Code needs updates for revised Flickr API
Closed this issue · 6 comments
Flickr has made a couple of changes to its API that break the current code and example. The API now requires SSL. Modify phpFlickr.php by adding the following two lines after line 227:
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
The response has also changed and example.php does not work. Replace code in example.php with the following:
$apiKey = "yourKey";
require_once("phpFlickr.php");
$f = new phpFlickr($apiKey);
$response = $f->photos_getRecent();
//check that response is array
echo "response: " . gettype($response) . "
";
ListResponseElements($response);
function ListResponseElements($response, $indent = "") {
$indent .= " ";
foreach ($response as $key => $value) {
if (is_array($value)) {
echo "$indent array: $key; Count: " . count($value) . "
";
ListResponseElements($value, $indent);
}
else {
//list non-array elements
echo "$indent key: $key; value: $value
";
}
}
}
When i use photosets_getList in this example, i get response: boolean. Is it possible that i need to change something in the script?
I wouldn't have got this working without this comment - thanks!
However it does produce a slight security hole as described here: https://learntech.imsu.ox.ac.uk/blog/?p=981
The short version is that you should supply a Certificate bundle to CURL instead of turning SSL verification off.
Phil –
Were you able successfully implement a curl certificate bundle? I downloaded the .pem file and included the curl option CURLOPT_CAINFO in my script as suggested in the article you referenced. I receive same message I received prior to disabling VerifyPeer and VerifyHost:
SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
According to this post CURLOPT_CAINFO essentially implements curl’s default behavior.
http://security.stackexchange.com/questions/60696/curl-cert-validation-with-curlopt-cainfo-not-working
My code after line 227 of phpFlickr.php is as follows:
$CertBundlePath = realpath("includes/cacert.pem");
curl_setopt($curl, CURLOPT_CAINFO, $CertBundlePath);
//curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
//curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($curl);
if (curl_errno($curl)) {
echo 'Curl error: ' . curl_error($curl);
}
curl_close($curl);
Thanks,
Chris
From: Phil Banks [mailto:notifications@github.com]
Sent: Monday, June 01, 2015 5:26 AM
To: dan-coulter/phpflickr
Cc: Chris Sandvig
Subject: Re: [phpflickr] Code needs updates for revised Flickr API (#57)
I wouldn't have got this working without this comment - thanks!
However it does produce a slight security hole as described here: https://learntech.imsu.ox.ac.uk/blog/?p=981
The short version is that you should supply a Certificate bundle to CURL instead of turning SSL verification off.
—
Reply to this email directly or view it on GitHubhttps://github.com//issues/57#issuecomment-107421984.
Hi Chris,
I'm working on something else at the moment and haven't fully implimented this - but it si being used by a WordPress plugin I use called Flickr Justified Gallery, the cURL statement looks like:
$curl = curl_init($this->rest_endpoint);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_CAINFO, dirname(__FILE__) . "/cacert.pem");
$response = curl_exec($curl);
if ($response === false) {
die('CURL error: "' . curl_error($curl) . '"');
}
curl_close($curl);
It looks like you're impliementing it in the same way. My only query would be the realpath() function, I've not used it before, so I'd check by dumping the output - as in put a test.php in the same directory with just:
<?php
var_dump(realpath("includes/cacert.pem"));
and see is the path it outputs is correct. Sorry I can't be more help! I'll try and remember to come back and update this when I finish setting it up myself in case I find anything else.
Chris - just one more thing - you could always try explicitely specifiying that it should do the SSL verification with:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
All the best,
Phil
Dear csandvig, could you help me updating the original example.php from phpFlickr ?
Its not working yet:
foreach ($recent['photos'] as $photo) {
if(is_array($photo)) {
$owner = $f->people_getInfo($photo['owner']);
echo "<a href='https://www.flickr.com/photos/" . $photo['owner'] . "/" . $photo['id'] . "/'>";
echo $photo['title'];
echo "</a> Owner: ";
echo "<a href='https://www.flickr.com/people/" . $photo['owner'] . "/'>";
echo $owner['username'];
echo "</a><br>";
}
}
thanks !