From ee43f8c37dc51ecd1b88d3d89a102914b0a7d85b Mon Sep 17 00:00:00 2001 From: programmin1 Date: Wed, 13 Jan 2021 20:37:39 -0800 Subject: [PATCH] Revised SSL This seems to be outdated and old, inaccurate. At least where I've tested it here. --- book/lang/en/source/Input-Validation.rst | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/book/lang/en/source/Input-Validation.rst b/book/lang/en/source/Input-Validation.rst index e6531c9..390b693 100644 --- a/book/lang/en/source/Input-Validation.rst +++ b/book/lang/en/source/Input-Validation.rst @@ -202,7 +202,7 @@ Due to a widespread perception that encryption prevents MITM attacks, many appli $body = file_get_contents('https://api.example.com/search?q=sphinx'); -The above suffers from an obvious MITM vulnerability and any data resulting from such a HTTPS request can never be considered as representing a response from the intended service. This request should have been made by enabling server verification as follows: +The above suffers from an obvious MITM vulnerability on SOME systems, and any data resulting from such a HTTPS request can never be considered as representing a response from the intended service. This request should have been made by enabling server verification as follows: .. code-block:: php :linenos: 
@@ -210,6 +210,14 @@ The above suffers from an obvious MITM vulnerability and any data resulting from $context = stream_context_create(array('ssl' => array('verify_peer' => TRUE))); $body = file_get_contents('https://api.example.com/search?q=sphinx', false, $context); +On other systems such as php8 on Ubuntu 18.04, and the default PHP7.2 on Ubuntu 18.04, this is not necessary, and the following test will give an exception as it should: + +.. code-block:: php + :linenos: + + $body = file_get_contents('https://wrong.host.badssl.com/'); + + Returning to sanity, the cURL extension does enable server verification out of the box so no option setting is required. However, programmers may demonstrate the following crazy approach to securing their libraries and applications. This one is easy to search for in any libraries your web application will depend on. .. code-block:: php @@ -223,4 +231,4 @@ Web applications can often behave as a proxy for user actions, e.g. acting as a Conclusion ========== -TBD \ No newline at end of file +TBD
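Review bot: "on SOME systems" in the first hunk (`-202,7 +202,7`) leaves the reader with no way to tell which systems are meant, and it now contradicts the rest of the same sentence, which still says data from such a request "can never be considered" as coming from the intended service. The distinction is the PHP version, not the operating system: from PHP 5.6 the stream wrappers default `verify_peer` (and `verify_peer_name`) to true, so the bare `file_get_contents('https://...')` call is only exposed to MITM on PHP older than 5.6 or where a caller has explicitly disabled verification. Suggest naming the version instead of the vague qualifier, e.g. "The above suffers from an obvious MITM vulnerability on PHP versions before 5.6, where peer verification was off by default, and on those versions any data resulting from such a HTTPS request can never be considered as representing a response from the intended service." The capitalised "SOME" should go in any case.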
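Review bot: "the following test will give an exception as it should" in the second hunk (`-210,6 +210,14`) is not what `file_get_contents` does: a failed certificate check does not throw, the function emits an E_WARNING ("failed to open stream" / "SSL operation failed") and returns false, so a test written to catch an exception would never observe the failure unless an error handler converts warnings to exceptions. Say "will fail with a warning and return false" and have the snippet check `$body === false`. The same sentence frames the default as a distribution matter ("php8 on Ubuntu 18.04, and the default PHP7.2 on Ubuntu 18.04"); the behaviour follows from the PHP version (5.6 and later verify by default), so state the version and drop "On other systems". Two smaller points: "this is not necessary" has no clear antecedent, it should say that passing `verify_peer` is unnecessary; and "php8" / "PHP7.2" are written inconsistently. It is also worth a sentence that `wrong.host.badssl.com` is a live external host, so the snippet needs network access to demonstrate anything.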
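Review bot: the last hunk (`-223,4 +231,4`) only adds the missing newline after `TBD`; it is harmless but unrelated to the SSL revision, so either leave it out to keep the diff focused or mention it in the commit message so reviewers are not left looking for a content change.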