 

QUICK SLIDES

 

TABLE OF CONTENTS

Download & Notes HTTPS CURL Useful Bits & Links
The End

 

DOWNLOAD & NOTES

Firstly, here is the download link to the example code as promised.

 

EXAMPLE CODE DOWNLOAD

Click here to download all the example source code, I have released it under the MIT license, so feel free to build on top of it or use it in your own project.

 

QUICK NOTES

If you spot a bug, please feel free to comment below. I try to answer questions too, but it is one person versus the entire world… If you need answers urgently, please check out my list of websites to get help with programming.

 

 

HTTPS CURL

All right, let us now get into the examples and more details on doing a CURL call to an HTTPS URL.

 

WHAT THE HECK IS HTTPS & WHY

Before we proceed, here’s a quick crash course for the uninitiated –

  • HTTPS stands for “HTTP Secure”.
  • When we access a website via http://, the data exchange is in cleartext. This is vulnerable to “man in the middle” (MITM) attacks, anyone can hijack and read the data.
  • With https://, the data exchange is encrypted. People can still hijack the data, but cannot read the data easily.

That covers the basics, but things are not that simple. Any website can use HTTPS technology, but that does not mean they are safe. For example, a fake phishing website can also use HTTPS, that does not mean it is a legit and safe website.

So apart from encryption, the other part of HTTPS is verification. Not going into the confusing mechanics, but there are third parties known as “certificate authority” (CA). They do the verifications and issue digital certificates; In a single HTTPS session, we are actually encrypting data and checking with various CA for authentication.

 

 

CURL REQUEST TO HTTPS

1-https-curl.php
// (A) CURL INIT
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://code-boxx.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // RETURN SERVER RESPONSE
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // VERIFY SSL CERTIFICATE
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // VERIFY HOST NAME
 
// (B) CURL FETCH
$result = curl_exec($ch);
if (curl_errno($ch)) { echo curl_error($ch); }
else { echo $result; }
curl_close($ch);

All right, this is pretty much the same as the introduction snippet. But as you already know, HTTPS does 2 things – Encryption and verification. Thus, the 2 CURL settings CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST.

P.S. Ever since PHP 7.1 (if I remember correctly), these verification settings are set to “true” by default. Yes, even if you omit these 2 settings, CURL will still automatically do the SSL verification.

 

CURL IGNORE SSL

2-ignore-ssl.php
<?php
// (A) CURL INIT
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://code-boxx.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // RETURN SERVER RESPONSE
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // DON'T VERIFY SSL CERTIFICATE
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // DON'T VERIFY HOST NAME
 
// (B) CURL FETCH
$result = curl_exec($ch);
if (curl_errno($ch)) { echo curl_error($ch); }
else { echo $result; }
curl_close($ch);

Simply disable the verification if you have to work with an unverified host (or expired certificate) for some reason… But don’t do this unless it is for the sole purpose of testing. The verification is there to prevent MITM attacks.

 

 

USEFUL BITS & LINKS

That’s all for the tutorial, and here is a small section on some extras and links that may be useful to you.

 

LINKS & REFERENCES

 

INFOGRAPHIC CHEAT SHEET

PHP HTTPS CURL (click to enlarge)

 

THE END

Thank you for reading, and we have come to the end. I hope that it has helped you to better understand, and if you want to share anything with this guide, please feel free to comment below. Good luck and happy coding!

Leave a Comment

Your email address will not be published. Required fields are marked *