CURLOPT_POST vs. CURLOPT_POSTFIELDS: Is CURLOPT_POST option required? - php

I'm new to cURL in PHP. I have a question regarding usage of curl options.
Consider two script files: test1.php and test2.php both present in root www. I'm using Ubuntu 12.04 LTS. The libcurl version for PHP is 7.22.0.
Contents of test1.php
<?php
$ch = curl_init();
$post_data = array(
'firstname' => 'John',
'lastname' => 'Doe'
);
curl_setopt($ch, CURLOPT_URL, 'localhost/test2.php');
curl_setopt($ch, CURLOPT_POST, TRUE); //is it optional?
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_exec($ch);
curl_close($ch);
?>
Contents of test2.php
<?php
var_dump($_POST);
?>
When I execute test1.php via browser, I can see results posted. Now if I remove curl option containing CURLOPT_POST, the example still works. Even if I set CURLOPT_POST to false, post is performed and result is displayed. So, is that CURLOPT_POST not required at all? It looks option CURLOPT_POSTFIELDS takes care of sending data via POST without use of CURLOPT_POST option. When I print $_SERVER in test2.php, request method is always set to POST (with or without option CURLOPT_POST).
Could anyone please let me know the exact use of CURLOPT_POST option? Is it neccessary required for sending data via POST?

You are correct. CURLOPT_POSTFIELDS implies CURLOPT_POST. You don't need to use CURLOPT_POST while using CURLOPT_POSTFIELDS. The request method will always be set to POST in this case.
Note that this is in your case as long as you want it to be a POST request.
If you don't want to be it a POST request but set CURLOPT_POSTFIELDS, please see this related Q&A:
How to switch from POST to GET in PHP CURL

For future reference the API document say this about CURLOPT_POST
Summary:
A true parameter tells the library to do a regular HTTP post. This will also make the library use the a "Content-Type: application/x-www-form-urlencoded" header. (This is by far the most commonly used POST method).
Use the CURLOPT_POSTFIELDS option to specify what data to post and CURLOPT_POSTFIELDSIZE to set the data size. Optionally, you can provide data to POST using the CURLOPT_READFUNCTION and CURLOPT_READDATA options.
You can override the default POST Content-Type: header by setting your own with CURLOPT_HTTPHEADER.
Using POST with HTTP 1.1 implies the use of a "Expect: 100-continue" header. You can disable this header with CURLOPT_HTTPHEADER as usual.
If you use POST to a HTTP 1.1 server, you can send data without knowing the size before starting the POST if you use chunked encoding. You enable this by adding a header like "Transfer-Encoding: chunked" with CURLOPT_HTTPHEADER. With HTTP 1.0 or without chunked transfer, you must specify the size in the request.
if you have issued a POST request and want to make a HEAD or GET instead, you must explicitly pick the new request type using CURLOPT_NOBODY or CURLOPT_HTTPGET or similar.
I'm testing right now whether setting the CURLOPT_POST to try will override my CURLOPT_HTTPHEADER, "Content-Type: application/json; charset=utf-8" setting.

Related

PHP redirection with code 307 changes method from POST to GET

In my PHP software I have an self-update feature which sends a HTTP request with the POST method to a certain URL (to a PHP script). Now this URL has changed (I moved the script to another directory), but to stay backward compatible I want to use the script at the old URL to redirect the POST request to the new location. I tried to use the HTTP 307 status code but the second time PHP makes the request, it changes the method from POST to GET, although it must not do this (at least I though this is what the 307 code is for). I use PHP 5.4.29 on Windows 7 as Apache (2.2.27) module and I sniffed the traffic to make sure that HTTP 1.1 is used in the request and the response.
This is how I make a POST request:
<?php
$requestData = http_build_query(
array(
"param1" => "value1",
// and so on...
)
);
$requestOptions = array("http"=>
array
(
"protocol_version"=>"1.1",
"method"=>"POST",
"header"=>array(
"Content-type: application/x-www-form-urlencoded",
"Connection: close",
),
"content"=>$requestData,
)
);
$requestContext = stream_context_create($requestOptions);
$serverResponse = #file_get_contents("http://localhost/old/long/path/update.php", false, $requestContext);
?>
I tried to redirect manually and automatically by PHP:
<?php
// Redirect manually
header("HTTP/1.1 307 Temporary Redirect");
header("Location: http://localhost/update.php");
// or redirect automatically
header("Location: http://localhost/update.php", true, 307);
?>
According to the sniffed data, everything looks normal. HTTP 1.1 is used in request and response and code 307 is used. But the second time PHP sends the request (to the new location, still with HTTP 1.1, ..) it simply changes the method to GET and my POST payload is lost.
Again: This is not a user / browser redirection - I redirect PHP. I make my request myself and manually though my software and I want to redirect it to a new location. This has nothing to do with a security related topic.
It looks like file_get_contents does not repost the data, possibly for the reason highlighted by #daiscog.
Curl however will repost to the redirected url:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://localhost/old/long/path/update.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $requestData);
$serverResponse = curl_exec($ch);
However it would make more sense to either handle this at the server level (eg an Apache url rewrite) or to simply include the new file in the old one:
//old.php
include('path/to/new.php');
The W3C HTTP/1.1 specification for 307 states:
If the 307 status code is received in response to a request other than
GET or HEAD, the user agent MUST NOT automatically redirect the
request unless it can be confirmed by the user, since this might
change the conditions under which the request was issued.
The point behind this is that it is unsafe for a server to tell a client to POST to a different URL as that may be a malicious attempt to get the client to send data somewhere the user did not intend, so POST redirections are not possible.

unset curl CURLOPT_POSTFIELDS

I have an PHP class which is used to POST some data to a server, and GET some data back using the same open connection.
The problem is that this code will try to POST data from 1st request, in the 2nd request...
curl_setopt(self::$ecurl, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt(self::$ecurl, CURLOPT_POSTFIELDS, $data);
$request=curl_exec(self::$ecurl);
curl_setopt(self::$ecurl, CURLOPT_CUSTOMREQUEST, "GET");
$request=curl_exec(self::$ecurl);
So i need the way to unset CURLOPT_POSTFIELDS. I tried to use curl_setopt(self::$ecurl, CURLOPT_POSTFIELDS, null);, but anyway curl send Posting 0 bytes... in request's header.
Also please note, that i need to use exactly the same connection, so I can't create another connection via curl_init.
Set the CURLOPT_HTTPGET to true prior to the last request.
From PHP.net:
CURLOPT_HTTPGET
TRUE to reset the HTTP request method to GET. Since GET is the default, this is only necessary if the request method has been changed.
You could add your curl options into an array and use curl_setopt_array
This will make it easy to unset (or set) your options array elements.
$options = array(
CURLOPT_URL => 'http://www.example.com/',
CURLOPT_CUSTOMREQUEST => 'PUT',
CURLOPT_POSTFIELDS => $post_data
);
// condition on which you want to unset
if ($condition == true) {
unset($options[CURLOPT_POSTFIELDS]);
}
...
curl_setopt_array($ch, $options);
// grab URL and pass it to the browser
curl_exec($ch);
I understand this was an old question but still think this method can be handy.

Confused about CURLOPT_HTTPGET and CURLOPT_POST options

I'm confused about why there are two options related to setting the request type. They seem redundant to me. From the PHP manual page for curl_setopt():
CURLOPT_POST
TRUE to do a regular HTTP POST. This POST is the normal application/x-www-form-urlencoded kind, most commonly used by HTML forms.
CURLOPT_HTTPGET
TRUE to reset the HTTP request method to GET. Since GET is the default, this is only necessary if the request method has been changed.
If I'm understanding this correctly, by default cURL makes GET requests, but the request type can be changed to POST by doing:
curl_setopt($ch, CURLOPT_POST, true);
However, to change back to GET requests, in addition to doing this:
curl_setopt($ch, CURLOPT_POST, false);
You also have to do this?
curl_setopt($ch, CURLOPT_HTTPGET, true);
You need to look at the libcurl documentation for further insight into the differences between the options as they are quite subtle. The key seems to be if you're reusing the curl handle between requests.
CURLOPT_HTTPGET: Forces the HTTP request to get back to using GET, if a POST, HEAD, PUT, etc has been used previously using the same curl handle.
CURLOPT_POST: Regular POST request using a "Content-Type: application/x-www-form-urlencoded" header which is typically the kind used when submitting HTML forms. The header can then optionally be overriden using CURLOPT_HTTPHEADER.

Right way to set the OAuth Authorization header?

I want to set a request header for a url xyz.com
is it the right way to set it in php?
header('Authorization: AuthSub token="xxxxxx"');
header('location:https://www.google.com/accounts/AuthSubRevokeToken');
I am trying to set the header for this URL for a call.But the Authorization: AuthSub header doesnt shows up in the request headers section of the FireFox NET panel.Which is used to show the requests.
Any idea about it?
Thanx.
I was using curl previously,But it didnt seemed to issue any request as i cant see it in the NET panel of FireFox.
Code is as follows:
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,"https://www.google.com/accounts/AuthSubRevokeToken");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_FAILONERROR, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Authorization: AuthSub token="1/xxx"'
));
$result = curl_exec($curl);
curl_close($curl);
echo 'hererer'.$result;exit;
header sets response headers, not request headers. (If you were trying to send a HTTP request elsewhere, it would have no effect.)
Please also note what the manual says about Remember that header() must be called before any actual output is sent, ....
And turn on error_reporting(E_ALL); before using header() to see if that is the issue for you.
Header names and values need to be separated by one colon plus a space, so the location "header" is just wrong, it should be:
header('Location: https://www.google.com/accounts/AuthSubRevokeToken');
(It's common to write the case this way, too, but not a need)
Next to that the header function is setting response headers, not request headers. So you're basically using the wrong tool.
In PHP you can not set request headers, that's part of the client (e.g. browser), not the server. So header just looks wrong here. Which HTTP client are you using?
A call, as in using CURL to request another page? The header() function applies only for web-browser<->server communications. It cannot affect any requests your server-side script does to other webservers. For that, you need to modify the particular method you're using, e.g. curl or streams.
For curl, see CURLOPT_HTTPHEADER here: http://php.net/curl_setopt

php to translate GET request to POST request

i have a hosted script somewhere that only accept POST request.
example, some.hosted/script.php
how can i setup another simple php that can accept GET request and then POST it to the hosted script.
so that i can put up a link like this: other.site/post2hostedscript.php?postthis=data
and then it POST postthis=data to the hosted script.
tnx
edit:
post2hostedscript.php do not give any result.
the result will go directly to some.hosted/script.php
just as if the user POST directly at the hosted script.
Your post2hostedscript.php will have to :
Fetch all parameters received as GET
Construct a POST query
Send it
And, probably, return the result of that POST request.
This can probably be done using curl, for instance ; something like this should get you started :
$queryString = $_SERVER['QUERY_STRING'];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.othersite.com/post2hostedscript.php");
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, $queryString);
curl_exec($ch);
curl_close($ch);
For a list of options that can be used with curl, you can take a look at the page of curl_setopt.
Here, you'll have to use, at least :
CURLOPT_POST : as you want to send a POST request, and not a GET
CURLOPT_RETURNTRANSFER : depending on whether you want curl_exec to return the result of the request, or to just output it.
CURLOPT_POSTFIELDS : The data that will be posted -- i.e. what you have in the query string of your incoming request.
And note that the response from the POST request might include some interesting HTTP header -- if needed, you'll have to fetch them (see the CURLOPT_HEADER option), and re-send the interesting ones in your own response (see the header function).
Take a look at the "curl" functions, they provide everything you need.
You might consider replacing all instances of $_POST in the old script to $_REQUEST, which will result in it accepting both GET and POST alike.

Categories