I'm trying to send data with curl to my PHP file and then I can do all the other actions like hashing password/data with salt, running database queries eco. It seems to work fine, but there's only one problem. I'm not sure how to secure it, with an authorization token for example. I want to be able to query data from my PHP file using the written application only. I can see how this would become a problem, if people had access to the link through web browser for example.
I've included my code below, if someone needs something similar.
main.cpp
#include <iostream>
#include <stdlib.h>
#include <stdio.h>
#include <curl/curl.h>
#include <sha.h>
#include <hex.h>
using namespace std;
using namespace CryptoPP;
size_t size = 0;
size_t write_to_string(void *ptr, size_t size, size_t count, void *stream) {
((string*)stream)->append((char*)ptr, 0, size*count);
return size*count;
}
template <class T>
string QueryDB(initializer_list<T> list) // Use initialize_list to query an undefined number of params
{
CURL *curl;
CURLcode res;
string submitdata = "", query_result;
int i = 1;
for (auto elem : list) // For each param append to the submitdata string
{
if (i == 1) { // If first param, we append "?"
string d = "?" + to_string(i) + "=" + elem;
submitdata.append(d);
} else if (i > 1) { // If not first param, we append "&" as it's the second, third, fourth ... param
string d = "&" + to_string(i) + "=" + elem;
submitdata.append(d);
}
i++;
}
curl_global_init(CURL_GLOBAL_ALL);
curl = curl_easy_init();
if (curl)
{
string loginurl = string("http://localhost/login.php");
curl_easy_setopt(curl, CURLOPT_USERPWD, "randomhttpuser:randomhttppassword");
curl_easy_setopt(curl, CURLOPT_URL, (loginurl + submitdata).c_str());
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_string);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &query_result);
curl_easy_setopt(curl, CURLOPT_TIMEOUT, 20L);
res = curl_easy_perform(curl);
if (res != CURLE_OK)
fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
curl_easy_cleanup(curl);
}
else {
query_result = "CONNECTION FAILED";
}
curl_global_cleanup();
return query_result;
}
string SHA256Hash(string input)
{
SHA256 hash;
string hashed_input;
StringSource ss(input, true, new HashFilter(hash, new HexEncoder(new StringSink(hashed_input))));
return hashed_input;
}
int main()
{
string username = "testuser";
string raw_password = "testpass";
// Hash password and send it as a query to PHP file
// query_result will hold the value of REQUEST response
auto hashed_password = SHA256Hash(raw_password);
auto query_result = QueryDB({ username, hashed_password });
cout << "=========================================== [ POST ] ===========================================" << endl;
cout << "User: " << username.c_str() << endl;
cout << "Raw Password: " << raw_password.c_str() << endl;
cout << "Hashed password: " << hashed_password.c_str() << endl;
cout << "========================================== [ REQUEST ] =========================================" << endl;
cout << query_result.c_str() << endl;
Sleep(15 * 1000);
return 0;
}
login.php
<?php
$reqparams = array();
function AddStringToArray($name,$string) {
global $reqparams;
$reqparams[$name] = $string;
}
/* Check if specified param exists in reqparams array */
function GetRequestParam($value) {
global $reqparams;
if (array_key_exists($value, $reqparams)) {
$returnvalue = $reqparams[$value];
} else {
$returnvalue = "INVALID PARAMETER";
}
return $returnvalue;
}
$authuser = "randomhttpuser";
$authpw = "randomhttppassword";
$authorized = False;
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Failed to authorize!';
exit;
} else {
if($_SERVER['PHP_AUTH_USER'] == $authuser && $_SERVER['PHP_AUTH_PW'] == $authpw)
{
$authorized = True;
} else {
$authorized = False;
die('Failed to authorize!');
}
}
if($authorized == True)
{
/* Store each REQUEST and it's value in the $reqparams array using AddStringToArray function */
foreach ($_REQUEST as $key => $value)
{
$value = addslashes($value);
$value = strip_tags($value);
AddStringToArray($key, $value);
}
/* You should remember in which order you called the params in your REQUEST query or if you really want, you can just use:
$variable = $_REQUEST['param_name'];
However, if an undefined param is specified, it will result in an warning and ruin your output, if you manually parse it */
$user = GetRequestParam(1);
$pass = GetRequestParam(2);
/* GetRequestParam returns 'INVALID_PARAMETER' instead of a warning that an undefined param was requested */
$invalid_param = GetRequestParam(42);
/* Re-hash password with a salt that's stored in the PHP file only, before using or comparing it to the value stored in database or doing whatever else */
$salt = $user . $pass . "secretkey42";
$salt_hashed_passsword = strtoupper(hash('sha256', $salt));
echo "User: $user";
echo "\nHashed Password: $salt_hashed_passsword (Salt)";
}
?>
Edit: I could use HTTP header, but isn't it possible to reverse my application and abuse it?
Edit: I currently decided to use HTTP authentication as a temporary measure.
I stored a random generated username and password in my PHP file and compare them to the PHP_AUTH_USER/PW which are sent in the HTTP header from my cpp application using CURLOPT_USERPWD:
curl_easy_setopt(curl, CURLOPT_USERPWD, "randomhttpusername:randomhttppassword");
Hopefully, this will at least make it a bit harder for the hacker. First he will have to RE my application to get the the user/password and even after that he can only query the response if password belongs to specified user or not - since most of my queries are hard coded. You could even store the number of failed logins and temporarily ban him for x amount of time. Rest of the queries are made after login returns true.
I've also updated the code above to use the changes I've made and added some comments if you're too lazy to go over the code line-by-line. Feel free to give me some tips on how to improve the code or optimize for better use.
From what I understood, you want to implement a some sort of login system using auth tokens. In this case, OAuth can do the job. Here's a tutorial written on SitePoint that can guide you through the process.
Related
Im trying to get my c++ app to authenticate user/pass against a web database. To do so, I have a simple html form for user/pass which triggers the authentication php script.
Im having a hard time understanding cURL since im a complete noob on it.
Right now, I'm able to send data to the html form, but i dont even know if im doing properly.
Ideally, I would like you to teach me how to do it, and how to read a response. I mean, if the login goes right, how do i get c++ to know it?
All the code i have:
HTML
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<form method="post" action="check.php">
<input type="text" name="uname"/>
<input type="password" name="password"/>
<input type="submit"/>
</form>
</html>
PHP
<?php
$fileDir = '/var/www/html/forums/';
require($fileDir . '/src/XF.php');
XF::start($fileDir);
$app = \XF::setupAPP('XF\App');
$username = $_POST['uname']; $password = $_POST['password'];
$ip = $app->request->getIp();
$loginService = $app->service('XF:User\Login', $username, $ip);
$userValidate = $loginService->validate($password, $error);
if(!$userValidate)
{
//Not good pass / user
$data = ['validated' => false];
}
else $data = ['validated' => true];
header('Content-type: application/json');
echo json_encode($data);
?>
C++
#include "stdafx.h"
#include <iostream>
#include <stdio.h>
#include <curl/curl.h>
using namespace std;
int main()
{
char username[20];
char password[25];
cout << "Username: ";
cin >> username;
cout << "Password: ";
cin >> password;
/*------------------------------------------*/
CURL *curl;
CURLcode res;
curl_global_init(CURL_GLOBAL_ALL);
curl = curl_easy_init();
if (curl) {
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_URL, "https://localhost/index.hmtl");
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, "uname=?&password=?", username, password);
res = curl_easy_perform(curl);
if (res != CURLE_OK) {
fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
}
curl_easy_cleanup(curl);
}
curl_global_cleanup();
}
EDIT: WORKING SOLUTION
#include "stdafx.h"
#include <iostream>
#include <stdio.h>
#include <string>
#include <curl/curl.h>
using namespace std;
string urlencode(const string &str) {
char *escaped = curl_escape(str.c_str(), str.length());
if (escaped == NULL) throw runtime_error("curl_escape failed!");
string ret = escaped;
curl_free(escaped);
return ret;
}
size_t my_write_function(const void * indata, const size_t size, const size_t count, void *out) {
(*(string*)out).append((const char*)indata, size*count);
return size * count;
}
int main()
{
string username;
string password;
cout << "Username: ";
getline(cin, username);
cout << "Password: ";
getline(cin, password);
/*------------------------------------------*/
CURL *curl;
CURLcode res;
curl_global_init(CURL_GLOBAL_ALL);
curl = curl_easy_init();
if (curl) {
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_URL, "https://urlto/index.html");
curl_easy_setopt(curl, CURLOPT_COPYPOSTFIELDS, string("uname=" + urlencode(username) + "&password=" + urlencode(password)).c_str());
string response;
curl_easy_setopt(curl, CURLOPT_URL, "https://urlto/check.php");
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, my_write_function);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
res = curl_easy_perform(curl);
//cout << "Response from website: " << response << endl;
if (response.find("true") == string::npos) {
cout << "Failed to login";
}
else cout << "Log in successful";
if (res != CURLE_OK) {
fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
}
curl_easy_cleanup(curl);
}
curl_global_cleanup();
}
i dont even know if im doing properly. - well, there's certainly a couple of bugs in your code,
first, what do you think happens if the username is longer than 20 bytes, or the password is longer than 25 bytes? try
string username;
getline(cin, username);
instead. c++ will keep increasing the size of username as needed until you run out of ram, as it should be.
and i see you're using CURLOPT_POSTFIELDS (and wrongly), until you know what you're doing, i recommend you use CURLOPT_COPYPOSTFIELDS instead. (btw i pretty much always use COPYPOSTFIELDS myself) this line is wrong:
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, "uname=?&password=?", username, password);`
because curl_easy_setopt() only accepts 3 parameters, but you're trying to give it 5. i don't think that will even compile, but even if it does, it certainly shouldn't work at runtime.
try instead something like:
string urlencode(const string& str)
{
char *escaped = curl_escape(str.c_str(), str.length());
if (unlikely(escaped==NULL))
{
throw runtime_error("curl_escape failed!");
}
string ret = escaped;
curl_free(escaped);
return ret;
}
curl_easy_setopt(curl, CURLOPT_COPYPOSTFIELDS, string("uname="+urlencode(username)+"&password="+urlencode(password)).c_str());
as for reading (and capturing) the output, there's lots of ways to do it, but how about hooking the CURLOPT_WRITEFUNCTION? that tends to work, something like:
size_t my_write_function( const void * indata, const size_t size, const size_t count, void *out){
(*(string*)out).append((const char*)indata,size*count);
return size*count;
}
then
string response;
curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,my_write_function);
curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response);
res = curl_easy_perform(curl);
cout << "response from website: " << response << endl;
now you can check if you logged in or not by check checking for the existence of the string "true" in the response (because it should respond something like {validated:true} if you are), eg
if(response.find("true")==string::npos){
cout << "failed to authenticate!";
}else{
cout << "authenticated successfully!";
}
(and a warning, while it may be tempting to use a lambda callback with CURLOPT_WRITEFUNCTION, it's a trap, c++ lambdas may crash when given to curl as callbacks... been there, done that.)
I am trying to authenticate a Microsoft Teams custom Bot with PHP, following the Microsoft instructions and read de C# example code.
Microsoft Intructions steps:
1. Generate the hmac from the request body of the message. There are standard libraries on most platforms. Microsoft Teams uses standard
SHA256 HMAC cryptography. You will need to convert the body to a byte
array in UTF8.
2. To compute the hash, provide the byte array of the shared secret.
3. Convert the hash to a string using UTF8 encoding.
4. Compare the string value of the generated hash with the value provided in the HTTP request.
I had write a small php script to test this in local:
<?php
//Function to generate C# byte[] equivalent
function unpak_str($val){
$b = unpack('C*', $val);
foreach ($b as $key => $value)
$byte_a .= $value;
return $byte_a;
}
//multi test outputs
function hasher($values=[], &$output){
//my secret share
$secret="ejWiKHgsKY1ZfpJwJ+wIiN4+bgsFad/lkpu9/MWNXgM=";
//diferent test
$secret_64=base64_decode($secret);
$secret_b=unpak_str($secret);
$secret_b_64=unpak_str(base64_decode($secret));
foreach($values as $msg){
$hs = hash_hmac("sha256",$msg,$secret, true);
$hs_64 = hash_hmac("sha256",$msg,$secret_64, true);
$hs_b = hash_hmac("sha256",$msg,$secret_b, true);
$hs_b_64 = hash_hmac("sha256",$msg,$secret_b_64, true);
$output.=base64_encode($hs)." <BR>";
$output.=base64_encode($hs_64)." <BR>";
$output.=base64_encode($hs_b)." <BR>";
$output.=base64_encode($hs_b_64)." <BR>";
}
}
//Get data
$data=file_get_contents('php://input');
//real data request content for test
$data ='{type":"message","id":"1512376018086","timestamp":"2017-12-04T08:26:58.237Z","localTimestamp":"2017-12-04T09:26:58.237+01:00","serviceUrl":"https://smba.trafficmanager.net/emea-client-ss.msg/","channelId":"msteams","from":{"id":"29:1aq6GCrC6lM9dv3YkAYi1gxTPiLnojGFgVr0_Th-2x6DhqmHAOhFwQHFzSyDy5RruXY4_FZjJebKHU7bpxfHpXA","name":"ROBERTO ALONSO FERNANDEZ","aadObjectId":"1e0dc7a0-9d5e-488b-bcf2-7e39c84076b8"},"conversation":{"isGroup":true,"id":"19:9e1c52275dfb4d0b873ddf34eb9f4979#thread.skype;messageid=1512376018086","name":null},"recipient":null,"textFormat":"plain","attachmentLayout":null,"membersAdded":[],"membersRemoved":[],"topicName":null,"historyDisclosed":null,"locale":null,"text":"<at>PandoBot</at> fff","speak":null,"inputHint":null,"summary":null,"suggestedActions":null,"attachments":[{"contentType":"text/html","contentUrl":null,"content":"<div><span itemscope=\"\" itemtype=\"http://schema.skype.com/Mention\" itemid=\"0\">PandoBot</span> fff</div>","name":null,"thumbnailUrl":null}],"entities":[{"type":"clientInfo","locale":"es-ES","country":"ES","platform":"iOS"}],"channelData":{"teamsChannelId":"19:9e1c52275dfb4d0b873ddf34eb9f4979#thread.skype","teamsTeamId":"19:1e04f564ce5e4596bf2f266dbcff439e#thread.skype","channel":{"id":"19:9e1c52275dfb4d0b873ddf34eb9f4979#thread.skype"},"team":{"id":"19:1e04f564ce5e4596bf2f266dbcff439e#thread.skype"},"tenant":{"id":"9744600e-3e04-492e-baa1-25ec245c6f10"}},"action":null,"replyToId":null,"value":null,"name":null,"relatesTo":null,"code":null}';
//generate HMAC hash with diferent $data formats
$test = [$data, unpak_str($data), base64_encode($data), unpak_str(base64_encode($data))];
hasher($test, $output);
//microsoft provided HMAC
$output.="<HR>EW2993goL1q7nGhytIb3jKmV6luXLz15Bq2aYwuCeiE=";
echo $output;
/*
Calculates:
0HsKoHza/QBvdz+nZw9tOti/eSWjyMMt/U77bfDqiE8=
3jSq3I0HNQkjB9QfnnsxC1c3pF5PjqweHlSVcicrShY=
bTQcGVTHX8/Gh4xovnN0WiJUiNaOQwvUZnwyFfiCaJE=
qHBT2Y2ITyoxz2gmBbG8P1CrClvETus6dTffET3bAR8=
8BcrXEQDDi77qgxCZLYyb/6ez8p9Qg2ZhTyZPWkdn/g=
+8RSU5SSJKxqRLKkI+NkTE01xwu6PwPkKKMuvyyUvlo=
PdL5ZpEwcN6Fe5kfX7zeAZLJvt0uLNTzu7lhuoOcr2o=
s6M5pYruEgWeNMEOFfQRjVKQqtPBVaW3TJb2MzObF2c=
xOTLhddbAwczQVneuTDQhPzmoIXGQljpf27c+hlhQII=
aUMm5b2sKfmwGZOglfiu228fWqoLlwjc7z1QRdIbakE=
5a7bAj9tzqhP9l85OvfVasURW0GSV5rykRutFFPO2fk=
kwg6P2LoDL9rc3SSwJxQeoYJzZYlh+FHFefe38UokBM=
eHeAzI7TV6vYDzxTxwyKWxMeVKFiFlIffWRiIMAk6fk=
ZCyj2UppacQOTXogLPMFLDeMArQg03rhhlIwhynDvng=
uQYK+7u9fppb62zXqtVYfkNK9wVawB3g+BlTyu4dc74=
vjOFA3fqpwUx/VO9dQv3XviNhpjTNQsUwaJIwH4JjdY=
------------ MS PROVIDED HMAC ---------------
EW2993goL1q7nGhytIb3jKmV6luXLz15Bq2aYwuCeiE=
*/
I've zero hash matching...
Finally after lots of trial, it maked me crazy and decided to start a new bot with a new secret. Now works fine. I'm human while MS Teams no... I suppos that was my fault with copy/paste but is a really stranger thing and the other hand old bot fails a lot of times with no response and the newest no
Full example validation HMAC in PHP for Microsoft Teams Custom Bot:
<?php
//The secret share with Microsoft Teams
$secret="jond3021g9imMkrt8txF5AVPIwPFouNV/I72cQFii18=";
//get headers
$a = getallheaders();
$provided_hmac=substr($a['Authorization'],5);
//Get data from request
$data=file_get_contents('php://input');
//json decode into array
$json=json_decode($data, true);
//hashing
$hash = hash_hmac("sha256",$data,base64_decode($secret), true);
$calculated_hmac = base64_encode($hash);
//start log var
$log = "\n========".date("Y-m-d H:i:s")."========\n".$provided_hmac."\n".$calculated_hmac."\n";
try{
//compare hashs
if(!hash_equals($provided_hmac,$calculated_hmac))
throw new Exception("No hash matching");
//response text
$txt="Hi {$json["from"]["name"]} welcome to your custom bot";
echo '{
"type": "message",
"text": "'.$txt.'"
}';
$log .= "Sended: {$txt}";
}catch (Exception $e){
$log .= $e->getMessage();
}
//write log
$fp = fopen("log.txt","a");
fwrite($fp, $log . PHP_EOL);
fclose($fp);
I'm not a PHP expert, and your logic to cover all the cases is a bit convoluted, but I'm pretty sure your problem is that you aren't converting the message ($data) from UTF8 before computing the HMAC.
Here's a simple custom echo bot in Node that shows how to compute and validate the HMAC:
const util = require('util');
const crypto = require('crypto');
const sharedSecret = "+ZaRRMC8+mpnfGaGsBOmkIFt98bttL5YQRq3p2tXgcE=";
const bufSecret = Buffer(sharedSecret, "base64");
var http = require('http');
var PORT = process.env.port || process.env.PORT || 8080;
http.createServer(function(request, response) {
var payload = '';
request.on('data', function (data) {
// console.log("Chunk size: %s bytes", data.length)
payload += data;
});
request.on('end', function() {
try {
// Retrieve authorization HMAC information
var auth = this.headers['authorization'];
// Calculate HMAC on the message we've received using the shared secret
var msgBuf = Buffer.from(payload, 'utf8');
var msgHash = "HMAC " + crypto.createHmac('sha256', bufSecret).update(msgBuf).digest("base64");
console.log("Computed HMAC: " + msgHash);
console.log("Received HMAC: " + auth);
response.writeHead(200);
if (msgHash === auth) {
var receivedMsg = JSON.parse(payload);
var responseMsg = '{ "type": "message", "text": "You typed: ' + receivedMsg.text + '" }';
} else {
var responseMsg = '{ "type": "message", "text": "Error: message sender cannot be authenticated." }';
}
response.write(responseMsg);
response.end();
}
catch (err) {
response.writeHead(400);
return response.end("Error: " + err + "\n" + err.stack);
}
});
}).listen(PORT);
console.log('Listening on port %s', PORT);
You don't need unpack(), or that unpak_str() function (which is also broken because it just overwrites each byte with the next one, not appending them).
Byte arrays are not a thing in PHP - the language doesn't have different string types; how strings are interpreted is entirely up to the functions using them. That is, your shared secret should be just the result of base64_encode($secret).
http://www.universalcard.byethost7.com is my server. Where I kept index.php file. Code is as given below
<?php
if(isset($_GET['username']) && isset($_GET['pin']) && isset($_GET['cost'])) {
$username = $_GET['username'];
$pin = $_GET['pin'];
$cost = $_GET['cost'];
$filecontent = "Username is: ".$username." and PIN is: ".$pin." and cost is: ".$cost."\n";
$filestatus = file_put_contents('uc.txt',$filecontent,FILE_APPEND);
if($filestatus != false )
{
echo "Data written to file..";
}else{
echo "Ohh sorry..";
}
} else {
echo "Something went wrong..";
}
?>
And I want to send a GET request from ESP8266 with Arduino IDE.
In this GET request, I am sending 3 variables 'username' , 'pin' and 'cost' with some values (data type is String). And these values are appending to a file "uc.txt". So when I send a request using a browser, values will append to the text file.
But when I tried to send using ESP8266 it is not appending
Arduino Code is below
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
const char* ssid = "rainbow";
const char* password = "12345678";
const char* host = "universalcard.byethost7.com";
const int httpsPort = 443;
// Use web browser to view and copy
// SHA1 fingerprint of the certificate
//const char* fingerprint = "CF 05 98 89 CA FF 8E D8 5E 5C E0 C2 E4 F7 E6 C3 C7 50 DD 5C";
void setup() {
Serial.begin(115200);
Serial.println();
Serial.print("connecting to ");
Serial.println(ssid);
WiFi.begin(ssid, password);
while (WiFi.status() != WL_CONNECTED) {
delay(500);
Serial.print(".");
}
Serial.println("");
Serial.println("WiFi connected");
Serial.println("IP address: ");
Serial.println(WiFi.localIP());
// Use WiFiClientSecure class to create TLS connection
WiFiClientSecure client;
Serial.print("connecting to ");
Serial.println(host);
if (!client.connect(host, httpsPort)) {
Serial.println("connection failed");
return;
}
String url = "/index.php?username=2bv14is114&pin=5555&cost=1111";
Serial.print("requesting URL: ");
Serial.println(url);
client.print(String("GET ") + url + " HTTP/1.1\r\n" +
"Host: " + host + "\r\n" +
"User-Agent: BuildFailureDetectorESP8266\r\n" +
"Connection: close\r\n\r\n");
Serial.println("request sent");
while (client.connected()) {
String line = client.readStringUntil('\n');
if (line == "\r") {
Serial.println("headers received");
break;
}
}
String line = client.readStringUntil('\n');
if (line.startsWith("{\"state\":\"success\"")) {
Serial.println("esp8266/Arduino CI successfull!");
} else {
Serial.println("esp8266/Arduino CI has failed");
}
Serial.println("reply was:");
Serial.println("==========");
Serial.println(line);
Serial.println("==========");
Serial.println("closing connection");
}
void loop() {
}
And the output in Serial monitor is below
Your host has some sort of protection (maybe against bots), that expects a _test cookie set by JavaScript, if not present.
You could acquire the cookie, by first visiting the site with the browser and copy paste the cookie into your code.
You would need to do it from the same IP, that your ESP8266 will be introduced to the server, since the cookie is IP bound.
In this case you would have a problem, if you have a dynamic IP and also the longevity of the cookie is unknown.
You could also acquire the cookie by parsing the response, but the cookie is AES encrypted and that would be somewhat complicated.
The most sensible solution would be to switch to a host without such protection.
This is a solution to basically the same problem in this and this question.
I am having a really hard time reading character input that is sent through a socket connection to a Qt server application. The data is sent from PHP.
I understand the principles of reading streamdata because I already asked this on stack. I also got it working using a server and client written both in Qt.
The method I use is to append the bytesize of the data i want to send before the actual data. Then when the data comes in, I first read the length parth so that I know exactly how much bytes I have to read in order to have correctly formed data.
it looks like this:
send function:
void Client::sendNewMessage(){
qDebug() << "sendNewMessage()";
QString string(messageLineEdit->text());
QByteArray block;
QDataStream out(&block, QIODevice::WriteOnly);
out.setVersion(QDataStream::Qt_4_0);
out << quint16(0);
out << string;
out.device()->seek(0);
out << (quint16)(block.size() - sizeof(quint16));
tcpSocket->write(block);
}
receive function:
QDataStream in(tcpServerConnection);
in.setVersion(QDataStream::Qt_4_0);
qDebug() << "bytes available = " << tcpServerConnection->bytesAvailable();
if (blockSize == 0) {
int size = (int) sizeof(quint16);
qDebug() << "size = " << size;
if (tcpServerConnection->bytesAvailable() < (int)sizeof(quint16)){
qDebug() << "less bytes than size...";
return;
}
qDebug() << "bytes available=" << tcpServerConnection->bytesAvailable();
in >> blockSize;
}
if (tcpServerConnection->bytesAvailable() < blockSize){
qDebug() << "less bytes available than blocksize, bytes="
<< tcpServerConnection->bytesAvailable();
return;
}
QString data;
in >> data;
qDebug() << "data = " << data;
Okay, this all works so I tried doing it with PHP but it failed
this is one of my attempts:
<?php
$addr = gethostbyname("127.0.0.1");
$client = stream_socket_client("tcp://$addr:*****", $errno, $errorMessage);
if ($client === false) {
throw new UnexpectedValueException("Failed to connect: $errorMessage");
}
$data = 'a';
$datatopost = serialize($data);
fwrite($client, strlen($data));
fwrite($client, base64_encode($data));
echo stream_get_contents($client);
fclose($client);
In Qt I have tried various combinations of quint8, 16, 32, 64, sizeof(char), sizeof(int).
in PHP I have tried serializing the data, encoding it, and also sending it without all that stuff. But i can not get it to work. I must be very close though because the data is actually sent as there are bytes available but I have no idea how to encode/decode correctly for it to work.
After asking various question concerning this topic I do feel that my understanding has gone up a lot but an important piece of information on how to actually do things is still missing for me.
So my question: What is going wrong here and what steps need to be taken to be able to read data from PHP to Qt/C++?
Details are highly apreciated as I really like to know how things work from the inside out.
side-note after sending data from the PHP script, the server sends data back aswel and that works. So the connection is made succesfuly
UPDATE
this is the working php script that actually also receives a reply back:
<?php
if(!($sock = socket_create(AF_INET, SOCK_STREAM, 0)))
{
perror("Could not create socket");
}
echo "Socket created n";
//Connect socket to remote server
if(!socket_connect($sock , '127.0.0.1' , *****))
{
perror("Could not connect");
}
echo "Connection established n";
$message = "aa";
//Send the message to the server
if( ! socket_send ( $sock , $message , strlen($message) , 0))
{
perror("Could not send data");
}
echo "Message send successfully n";
//Now receive reply from server
if(socket_recv ( $sock , $buf , 500 , MSG_WAITALL ) === FALSE)
{
perror("Could not receive data");
}
echo $buf;
///Function to print socket error message
function perror($msg)
{
$errorcode = socket_last_error();
$errormsg = socket_strerror($errorcode);
die("$msg: [$errorcode] $errormsg n");
}
The script reply when executed from browser url:
Socket created nConnection established nMessage send successfully n hello
It's not that surprising the PHP code does not integrate. As mentioned you have to be aware that QDataStream implements a custom serialization. And as also mentioned you probably want to use (read|write)RawData, or (read|write)Bytes, if your reading something not previously serialized with QDataStream in general. However, the general idea of the way your trying to write string data from PHP should be compatible with the way Qt encodes strings (length then a series of characters. That is what the manual says anyway..). But there some issues.
QString is 2Byte Unicode.
PHP Strings are byte arrays of an arbitrary kind of ASCII compatible data - PHP String details.
There is a few things wrong with this bit:
fwrite($client, strlen($data));
fwrite($client, base64_encode($data));
strlen() returns the number of bytes in the underlying storage (which is the actual byte length for a ASCII string). base64_encode() changes the number of bytes in the string. And your assuming fwrite() is writing a four byte integer. Its type casting and writing a string.
We are still guessing at how
QString data;
in >> data;
really works.
General advice is, you've got to carefully define external binary APIs.
Do you need data serialization for this task at all? Your PHP client and Qt server are probably using different formats for it.
Try to send and receive raw data.
Here is a simple QTcpServer exmaple:
class DataReceiver : public QObject
{
Q_OBJECT
public:
explicit DataReceiver(QObject *parent = 0);
public slots:
void start(quint16 port = 9090);
private slots:
void newTcpConnection();
private:
QTcpServer server;
};
DataReceiver::DataReceiver(QObject *parent) :
QObject(parent)
{
connect(&server, SIGNAL(newConnection()), this, SLOT(newTcpConnection()));
}
void DataReceiver::start(quint16 port)
{
bool isOk = server.listen(QHostAddress::Any, port);
if (isOk && server.isListening())
{
qDebug() << "QTcpServer started on port" << port;
}
else
{
qCritical() << "Failed to start QTcpServer";
}
}
void DataReceiver::newTcpConnection()
{
qDebug() << "New incoming connection";
QTcpSocket *socket = server.nextPendingConnection();
QByteArray data;
while (true)
{
QByteArray tmp = socket->readAll();
data += tmp;
if (tmp.isEmpty() && !socket->waitForReadyRead())
{
break;
}
}
socket->deleteLater();
qDebug("Data received: %s (len = %d)", data.constData(), data.length());
}
Launching server:
#include <QCoreApplication>
#include "data_receiver.h"
int main(int argc, char *argv[])
{
QCoreApplication a(argc, argv);
DataReceiver d;
d.start();
return a.exec();
}
You can use a PHP client to send data to it:
<?php
$addr = gethostbyname("127.0.0.1");
$port = 9090;
$data = 'hello from php';
$client = stream_socket_client("tcp://$addr:$port", $errno, $errorMessage);
if ($client === false) {
throw new UnexpectedValueException("Failed to connect: $errorMessage");
}
fwrite($client, $data);
fclose($client);
Or you can use the nc utility:
echo -n "hello from nc" | nc 127.0.0.1 9090
Here is server output for both cases:
QTcpServer started on port 9090
New incoming connection
Data received: hello from php (len = 14)
New incoming connection
Data received: hello from nc (len = 13)
I have server in C++ writen with boost.asio and php client. when i send over small amount of data i get all the data but when i send long string i loose most of it.
Here is the part where i send data from my server, it says i have sent out 65536 bytes
void handle_write(const boost::system::error_code& /*error*/,
size_t size/*bytes_transferred*/) {
cout <<size<<endl;
}
void handler_read(const boost::system::error_code&, std::size_t size) {
istream is(&buffer);
string myString;
getline(is, myString);
Manager myManager(myString);
string response = myManager.getResponse();
boost::asio::async_write(socket_,
boost::asio::buffer(response),
boost::bind(&tcp_connection::handle_write, shared_from_this(),
boost::asio::placeholders::error,
boost::asio::placeholders::bytes_transferred));
}
Here i make the string i will be sending
string getMap(string name, string pass) {
if (name == "admin" && pass == "123") {
string response = "";
ConvertTypes types;
response = types.intToString(MAP_HEIGHT) + " ";
response += types.intToString(MAP_WIDTH) + "\r\n";
for (int i=0; i<MAP_HEIGHT;i++) {
for (int j=0;j<MAP_WIDTH;j++) {
response += types.intToString(
worldMap[i][j].getHeight()) + " ";
response += types.intToString(
worldMap[i][j].getIsTown()) + " ";
response += string (1, worldMap[i][j].getTetrain())
+"\r\n";
}
}
return response;
} else {
return "";
}
}
On php side i read the sent data, stream_get_meta_data says i only received 8183 bytes of data.
print_r($this->socket->getStatus());
for ($i=0; $i<$MAP_HEIGHT;$i++) {
for ($j=0; $j<$MAP_WIDTH;$j++) {
$this->response = $this->socket->readLine();
$this->response = explode(' ', $this->response);
echo "<p>";
echo "$i $j <br>";
print_r($this->response);
echo '<br>';
print_r($keyArray);
$map[$i][$j] = array_combine($keyArray, $this->response);
$this->response = $this->socket->readLine();
} }
}
You can send one large block via socket, but receiving side might get several blocks of smaller sizes, for example:
send -> 10000 bytes
receive <- 3000 bytes
receive <- 2000 bytes
receive <- 4500 bytes
receive <- 500 bytes
this is only an example, TCP does not guarantee send and receive blocks will be the same size.
I've found a answer. I was sending data from server in unsafe way. When async_write gave up controll to something else rest of the data was lost.
You have to pass string to this class:
class shared_const_buffer {
public:
// Construct from a std::string.
explicit shared_const_buffer(const std::string& data)
: data_(new std::vector<char>(data.begin(), data.end())),
buffer_(boost::asio::buffer(*data_))
{
}
// Implement the ConstBufferSequence requirements.
typedef boost::asio::const_buffer value_type;
typedef const boost::asio::const_buffer* const_iterator;
const boost::asio::const_buffer* begin() const { return &buffer_; }
const boost::asio::const_buffer* end() const { return &buffer_ + 1; }
private:
boost::shared_ptr<std::vector<char> > data_;
boost::asio::const_buffer buffer_;
};
and send this buffer not raw string. That way you don't loose data.