Re: [PHP] POST without POSTing

[Tommy Pham]

- Original Message 
 From: Daniel Brown danbr...@php.net
 To: Paul M Foster pa...@quillandmouse.com
 Cc: php-general@lists.php.net
 Sent: Wednesday, September 30, 2009 9:58:18 PM
 Subject: Re: [PHP] POST without POSTing
 
 On Thu, Oct 1, 2009 at 00:41, Paul M Foster wrote:
 
  fsockopen() appears to be part of the standard network functions in PHP,
  like the header() function. Do you mean that many hosts support the
  function (as part of PHP) but don't support its use with external hosts?
  Is there a way to determine this support from looking at phpinfo()?
 
 fsockopen() is a socket function, as the name suggests.  Hosts can
 disable the usage of sockets.  In fact, check Google and you'll see
 several folks complaining of their host having it disabled.

If the service provider uses jails on *BSD, then sockets are definitely 
disabled for security reasons.  They don't want you to hack into other people's 
jail(s) ;)

 
 As for fopen(), there's a php.ini value `allow_url_fopen` that a
 lot of hosts have set to 'no,' I'm sure with the intent to increase
 security but when you can still use cURL and exec('wget'), it kind
 of defeats the purpose.
 
 -- 
 
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Kirk . Johnson]

Paul M Foster pa...@quillandmouse.com wrote on 09/30/2009 09:29:17 PM:

 [PHP] POST without POSTing
 
 Paul M Foster 
 
 to:
 
 php-general
 
 09/30/2009 09:31 PM
 
 I have a form that collects certain info via POST. It is re-entrant, so
 when the user hits the submit button, it checks the input and does
 whatever sanity checks it needs to. If all is okay, it must now pass
 some of that info to another URL (offsite) via POST. Normally, the
 information would be passed via a series of GET variables or SESSION
 variables. But in this case the site the user is being directed to must
 receive the information via POST.

Google posttohost rasmus. It's a classic from the Master at the turn of 
the century ;)

Kirk

Re: [PHP] POST without POSTing

[Paul M Foster]

On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:

 On Wed, Sep 30, 2009 at 23:29, Paul M Foster pa...@quillandmouse.com wrote:
 
  I'm not sure how to do this. Please no exotic external libraries my
  shared hosting provider doesn't include. RTFM will be fine; just tell me
  which Fine Manual to Read.
 
 Nothing too exotic at all, Paul.  Check out cURL:
 
 http://php.net/curl

Okay, I've figured out how to shove the data through cURL to the
receiving URL, but then it occurred to me that the client browser must
go there *as well*.

Will curl_exec() do that on its own, or is there a parameter I need to
feed it?

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Daniel Brown]

On Thu, Oct 1, 2009 at 16:14, Paul M Foster pa...@quillandmouse.com wrote:

 Okay, I've figured out how to shove the data through cURL to the
 receiving URL, but then it occurred to me that the client browser must
 go there *as well*.

 Will curl_exec() do that on its own, or is there a parameter I need to
 feed it?

So you need to have the *client* post the information?  You may
want to look into a JavaScript solution, like an
onload/document.form.post action.

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Paul M Foster]

On Thu, Oct 01, 2009 at 04:23:46PM -0400, Daniel Brown wrote:

 On Thu, Oct 1, 2009 at 16:14, Paul M Foster pa...@quillandmouse.com wrote:
 
  Okay, I've figured out how to shove the data through cURL to the
  receiving URL, but then it occurred to me that the client browser must
  go there *as well*.
 
  Will curl_exec() do that on its own, or is there a parameter I need to
  feed it?
 
 So you need to have the *client* post the information?  You may
 want to look into a JavaScript solution, like an
 onload/document.form.post action.

Javascript would be a bad solution. If the user has this turned off,
they can't use the site.

Let me be less opaque. This is a page where a user will fill in some
personal information, and then select an amount to donate to this cause.
The intent is to pass some information that the merchant service company
needs (like merchant number and item selected) to their secure URL. The
problem is that, before I just pass the information off to them, I want
to make sure the user has properly filled out this form. So I have to
validate it. That's done in the background on the server, naturally. But
once the validating is done, it's time to send the user off to the
secure site with a payload of POST variables. At that point, the user
will enter credit card info and such, and continue the transaction.

So I need to find a way to direct the user's browser to the secure site
with their payload of POST variables. The more I look at this, the more
it looks like cURL won't do it, and Javascript has the obvious down
side.

I'm afraid the only way to do this may be to validate everything, pass
the values off to a confirmation page, where the user has to hit
Proceed, and *that* page goes directly to the secure server with its
POST payload.

If anyone has a better idea, let me know. Hopefully I've explained it
adequately to make the problem clear.

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Ben Dunlap]

 to make sure the user has properly filled out this form. So I have to
 validate it. That's done in the background on the server, naturally. But
 once the validating is done, it's time to send the user off to the
 secure site with a payload of POST variables. At that point, the user
 will enter credit card info and such, and continue the transaction.

You're describing what a 307 redirect is supposed to accomplish:

header(Location: $secure_url, TRUE, 307);

But I've heard that not all browsers comply with the HTTP spec on this
point. Might be worth testing a bit, though -- maybe your typical
audience doesn't tend to use non-compliant browsers.

 So I need to find a way to direct the user's browser to the secure site
 with their payload of POST variables. The more I look at this, the more
 it looks like cURL won't do it, and Javascript has the obvious down
 side.

 I'm afraid the only way to do this may be to validate everything, pass
 the values off to a confirmation page, where the user has to hit
 Proceed, and *that* page goes directly to the secure server with its
 POST payload.

That might actually be the best solution because it's the most
transparent, from the user's point-of-view. A 307 is going to cause
many browsers to pop up a confirmation dialog, which will freak some
users out -- and will break people's flow a lot more than would a
smoothly-executed two-stage submit.

Ben

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] POST without POSTing

[Paul M Foster]

I'm sure this has been covered before, but I'm not even sure how to
search in the archives for it.

I have a form that collects certain info via POST. It is re-entrant, so
when the user hits the submit button, it checks the input and does
whatever sanity checks it needs to. If all is okay, it must now pass
some of that info to another URL (offsite) via POST. Normally, the
information would be passed via a series of GET variables or SESSION
variables. But in this case the site the user is being directed to must
receive the information via POST.

I'm not sure how to do this. Please no exotic external libraries my
shared hosting provider doesn't include. RTFM will be fine; just tell me
which Fine Manual to Read.

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Daniel Brown]

On Wed, Sep 30, 2009 at 23:29, Paul M Foster pa...@quillandmouse.com wrote:

 I'm not sure how to do this. Please no exotic external libraries my
 shared hosting provider doesn't include. RTFM will be fine; just tell me
 which Fine Manual to Read.

Nothing too exotic at all, Paul.  Check out cURL:

http://php.net/curl

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Paul M Foster]

On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:

 On Wed, Sep 30, 2009 at 23:29, Paul M Foster pa...@quillandmouse.com wrote:
 
  I'm not sure how to do this. Please no exotic external libraries my
  shared hosting provider doesn't include. RTFM will be fine; just tell me
  which Fine Manual to Read.
 
 Nothing too exotic at all, Paul.  Check out cURL:
 
 http://php.net/curl

I was afraid you were going to say that, and I wasn't sure cURL was
supported on that server. But I just loaded phpinfo on that server, and
it is supported.

However, assuming it *wasn't*, I've found the following example from a
google search (thank goodness for google's hinting or I couldn't have
found it):

$fp = fsockopen(www.site.com, 80);
fputs($fp, POST /script.php HTTP/1.0
Host: www.site.com
Content-Length: 7

q=proxy);

I don't know much about doing things this way. It appears that when done
this way, the body must be separated by a newline, just like email.
And it appears that the content-length of 7 indicates the length of the
q=proxy string. Assuming I piled on a few other passed variables the
same way as q, separated by newlines (and adjusted the Content-Length
accordingly), would the above work? Are there liabilities to doing it
this way?

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Daniel Brown]

On Thu, Oct 1, 2009 at 00:16, Paul M Foster pa...@quillandmouse.com wrote:

 However, assuming it *wasn't*, I've found the following example from a
 google search (thank goodness for google's hinting or I couldn't have
 found it):

 $fp = fsockopen(www.site.com, 80);
 fputs($fp, POST /script.php HTTP/1.0
 Host: www.site.com
 Content-Length: 7

 q=proxy);

 I don't know much about doing things this way. It appears that when done
 this way, the body must be separated by a newline, just like email.
 And it appears that the content-length of 7 indicates the length of the
 q=proxy string. Assuming I piled on a few other passed variables the
 same way as q, separated by newlines (and adjusted the Content-Length
 accordingly), would the above work? Are there liabilities to doing it
 this way?

Yes.  Hosts are more likely to have cURL installed and available
than fsockopen() or URL-based fopen() calls, so portability is greater
with cURL.  It's also a bit faster.  Still, as you know, there's
always more than one way to skin a cute, furry, delicious little
kitten.

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Lars Torben Wilson]

On Thu, 1 Oct 2009 00:16:27 -0400
Paul M Foster pa...@quillandmouse.com wrote:

 On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:
 
  On Wed, Sep 30, 2009 at 23:29, Paul M Foster
  pa...@quillandmouse.com wrote:
  
   I'm not sure how to do this. Please no exotic external libraries
   my shared hosting provider doesn't include. RTFM will be fine;
   just tell me which Fine Manual to Read.
  
  Nothing too exotic at all, Paul.  Check out cURL:
  
  http://php.net/curl
 
 I was afraid you were going to say that, and I wasn't sure cURL was
 supported on that server. But I just loaded phpinfo on that server,
 and it is supported.
 
 However, assuming it *wasn't*, I've found the following example from a
 google search (thank goodness for google's hinting or I couldn't
 have found it):
 
 $fp = fsockopen(www.site.com, 80);
 fputs($fp, POST /script.php HTTP/1.0
 Host: www.site.com
 Content-Length: 7
 
 q=proxy);
 
 I don't know much about doing things this way. It appears that when
 done this way, the body must be separated by a newline, just like
 email. And it appears that the content-length of 7 indicates the
 length of the q=proxy string. Assuming I piled on a few other
 passed variables the same way as q, separated by newlines (and
 adjusted the Content-Length accordingly), would the above work? Are
 there liabilities to doing it this way?
 
 Paul
 

Not separated by newlines; separated by ampersands. But otherwise,
that's just raw HTTP 1.1 protocol. cURL and other tools might look a bit
more complicated at first, but (assuming they're available) they do
shield you from the raw protocol a bit. No real liability to doing it
that way other than it's a bit more work.

http://developers.sun.com/mobility/midp/ttips/HTTPPost/


Regards,

Torben

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Paul M Foster]

On Thu, Oct 01, 2009 at 12:24:41AM -0400, Daniel Brown wrote:

 On Thu, Oct 1, 2009 at 00:16, Paul M Foster pa...@quillandmouse.com wrote:
 
  However, assuming it *wasn't*, I've found the following example from a
  google search (thank goodness for google's hinting or I couldn't have
  found it):
 
  $fp = fsockopen(www.site.com, 80);
  fputs($fp, POST /script.php HTTP/1.0
  Host: www.site.com
  Content-Length: 7
 
  q=proxy);
 
  I don't know much about doing things this way. It appears that when done
  this way, the body must be separated by a newline, just like email.
  And it appears that the content-length of 7 indicates the length of the
  q=proxy string. Assuming I piled on a few other passed variables the
  same way as q, separated by newlines (and adjusted the Content-Length
  accordingly), would the above work? Are there liabilities to doing it
  this way?
 
 Yes.  Hosts are more likely to have cURL installed and available
 than fsockopen() or URL-based fopen() calls, so portability is greater
 with cURL.  It's also a bit faster.  Still, as you know, there's
 always more than one way to skin a cute, furry, delicious little
 kitten.

fsockopen() appears to be part of the standard network functions in PHP,
like the header() function. Do you mean that many hosts support the
function (as part of PHP) but don't support its use with external hosts?
Is there a way to determine this support from looking at phpinfo()?

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Daniel Brown]

On Thu, Oct 1, 2009 at 00:41, Paul M Foster pa...@quillandmouse.com wrote:

 fsockopen() appears to be part of the standard network functions in PHP,
 like the header() function. Do you mean that many hosts support the
 function (as part of PHP) but don't support its use with external hosts?
 Is there a way to determine this support from looking at phpinfo()?

fsockopen() is a socket function, as the name suggests.  Hosts can
disable the usage of sockets.  In fact, check Google and you'll see
several folks complaining of their host having it disabled.

As for fopen(), there's a php.ini value `allow_url_fopen` that a
lot of hosts have set to 'no,' I'm sure with the intent to increase
security but when you can still use cURL and exec('wget'), it kind
of defeats the purpose.

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] POST without POSTing

[Lars Torben Wilson]

On Thu, 1 Oct 2009 00:24:41 -0400
Daniel Brown danbr...@php.net wrote:

 On Thu, Oct 1, 2009 at 00:16, Paul M Foster pa...@quillandmouse.com
 wrote:
 
  However, assuming it *wasn't*, I've found the following example
  from a google search (thank goodness for google's hinting or I
  couldn't have found it):
 
  $fp = fsockopen(www.site.com, 80);
  fputs($fp, POST /script.php HTTP/1.0
  Host: www.site.com
  Content-Length: 7
 
  q=proxy);
 
  I don't know much about doing things this way. It appears that when
  done this way, the body must be separated by a newline, just like
  email. And it appears that the content-length of 7 indicates the
  length of the q=proxy string. Assuming I piled on a few other
  passed variables the same way as q, separated by newlines (and
  adjusted the Content-Length accordingly), would the above work? Are
  there liabilities to doing it this way?
 
 Yes.  Hosts are more likely to have cURL installed and available
 than fsockopen() or URL-based fopen() calls, so portability is greater
 with cURL.  It's also a bit faster.  Still, as you know, there's
 always more than one way to skin a cute, furry, delicious little
 kitten.
 

I stand corrected on that point--in that way, yes, it would be a
liability. Happily it's been so long since I've had to use that kind of
host that I don't usually consider that a problem. But yes, if you're
using free or low-end hosting then you might have to contend with that.
Ugly, but true.


Torben

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php