libcurl-tutorial.3

THIS IS HTTP CURL Example

.IP "FTP Custom Commands"

Not all protocols are HTTP-like, and thus the above may not help you when
you want to make for example your FTP transfers to behave differently.

Sending custom commands to a FTP server means that you need to send the
commands exactly as the FTP server expects them (RFC959 is a good guide
here), and you can only use commands that work on the control-connection
alone. All kinds of commands that requires data interchange and thus needs
a data-connection must be left to libcurl's own judgment. Also be aware
that libcurl will do its very best to change directory to the target
directory before doing any transfer, so if you change directory (with CWD
or similar) you might confuse libcurl and then it might not attempt to
transfer the file in the correct remote directory.

A little example that deletes a given file before an operation:

.nf
 headers = curl_slist_append(headers, "DELE file-to-remove");

 /* pass the list of custom commands to the handle */
 curl_easy_setopt(easyhandle, CURLOPT_QUOTE, headers);

 curl_easy_perform(easyhandle); /* transfer ftp data! */

 curl_slist_free_all(headers); /* free the header list */
.fi

If you would instead want this operation (or chain of operations) to happen
_after_ the data transfer took place the option to \fIcurl_easy_setopt(3)\fP
would instead be called CURLOPT_POSTQUOTE and used the exact same way.

The custom FTP command will be issued to the server in the same order they are
added to the list, and if a command gets an error code returned back from the
server, no more commands will be issued and libcurl will bail out with an
error code (CURLE_QUOTE_ERROR). Note that if you use CURLOPT_QUOTE to send
commands before a transfer, no transfer will actually take place when a quote
command has failed.

If you set the CURLOPT_HEADER to true, you will tell libcurl to get
information about the target file and output "headers" about it. The headers
will be in "HTTP-style", looking like they do in HTTP.

The option to enable headers or to run custom FTP commands may be useful to
combine with CURLOPT_NOBODY. If this option is set, no actual file content
transfer will be performed.

.IP "FTP Custom CUSTOMREQUEST"
If you do what list the contents of a FTP directory using your own defined FTP
command, CURLOPT_CUSTOMREQUEST will do just that. "NLST" is the default one
for listing directories but you're free to pass in your idea of a good
alternative.

.SH "Cookies Without Chocolate Chips"
In the HTTP sense, a cookie is a name with an associated value. A server sends
the name and value to the client, and expects it to get sent back on every
subsequent request to the server that matches the particular conditions
set. The conditions include that the domain name and path match and that the
cookie hasn't become too old.

In real-world cases, servers send new cookies to replace existing one to
update them. Server use cookies to "track" users and to keep "sessions".

Cookies are sent from server to clients with the header Set-Cookie: and
they're sent from clients to servers with the Cookie: header.

To just send whatever cookie you want to a server, you can use CURLOPT_COOKIE
to set a cookie string like this:

 curl_easy_setopt(easyhandle, CURLOPT_COOKIE, "name1=var1; name2=var2;");

In many cases, that is not enough. You might want to dynamically save
whatever cookies the remote server passes to you, and make sure those cookies
are then use accordingly on later requests.

One way to do this, is to save all headers you receive in a plain file and
when you make a request, you tell libcurl to read the previous headers to
figure out which cookies to use. Set header file to read cookies from with
CURLOPT_COOKIEFILE.

The CURLOPT_COOKIEFILE option also automatically enables the cookie parser in
libcurl. Until the cookie parser is enabled, libcurl will not parse or
understand incoming cookies and they will just be ignored. However, when the
parser is enabled the cookies will be understood and the cookies will be kept
in memory and used properly in subsequent requests when the same handle is
used. Many times this is enough, and you may not have to save the cookies to
disk at all. Note that the file you specify to CURLOPT_COOKIEFILE doesn't
have to exist to enable the parser, so a common way to just enable the parser
and not read able might be to use a file name you know doesn't exist.

If you rather use existing cookies that you've previously received with your
Netscape or Mozilla browsers, you can make libcurl use that cookie file as
input. The CURLOPT_COOKIEFILE is used for that too, as libcurl will
automatically find out what kind of file it is and act accordingly.

The perhaps most advanced cookie operation libcurl offers, is saving the
entire internal cookie state back into a Netscape/Mozilla formatted cookie
file. We call that the cookie-jar. When you set a file name with
CURLOPT_COOKIEJAR, that file name will be created and all received cookies
will be stored in it when \fIcurl_easy_cleanup(3)\fP is called. This enabled
cookies to get passed on properly between multiple handles without any
information getting lost.

.SH "FTP Peculiarities We Need"

FTP transfers use a second TCP/IP connection for the data transfer. This is
usually a fact you can forget and ignore but at times this fact will come
back to haunt you. libcurl offers several different ways to custom how the
second connection is being made.

libcurl can either connect to the server a second time or tell the server to
connect back to it. The first option is the default and it is also what works
best for all the people behind firewalls, NATs or IP-masquerading setups.
libcurl then tells the server to open up a new port and wait for a second
connection. This is by default attempted with EPSV first, and if that doesn't
work it tries PASV instead. (EPSV is an extension to the original FTP spec
and does not exist nor work on all FTP servers.)

You can prevent libcurl from first trying the EPSV command by setting
CURLOPT_FTP_USE_EPSV to FALSE.

In some cases, you will prefer to have the server connect back to you for the
second connection. This might be when the server is perhaps behind a firewall
or something and only allows connections on a single port. libcurl then
informs the remote server which IP address and port number to connect to.
This is made with the CURLOPT_FTPPORT option. If you set it to "-", libcurl
will use your system's "default IP address". If you want to use a particular
IP, you can set the full IP address, a host name to resolve to an IP address
or even a local network interface name that libcurl will get the IP address
from.

When doing the "PORT" approach, libcurl will attempt to use the EPRT and the
LPRT before trying PORT, as they work with more protocols. You can disable
this behavior by setting CURLOPT_FTP_USE_EPRT to FALSE.

.SH "Headers Equal Fun"

Some protocols provide "headers", meta-data separated from the normal
data. These headers are by default not included in the normal data stream,
but you can make them appear in the data stream by setting CURLOPT_HEADER to
TRUE.

What might be even more useful, is libcurl's ability to separate the headers
from the data and thus make the callbacks differ. You can for example set a
different pointer to pass to the ordinary write callback by setting
CURLOPT_WRITEHEADER.

Or, you can set an entirely separate function to receive the headers, by
using CURLOPT_HEADERFUNCTION.

The headers are passed to the callback function one by one, and you can
depend on that fact. It makes it easier for you to add custom header parsers
etc.

\&"Headers" for FTP transfers equal all the FTP server responses. They aren't
actually true headers, but in this case we pretend they are! ;-)

.SH "Post Transfer Information"

 [ curl_easy_getinfo ]

.SH "Security Considerations"

libcurl is in itself not insecure. If used the right way, you can use libcurl
to transfer data pretty safely.

There are of course many things to consider that may loosen up this
situation:

.IP "Command Lines"
If you use a command line tool (such as curl) that uses libcurl, and you give
option to the tool on the command line those options can very likely get read
by other users of your system when they use 'ps' or other tools to list
currently running processes.

To avoid this problem, never feed sensitive things to programs using command
line options.

.IP ".netrc"
\&.netrc is a pretty handy file/feature that allows you to login quickly and
automatically to frequently visited sites. The file contains passwords in
clear text and is a real security risk. In some cases, your .netrc is also
stored in a home directory that is NFS mounted or used on another network
based file system, so the clear text password will fly through your network
every time anyone reads that file!

To avoid this problem, don't use .netrc files and never store passwords in
plain text anywhere.

.IP "Clear Text Passwords"
Many of the protocols libcurl supports send name and password unencrypted as
clear text (HTTP Basic authentication, FTP, TELNET etc). It is very easy for
anyone on your network or a network nearby yours, to just fire up a network
analyzer tool and eavesdrop on your passwords. Don't let the fact that HTTP
uses base64 encoded passwords fool you. They may not look readable at a first
glance, but they very easily "deciphered" by anyone within seconds.

To avoid this problem, use protocols that don't let snoopers see your
password: HTTPS, FTPS and FTP-kerberos are a few examples. HTTP Digest
authentication allows this too, but isn't supported by libcurl as of this
writing.

.IP "Showing What You Do"
On a related issue, be aware that even in situations like when you have
problems with libcurl and ask someone for help, everything you reveal in order
to get best possible help might also impose certain security related
risks. Host names, user names, paths, operating system specifics etc (not to
mention passwords of course) may in fact be used by intruders to gain
additional information of a potential target.

To avoid this problem, you must of course use your common sense. Often, you
can just edit out the sensitive data or just search/replace your true
information with faked data.

.SH "Multiple Transfers Using the multi Interface"

The easy interface as described in detail in this document is a synchronous
interface that transfers one file at a time and doesn't return until its
done.

The multi interface on the other hand, allows your program to transfer
multiple files in both directions at the same time, without forcing you to
use multiple threads.

To use this interface, you are better off if you first understand the basics
of how to use the easy interface. The multi interface is simply a way to make
multiple transfers at the same time, by adding up multiple easy handles in to
a "multi stack".

You create the easy handles you want and you set all the options just like you
have been told above, and then you create a multi handle with
\fIcurl_multi_init(3)\fP and add all those easy handles to that multi handle
with \fIcurl_multi_add_handle(3)\fP.

When you've added the handles you have for the moment (you can still add new
ones at any time), you start the transfers by call
\fIcurl_multi_perform(3)\fP.

\fIcurl_multi_perform(3)\fP is asynchronous. It will only execute as little as
possible and then return back control to your program. It is designed to never
block. If it returns CURLM_CALL_MULTI_PERFORM you better call it again soon,
as that is a signal that it still has local data to send or remote data to
receive.

The best usage of this interface is when you do a select() on all possible
file descriptors or sockets to know when to call libcurl again. This also
makes it easy for you to wait and respond to actions on your own application's
sockets/handles. You figure out what to select() for by using
\fIcurl_multi_fdset(3)\fP, that fills in a set of fd_set variables for you
with the particular file descriptors libcurl uses for the moment.

When you then call select(), it'll return when one of the file handles signal
action and you then call \fIcurl_multi_perform(3)\fP to allow libcurl to do
what it wants to do. Take note that libcurl does also feature some time-out
code so we advice you to never use very long timeouts on select() before you
call \fIcurl_multi_perform(3)\fP, which thus should be called unconditionally
every now and then even if none of its file descriptors have signaled
ready. Another precaution you should use: always call
\fIcurl_multi_fdset(3)\fP immediately before the select() call since the
current set of file descriptors may change when calling a curl function.

If you want to stop the transfer of one of the easy handles in the stack, you
can use \fIcurl_multi_remove_handle(3)\fP to remove individual easy
handles. Remember that easy handles should be \fIcurl_easy_cleanup(3)\fPed.

When a transfer within the multi stack has finished, the counter of running
transfers (as filled in by \fIcurl_multi_perform(3)\fP) will decrease. When
the number reaches zero, all transfers are done.

\fIcurl_multi_info_read(3)\fP can be used to get information about completed
transfers. It then returns the CURLcode for each easy transfer, to allow you
to figure out success on each individual transfer.

.SH "SSL, Certificates and Other Tricks"

 [ seeding, passwords, keys, certificates, ENGINE, ca certs ]

.SH "Sharing Data Between Easy Handles"

 [ fill in ]

.SH "Footnotes"

.IP "[1]"
libcurl 7.10.3 and later have the ability to switch over to chunked
Transfer-Encoding in cases were HTTP uploads are done with data of an unknown
size.
.IP "[2]"
This happens on Windows machines when libcurl is built and used as a
DLL. However, you can still do this on Windows if you link with a static
library.
.IP "[3]"
The curl-config tool is generated at build-time (on unix-like systems) and
should be installed with the 'make install' or similar instruction that
installs the library, header files, man pages etc.