CurlFile and the Facebook SDK in PHP 5.5

Posted: 2013-08-29
Category: PHP

One of the features implemented in PHP 5.5 was CurlFile, a nice addition to the Curl extension to allow you to specify specific arguments as a file for upload.

In previous versions (pre-PHP 5.5) the syntax looked like this:

$facebook->api("/me/photos", 'POST', [
    'source' => '@/foo/bar.jpg',
    'message' => $message,

If you're lucky enough to be working with PHP 5.5 that code will throw a deprecated warning:

curl_setopt_array(): The usage of the @filename API for file uploading is deprecated. Please use the CURLFile class instead

I have an error handler which will throw any warnings/notices/etc as ErrorException to help me debug stuff locally and on my testing servers, and this was something that started happening. A little digging around lead me to try this syntax:

$facebook->api("/me/photos", 'POST', [
    'source' => new CURLFile('/foo/bar.jpg', 'image/jpeg'),
    'message' => $message,

Sadly while Curl was happy with this, the Facebook PHP SDK (v3.2.2) was not. It turns out the SDK will turn ANY value you send it in that params array into a string. Meaning this was being sent up:

array(4) { 'source' => string(70) "{"name":"\/foo\/bar.jpg","mime":"image\/jpeg","postname":""}" 'message' => string(20) "This is another test" 'method' => string(4) "POST" 'access_token' => string(214) "sneakysneaky" }

So, the CurlFile instance was being converted to JSON. Not helpful.

I fixed this up with a super-simple pull request which will hopefully be merged and be released as v3.2.3, as we can't have the Facebook SDK just not work with PHP 5.5.

If you'd like to use my fork in the mean-time, just shove this in your composer.json and run a composer update:

    "repositories": [
            "type": "vcs",
            "url": ""

This is not a fault with the Facebook SDK directly and I'm going to patch any other libraries I come across with this issue. If you're using PHP 5.5 please do the same with anything you come across and others won't have to worry about this at all.

P.S If anyone is wondering about the usefulness of CurlFile, have you remembered to protect your user-contributed inputs to make them not start with @? If you don't, somebody creating a caption with "@Phil Hey Buddy!" will try to upload a file from your server called "Phil Hey Buddy!". There are more than a few security implications there, so forcing people to wrap their file uploads up is going to save a lot of problems. If you're still on PHP 5.4 do something like this:

(substr($message, 0, 1) === '@') and $message = '.'.$message;


Bram Van Der Sype


Hi Phil, thanks for sharing.

I'm very interested in the "I have an error handler which will throw any warnings/notices/etc as ErrorException" bit. Have you ever written anything on it? Or could you provide a link with an implementation example? I've cursed multiple times at PHP for throwing errors instead of exceptions.

Norman S.


Hey Bram,

a basic snippet for that would be:

seterrorhandler(function($errno, $errstr, $errfile, $errline) { throw new ErrorException($errstr, 0, $errno, $errfile, $errline); });

Additionally you could customize the error message depending on $errno (ENOTICE, EWARNING, etc.) or something like that

Best regards

Claudio Romano


You're wrong when you say: "we can't have the Facebook SDK just not work with PHP 5.5"

I had the same problem and found a way to make it work. In my particular case, I'm making calls to the SDK from different classes (a few of those calls are build dynamically), so I couldn't change the code of those classes. I needed to fix it from inside the SDK.

Changing a few lines inside the base_facebook.php will make the trick. I have been running this code on a PHP 5.5 server for a few months publishing photos and albums, and everything is working ok.

Here is the code:

I'm sure facebook will fix this problem someday, but in the meantime this will get things work.

Posting comments after three months has been disabled.