Re: [PHP] POST without POSTing
- Original Message
From: Daniel Brown danbr...@php.net
To: Paul M Foster pa...@quillandmouse.com
Cc: php-general@lists.php.net
Sent: Wednesday, September 30, 2009 9:58:18 PM
Subject: Re: [PHP] POST without POSTing

> On Thu, Oct 1, 2009 at 00:41, Paul M Foster wrote:
>
> > fsockopen() appears to be part of the standard network functions in PHP, like the header() function. Do you mean that many hosts support the function (as part of PHP) but don't support its use with external hosts? Is there a way to determine this support from looking at phpinfo()?
>
> fsockopen() is a socket function, as the name suggests. Hosts can disable the usage of sockets. In fact, check Google and you'll see several folks complaining of their host having it disabled.

If the service provider uses jails on *BSD, then sockets are definitely disabled for security reasons. They don't want you to hack into other people's jail(s) ;)

> As for fopen(), there's a php.ini value `allow_url_fopen` that a lot of hosts have set to 'no,' I'm sure with the intent to increase security but when you can still use cURL and exec('wget'), it kind of defeats the purpose.
>
> --
> daniel.br...@parasane.net || danbr...@php.net
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] POST without POSTing
Paul M Foster pa...@quillandmouse.com wrote on 09/30/2009 09:29:17 PM:

> [PHP] POST without POSTing
> Paul M Foster to: php-general 09/30/2009 09:31 PM
>
> I have a form that collects certain info via POST. It is re-entrant, so when the user hits the submit button, it checks the input and does whatever sanity checks it needs to. If all is okay, it must now pass some of that info to another URL (offsite) via POST.
>
> Normally, the information would be passed via a series of GET variables or SESSION variables. But in this case the site the user is being directed to must receive the information via POST.

Google posttohost rasmus. It's a classic from the Master at the turn of the century ;)

Kirk
Re: [PHP] POST without POSTing
On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:

> On Wed, Sep 30, 2009 at 23:29, Paul M Foster pa...@quillandmouse.com wrote:
>
> > I'm not sure how to do this. Please no exotic external libraries my shared hosting provider doesn't include. RTFM will be fine; just tell me which Fine Manual to Read.
>
> Nothing too exotic at all, Paul. Check out cURL:
>
> http://php.net/curl

Okay, I've figured out how to shove the data through cURL to the receiving URL, but then it occurred to me that the client browser must go there *as well*. Will curl_exec() do that on its own, or is there a parameter I need to feed it?

Paul

--
Paul M. Foster
Re: [PHP] POST without POSTing
On Thu, Oct 1, 2009 at 16:14, Paul M Foster pa...@quillandmouse.com wrote:

> Okay, I've figured out how to shove the data through cURL to the receiving URL, but then it occurred to me that the client browser must go there *as well*. Will curl_exec() do that on its own, or is there a parameter I need to feed it?

So you need to have the *client* post the information? You may want to look into a JavaScript solution, like an onload/document.form.post action.

--
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] POST without POSTing
On Thu, Oct 01, 2009 at 04:23:46PM -0400, Daniel Brown wrote:

> On Thu, Oct 1, 2009 at 16:14, Paul M Foster pa...@quillandmouse.com wrote:
>
> > Okay, I've figured out how to shove the data through cURL to the receiving URL, but then it occurred to me that the client browser must go there *as well*. Will curl_exec() do that on its own, or is there a parameter I need to feed it?
>
> So you need to have the *client* post the information? You may want to look into a JavaScript solution, like an onload/document.form.post action.

Javascript would be a bad solution. If the user has this turned off, they can't use the site.

Let me be less opaque. This is a page where a user will fill in some personal information, and then select an amount to donate to this cause. The intent is to pass some information that the merchant service company needs (like merchant number and item selected) to their secure URL.

The problem is that, before I just pass the information off to them, I want to make sure the user has properly filled out this form. So I have to validate it. That's done in the background on the server, naturally. But once the validating is done, it's time to send the user off to the secure site with a payload of POST variables. At that point, the user will enter credit card info and such, and continue the transaction.

So I need to find a way to direct the user's browser to the secure site with their payload of POST variables. The more I look at this, the more it looks like cURL won't do it, and Javascript has the obvious down side.

I'm afraid the only way to do this may be to validate everything, pass the values off to a confirmation page, where the user has to hit Proceed, and *that* page goes directly to the secure server with its POST payload.

If anyone has a better idea, let me know. Hopefully I've explained it adequately to make the problem clear.

Paul

--
Paul M. Foster
Re: [PHP] POST without POSTing
> to make sure the user has properly filled out this form. So I have to validate it. That's done in the background on the server, naturally. But once the validating is done, it's time to send the user off to the secure site with a payload of POST variables. At that point, the user will enter credit card info and such, and continue the transaction.

You're describing what a 307 redirect is supposed to accomplish:

header("Location: $secure_url", TRUE, 307);

But I've heard that not all browsers comply with the HTTP spec on this point. Might be worth testing a bit, though -- maybe your typical audience doesn't tend to use non-compliant browsers.

> So I need to find a way to direct the user's browser to the secure site with their payload of POST variables. The more I look at this, the more it looks like cURL won't do it, and Javascript has the obvious down side. I'm afraid the only way to do this may be to validate everything, pass the values off to a confirmation page, where the user has to hit Proceed, and *that* page goes directly to the secure server with its POST payload.

That might actually be the best solution because it's the most transparent, from the user's point-of-view. A 307 is going to cause many browsers to pop up a confirmation dialog, which will freak some users out -- and will break people's flow a lot more than would a smoothly-executed two-stage submit.

Ben
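The two-stage submit discussed in this message, as an added example that is not code from any poster in the thread: after server-side validation, the confirmation page carries the values as hidden fields in a form that posts straight to the processor. The function name render_confirmation(), the gateway URL and the field names are hypothetical.

```php
<?php
// Added example: render_confirmation(), the URL and field names are hypothetical.

function render_confirmation(string $secureUrl, array $validated): string
{
    // The payload continues to card entry, so only accept an HTTPS target.
    if (parse_url($secureUrl, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('Gateway URL must be https');
    }
    // Escape everything written into HTML attributes, including field names.
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

    $inputs = '';
    foreach ($validated as $name => $value) {
        $inputs .= sprintf(
            "  <input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            $esc((string) $name),
            $esc((string) $value)
        );
    }

    // Hidden fields travel through the browser, so the user can still change
    // them before pressing Proceed; validation here cannot bind the receiver.
    return "<form method=\"post\" action=\"" . $esc($secureUrl) . "\">\n"
         . $inputs
         . "  <p>You are about to continue to the payment processor.</p>\n"
         . "  <input type=\"submit\" value=\"Proceed\">\n"
         . "</form>\n";
}

// Constructed sample values; the quote and angle brackets show the escaping.
echo render_confirmation('https://gateway.example/pay', [
    'merchant_id' => 'M-0000',
    'item'        => 'donation',
    'amount'      => '25.00',
    'donor_name'  => 'Pat "<b>" O\'Neil',
]);
```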
[PHP] POST without POSTing
I'm sure this has been covered before, but I'm not even sure how to search in the archives for it.

I have a form that collects certain info via POST. It is re-entrant, so when the user hits the submit button, it checks the input and does whatever sanity checks it needs to. If all is okay, it must now pass some of that info to another URL (offsite) via POST.

Normally, the information would be passed via a series of GET variables or SESSION variables. But in this case the site the user is being directed to must receive the information via POST.

I'm not sure how to do this. Please no exotic external libraries my shared hosting provider doesn't include. RTFM will be fine; just tell me which Fine Manual to Read.

Paul

--
Paul M. Foster
Re: [PHP] POST without POSTing
On Wed, Sep 30, 2009 at 23:29, Paul M Foster pa...@quillandmouse.com wrote:

> I'm not sure how to do this. Please no exotic external libraries my shared hosting provider doesn't include. RTFM will be fine; just tell me which Fine Manual to Read.

Nothing too exotic at all, Paul. Check out cURL:

http://php.net/curl

--
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] POST without POSTing
On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:

> On Wed, Sep 30, 2009 at 23:29, Paul M Foster pa...@quillandmouse.com wrote:
>
> > I'm not sure how to do this. Please no exotic external libraries my shared hosting provider doesn't include. RTFM will be fine; just tell me which Fine Manual to Read.
>
> Nothing too exotic at all, Paul. Check out cURL:
>
> http://php.net/curl

I was afraid you were going to say that, and I wasn't sure cURL was supported on that server. But I just loaded phpinfo on that server, and it is supported.

However, assuming it *wasn't*, I've found the following example from a google search (thank goodness for google's hinting or I couldn't have found it):

$fp = fsockopen("www.site.com", 80);
fputs($fp, "POST /script.php HTTP/1.0\r\nHost: www.site.com\r\nContent-Length: 7\r\n\r\nq=proxy");

I don't know much about doing things this way. It appears that when done this way, the body must be separated by a newline, just like email. And it appears that the content-length of 7 indicates the length of the q=proxy string. Assuming I piled on a few other passed variables the same way as q, separated by newlines (and adjusted the Content-Length accordingly), would the above work? Are there liabilities to doing it this way?

Paul

--
Paul M. Foster
Re: [PHP] POST without POSTing
On Thu, Oct 1, 2009 at 00:16, Paul M Foster pa...@quillandmouse.com wrote:

> However, assuming it *wasn't*, I've found the following example from a google search (thank goodness for google's hinting or I couldn't have found it):
>
> $fp = fsockopen("www.site.com", 80);
> fputs($fp, "POST /script.php HTTP/1.0\r\nHost: www.site.com\r\nContent-Length: 7\r\n\r\nq=proxy");
>
> I don't know much about doing things this way. It appears that when done this way, the body must be separated by a newline, just like email. And it appears that the content-length of 7 indicates the length of the q=proxy string. Assuming I piled on a few other passed variables the same way as q, separated by newlines (and adjusted the Content-Length accordingly), would the above work? Are there liabilities to doing it this way?

Yes. Hosts are more likely to have cURL installed and available than fsockopen() or URL-based fopen() calls, so portability is greater with cURL. It's also a bit faster. Still, as you know, there's always more than one way to skin a cute, furry, delicious little kitten.

--
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] POST without POSTing
On Thu, 1 Oct 2009 00:16:27 -0400 Paul M Foster pa...@quillandmouse.com wrote:

> On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:
>
> > On Wed, Sep 30, 2009 at 23:29, Paul M Foster pa...@quillandmouse.com wrote:
> >
> > > I'm not sure how to do this. Please no exotic external libraries my shared hosting provider doesn't include. RTFM will be fine; just tell me which Fine Manual to Read.
> >
> > Nothing too exotic at all, Paul. Check out cURL:
> >
> > http://php.net/curl
>
> I was afraid you were going to say that, and I wasn't sure cURL was supported on that server. But I just loaded phpinfo on that server, and it is supported.
>
> However, assuming it *wasn't*, I've found the following example from a google search (thank goodness for google's hinting or I couldn't have found it):
>
> $fp = fsockopen("www.site.com", 80);
> fputs($fp, "POST /script.php HTTP/1.0\r\nHost: www.site.com\r\nContent-Length: 7\r\n\r\nq=proxy");
>
> I don't know much about doing things this way. It appears that when done this way, the body must be separated by a newline, just like email. And it appears that the content-length of 7 indicates the length of the q=proxy string. Assuming I piled on a few other passed variables the same way as q, separated by newlines (and adjusted the Content-Length accordingly), would the above work? Are there liabilities to doing it this way?
>
> Paul

Not separated by newlines; separated by ampersands. But otherwise, that's just raw HTTP 1.1 protocol. cURL and other tools might look a bit more complicated at first, but (assuming they're available) they do shield you from the raw protocol a bit. No real liability to doing it that way other than it's a bit more work.

http://developers.sun.com/mobility/midp/ttips/HTTPPost/

Regards,

Torben
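The raw request discussed in this exchange, as an added example that is not code from any poster in the thread: fields are URL-encoded and joined with ampersands, Content-Length is computed from the body, and a blank line separates headers from body. The function names build_post_request() and send_post() and the second field are hypothetical; the host and path are the ones in the quoted snippet.

```php
<?php
// Added example: build_post_request() and send_post() are hypothetical names.

function build_post_request(string $host, string $path, array $fields): string
{
    // Refuse whitespace (including CR/LF) in anything placed in the request
    // line or headers, so supplied values cannot inject extra header lines.
    if (preg_match('/\s/', $host . $path)) {
        throw new InvalidArgumentException('Whitespace in host or path');
    }
    // http_build_query() URL-encodes each value and joins the pairs with "&".
    $body = http_build_query($fields, '', '&');

    return "POST $path HTTP/1.0\r\n"
         . "Host: $host\r\n"
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . "Content-Length: " . strlen($body) . "\r\n"  // length in bytes
         . "Connection: close\r\n"
         . "\r\n"                                        // blank line ends headers
         . $body;
}

function send_post(string $host, string $path, array $fields, int $timeout = 10): string
{
    // Port 80 as in the quoted snippet: the fields cross the network unencrypted.
    $fp = @fsockopen($host, 80, $errno, $errstr, $timeout);
    if ($fp === false) {
        throw new RuntimeException("Connect to $host failed: $errstr ($errno)");
    }
    stream_set_timeout($fp, $timeout);
    fwrite($fp, build_post_request($host, $path, $fields));
    $response = stream_get_contents($fp);
    fclose($fp);
    return $response === false ? '' : $response;
}

// Constructed sample input: the thread's q=proxy plus a value that needs encoding.
echo build_post_request('www.site.com', '/script.php', [
    'q'    => 'proxy',
    'note' => 'a&b=c d',
]);
```

With only q=proxy the computed Content-Length is 7, matching the quoted snippet; the second field shows why values containing "&" or "=" have to be encoded before they are joined.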
Re: [PHP] POST without POSTing
On Thu, Oct 01, 2009 at 12:24:41AM -0400, Daniel Brown wrote:

> On Thu, Oct 1, 2009 at 00:16, Paul M Foster pa...@quillandmouse.com wrote:
>
> > However, assuming it *wasn't*, I've found the following example from a google search (thank goodness for google's hinting or I couldn't have found it):
> >
> > $fp = fsockopen("www.site.com", 80);
> > fputs($fp, "POST /script.php HTTP/1.0\r\nHost: www.site.com\r\nContent-Length: 7\r\n\r\nq=proxy");
> >
> > I don't know much about doing things this way. It appears that when done this way, the body must be separated by a newline, just like email. And it appears that the content-length of 7 indicates the length of the q=proxy string. Assuming I piled on a few other passed variables the same way as q, separated by newlines (and adjusted the Content-Length accordingly), would the above work? Are there liabilities to doing it this way?
>
> Yes. Hosts are more likely to have cURL installed and available than fsockopen() or URL-based fopen() calls, so portability is greater with cURL. It's also a bit faster. Still, as you know, there's always more than one way to skin a cute, furry, delicious little kitten.

fsockopen() appears to be part of the standard network functions in PHP, like the header() function. Do you mean that many hosts support the function (as part of PHP) but don't support its use with external hosts? Is there a way to determine this support from looking at phpinfo()?

Paul

--
Paul M. Foster
Re: [PHP] POST without POSTing
On Thu, Oct 1, 2009 at 00:41, Paul M Foster pa...@quillandmouse.com wrote:

> fsockopen() appears to be part of the standard network functions in PHP, like the header() function. Do you mean that many hosts support the function (as part of PHP) but don't support its use with external hosts? Is there a way to determine this support from looking at phpinfo()?

fsockopen() is a socket function, as the name suggests. Hosts can disable the usage of sockets. In fact, check Google and you'll see several folks complaining of their host having it disabled.

As for fopen(), there's a php.ini value `allow_url_fopen` that a lot of hosts have set to 'no,' I'm sure with the intent to increase security but when you can still use cURL and exec('wget'), it kind of defeats the purpose.

--
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] POST without POSTing
On Thu, 1 Oct 2009 00:24:41 -0400 Daniel Brown danbr...@php.net wrote:

> On Thu, Oct 1, 2009 at 00:16, Paul M Foster pa...@quillandmouse.com wrote:
>
> > However, assuming it *wasn't*, I've found the following example from a google search (thank goodness for google's hinting or I couldn't have found it):
> >
> > $fp = fsockopen("www.site.com", 80);
> > fputs($fp, "POST /script.php HTTP/1.0\r\nHost: www.site.com\r\nContent-Length: 7\r\n\r\nq=proxy");
> >
> > I don't know much about doing things this way. It appears that when done this way, the body must be separated by a newline, just like email. And it appears that the content-length of 7 indicates the length of the q=proxy string. Assuming I piled on a few other passed variables the same way as q, separated by newlines (and adjusted the Content-Length accordingly), would the above work? Are there liabilities to doing it this way?
>
> Yes. Hosts are more likely to have cURL installed and available than fsockopen() or URL-based fopen() calls, so portability is greater with cURL. It's also a bit faster. Still, as you know, there's always more than one way to skin a cute, furry, delicious little kitten.

I stand corrected on that point--in that way, yes, it would be a liability. Happily it's been so long since I've had to use that kind of host that I don't usually consider that a problem. But yes, if you're using free or low-end hosting then you might have to contend with that. Ugly, but true.

Torben