I try to login on steam using the following code.
steamcommunity.com/login/getrsakey first request is successful.
Request a steamcommunity.com/login/dologin/ all the time gives an error incorrect login.
Perhaps dealing with encryption password or need to add ssl.
I use to encrypt library on http://phpseclib.sourceforge.net/
function geturl($url, $ref, $cookie, $postdata, $header, &$info, &$output)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36');
if ($ref)
{
curl_setopt($ch, CURLOPT_REFERER, $ref);
}
if ($cookie)
{
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
}
if ($postdata)
{
curl_setopt($ch, CURLOPT_POST, true);
$postStr = "";
foreach ($postdata as $key => $value)
{
if ($postStr)
$postStr .= "&";
$postStr .= $key . "=" . $value;
}
curl_setopt($ch, CURLOPT_POSTFIELDS, $postStr);
}
curl_setopt($ch, CURLOPT_HEADER, $header);
$info = curl_getinfo($ch);
$output = curl_exec($ch);
curl_close($ch);
}
geturl("https://steamcommunity.com/login/getrsakey", null, null, array('username' => $login), 0, $info, $output);
$data = json_decode($output, true);
if ($data['success'] === true)
{
$publickey_exp = $data['publickey_exp'];
$publickey_mod = $data['publickey_mod'];
$RSA = new Crypt_RSA();
$RSA->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
$n = new Math_BigInteger($publickey_mod, 16);
$e = new Math_BigInteger($publickey_exp, 16);
$key = array("modulus"=>$n, "publicExponent"=>$e);
$RSA->loadKey($key, CRYPT_RSA_PUBLIC_FORMAT_RAW);
$encryptedPassword = base64_encode($RSA->encrypt($password, false));
$captchaGid = -1;
$captchaText;
$emailAuth;
$emailSteamId;
$params = array(
'username' => $login,
'password' => $encryptedPassword,
'rsatimestamp' => $data['timestamp'],
'captcha_gid' => $captchaGid,
'captcha_text' => $captchaText,
'emailauth' => $emailAuth,
'emailsteamid' => $emailSteamId
);
geturl("https://steamcommunity.com/login/dologin/", null, null, $params, 0, $info, $output);
$data = json_decode($output, true);
var_dump($data);
if ($data['captcha_needed'])
{
$captchaGid = $data['captcha_gid'];
echo '<img src="https://steamcommunity.com/public/captcha.php?gid=' . $captchaGid . '">';
}
}
I think it would be better to use third-part libraries to auth.
Check this one: https://github.com/SmItH197/SteamAuthentication
It creates login button like "Sign in via Facebook".
EDIT: Steam has alsow his own API https://steamcommunity.com/dev
I can't be sure, but it looks like you are attempting to log a user into your site using Steam as the login method. Is this what you are attempting to do? If so, I recommend using the LightOpenID library.
<?php
require 'includes/lightopenid/openid.php';
$_STEAMAPI = "YOURSTEAMAPIKEY";
try
{
$openid = new LightOpenID('http://URL.TO.REDIRECT.TO.AFTER.LOGIN/');
if(!$openid->mode)
{
if(isset($_GET['login']))
{
$openid->identity = 'http://steamcommunity.com/openid/?l=english'; // This is forcing english because it has a weird habit of selecting a random language otherwise
header('Location: ' . $openid->authUrl());
}
?>
<form action="?login" method="post">
<input type="image" src="http://cdn.steamcommunity.com/public/images/signinthroughsteam/sits_small.png">
</form>
<?php
}
elseif($openid->mode == 'cancel')
{
echo 'User has canceled authentication!';
}
else
{
if($openid->validate())
{
$id = $openid->identity;
// identity is something like: http://steamcommunity.com/openid/id/76561197960435530
// we only care about the unique account ID at the end of the URL.
$ptn = "/^http:\/\/steamcommunity\.com\/openid\/id\/(7[0-9]{15,25}+)$/";
preg_match($ptn, $id, $matches);
echo "User is logged in (steamID: $matches[1])\n";
// $matches[1] is the profile ID you will want to use for additional API calls
}
else
{
echo "User is not logged in.\n";
}
}
}
catch(ErrorException $e)
{
echo $e->getMessage();
}
?>
At the end of this login, you will have the user's profile ID (ie. 76561197960435530) which you can use against many of the API's that Steam provides to gather further information on the player.
Use "urlencode()" function
$encryptedPassword = urlencode(base64_encode($RSA->encrypt($password, false)));
Related
I am trying to use cURL to automatic login into this site: GSC. The site is build using ASP.NET. I first perform a GET request to get session id, which works just fine. I then need to person a POST request to the same site with session id, username, password and some login position. The login position changes based on the window size of the browser, so I just choose some random ones. I've left of the username and password below, but I've checked them several times and the are correct. In Chrome I can see that there is also a query string parameter, but I'm not sure If I should include this anywhere? I've included two pictures the request + response I made manually in a Chrome Browser and the php script I'm using for the automatic login. Can anybody see, if I made any errors?
Request + response:
PHP script:
function get_headers_from_curl_response($headerContent)
{
$headers = array();
// Split the string on every "double" new line.
$arrRequests = explode("\r\n\r\n", $headerContent);
// Loop of response headers. The "count() -1" is to
//avoid an empty row for the extra line break before the body of the response.
for ($index = 0; $index < count($arrRequests) -1; $index++) {
foreach (explode("\r\n", $arrRequests[$index]) as $i => $line)
{
if ($i === 0)
$headers[$index]['http_code'] = $line;
else
{
list ($key, $value) = explode(': ', $line);
$headers[$index][$key] = $value;
}
}
}
return $headers;
}
function regexExtract($text, $regex, $regs, $nthValue)
{
if (preg_match($regex, $text, $regs)) {
$result = $regs[$nthValue];
}
else {
$result = "";
}
return $result;
}
$regexViewstate = '/__VIEWSTATE\" value=\"(.*)\"/i';
$regexEventVal = '/__EVENTVALIDATION\" value=\"(.*)\"/i';
$ch = curl_init("http://gsc.klub-modul.dk/cms/ShowContentPage.aspx?ContentPageID=1");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
$response = curl_exec($ch);
curl_close($ch);
$viewstate = regexExtract($response,$regexViewstate,$regs,1);
$eventval = regexExtract($response, $regexEventVal,$regs,1);
$params = array(
'__EVENTTARGET' => '',
'__EVENTARGUMENT' => '',
'__VIEWSTATE' => $viewstate,
'__EVENTVALIDATION' => $eventval,
'ctl00%24txtUsername' => 'xxx',
'ctl00%24txtPassword' => 'xxx',
'ctl00$ImgLogin.x' => '0',
'ctl00$ImgLogin.y' => '0',
);
$ch2 = curl_init("http://gsc.klub-modul.dk/cms/ShowContentPage.aspx?ContentPageID=1");
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch2, CURLOPT_HEADER, 1);
curl_setopt ($ch2, CURLOPT_POST, true);
curl_setopt($ch2, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch2, CURLOPT_POSTFIELDS, http_build_query($params));
curl_setopt ($ch2, CURLOPT_COOKIE,'cookies.txt');
curl_setopt($ch2,CURLOPT_COOKIEJAR,'cookies2.txt');
$response2 = curl_exec($ch2);
curl_close($ch2);
foreach(get_headers_from_curl_response($response2) as $value)
{
foreach($value as $key => $value2)
{
echo $key . ": " .$value2 . "<br />";
}
}
Your code looks clean to me, unless you didn't make any mistake elsewhere. Just one thing you need to fix:
'ctl00$txtUsername' => 'xxx',
'ctl00$txtPassword' => 'xxx',
You are using %24 inside the keys, which further urlencoded by the function http_build_query()
i was creating a small app using jquery mobile with server side language as php,so i want to import all my google contacts (Names,Numbers & Email) into a mysql database using the OAuth. Currently im using the following script which can grab only email addresses but is there a way for the same to import names & numbers as well?
<html>
<head>
<meta name="robots" content="noindex" />
<title>Email address list - Import Gmail or Google contacts</title>
<style type="text/css">
a:link {color:Chocolate;text-decoration: none;}
a:hover {color:CornflowerBlue;}
.logo{width:100%;height:110px;border:2px solid black;background-color:#666666;}
</style>
</head>
<body>
<div class="logo" >
<a href="http://25labs.com/" >
<img style="padding-top: 10px;" src="http://25labs.com/wp-content/themes/TheStyle/images/logo.png"></img>
</a>
</div>
<br/>
<div><b>Visit Tutorial: </b><a style="font-size:17px;" href="http://25labs.com/import-gmail-or-google-contacts-using-google-contacts-data-api-3-0-and-oauth-2-0-in-php/" >Import Gmail or Google contacts using Google Contacts Data API 3.0 and OAuth 2.0 in PHP</a></div>
<br/>
<div style="padding-left: 50px;">
<?php
$client_id = '';
$client_secret = '';
$redirect_uri = '';
$max_results = 1000;
$auth_code = $_GET["code"];
function curl_file_get_contents($url)
{
$curl = curl_init();
$userAgent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)';
curl_setopt($curl,CURLOPT_URL,$url); //The URL to fetch. This can also be set when initializing a session with curl_init().
curl_setopt($curl,CURLOPT_RETURNTRANSFER,TRUE); //TRUE to return the transfer as a string of the return value of curl_exec() instead of outputting it out directly.
curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,5); //The number of seconds to wait while trying to connect.
curl_setopt($curl, CURLOPT_USERAGENT, $userAgent); //The contents of the "User-Agent: " header to be used in a HTTP request.
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, TRUE); //To follow any "Location: " header that the server sends as part of the HTTP header.
curl_setopt($curl, CURLOPT_AUTOREFERER, TRUE); //To automatically set the Referer: field in requests where it follows a Location: redirect.
curl_setopt($curl, CURLOPT_TIMEOUT, 10); //The maximum number of seconds to allow cURL functions to execute.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); //To stop cURL from verifying the peer's certificate.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
$contents = curl_exec($curl);
curl_close($curl);
return $contents;
}
$fields=array(
'code'=> urlencode($auth_code),
'client_id'=> urlencode($client_id),
'client_secret'=> urlencode($client_secret),
'redirect_uri'=> urlencode($redirect_uri),
'grant_type'=> urlencode('authorization_code')
);
$post = '';
foreach($fields as $key=>$value) { $post .= $key.'='.$value.'&'; }
$post = rtrim($post,'&');
$curl = curl_init();
curl_setopt($curl,CURLOPT_URL,'https://accounts.google.com/o/oauth2/token');
curl_setopt($curl,CURLOPT_POST,5);
curl_setopt($curl,CURLOPT_POSTFIELDS,$post);
curl_setopt($curl, CURLOPT_RETURNTRANSFER,TRUE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER,0);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST,0);
$result = curl_exec($curl);
curl_close($curl);
$response = json_decode($result);
$accesstoken = $response->access_token;
$url = 'https://www.google.com/m8/feeds/contacts/default/full?max-results='.$max_results.'&oauth_token='.$accesstoken;
$xmlresponse = curl_file_get_contents($url);
if((strlen(stristr($xmlresponse,'Authorization required'))>0) && (strlen(stristr($xmlresponse,'Error '))>0))
{
echo "<h2>OOPS !! Something went wrong. Please try reloading the page.</h2>";
exit();
}
echo "<h3>Email Addresses:</h3>";
$xml = new SimpleXMLElement($xmlresponse);
$xml->registerXPathNamespace('gd', 'http://schemas.google.com/g/2005');
$result = $xml->xpath('//gd:email');
foreach ($result as $title) {
echo $title->attributes()->address . "<br>";
}
?>
</div>
</body></html>
This code uses ZF2 client but you can get the idea:
$client = new \Zend\Http\Client('https://www.google.com/m8/feeds/contacts/default/full?max-results=100000&alt=json', array(
'adapter' => 'Zend\Http\Client\Adapter\Curl'
));
$client->setHeaders(array(
array('Authorization' => 'Bearer ' . $ACCESS_TOKEN)
));
$client->send();
if ($client->getResponse()->getStatusCode() != 200) {
return false;
} else {
$output = json_decode($client->getResponse()->getBody());
if ($output) {
$entries = $output->feed->entry;
foreach ($entries as $e) {
print_r($e); // here you can see all the available information
}
}
}
I am using PHP. I want to fetch all gmail contacts of a user, i am using a PHP code that is calling google API through CURL. But, when i am doing this on localhost, it is doing well and giving me all contacts.
But when i am doing this on online server that server in US, it is giving me response "Account Disabled" and also receiving a security mail by same user from google.
i am using below code :
function getGmailContacts($user, $password) {
//========================================== step 1: login ===========================================================
$login_url = "https://www.google.com/accounts/ClientLogin";
$fields = array(
'Email' => $user,
'Passwd' => $password,
'service' => 'cp', // <== contact list service code
'source' => 'test-google-contact-grabber',
'accountType' => 'GOOGLE',
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,$login_url);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS,$fields);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($curl);
$returns = array();
foreach (explode("\n",$result) as $line)
{
$line = trim($line);
if (!$line) continue;
list($k,$v) = explode("=",$line,2);
$returns[$k] = $v;
}
curl_close($curl);
//echo "<pre>";
//print_r($returns);exit;
if(!isset($returns['Error'])) {
//========================== step 2: grab the contact list ===========================================================
$feed_url = "http://www.google.com/m8/feeds/contacts/$user/full?alt=json&max-results=250";
$header = array(
'Authorization: GoogleLogin auth=' . $returns['Auth'],
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $feed_url);
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($curl);
curl_close($curl);
$data = json_decode($result, true);
//echo "<pre>";
//print_r($data);exit;
$contacts = array();
$i=0;
foreach ($data['feed']['entry'] as $entry)
{
//echo $i." ";
$entryElement = $entry;
if(isset($entryElement['gd$email'])) {
$gdEmailData = $entryElement['gd$email'][0];
//$contact->title = $entryElement['title']['$t'];
//$contact->email = $gdEmailData['address'];
$contacts[$gdEmailData['address']] = $entryElement['title']['$t'];
}
}
//var_dump($contacts);
//print_r($contacts);
return $contacts;
}
else {
if($returns['Error']=='BadAuthentication') {
//echo '<strong>User Name and Password is incorrect.</strong>';
$errorArr = array("Error"=>"User Name and Password is incorrect.");
//print_r($errorArr);
return $errorArr;
}
}
}
That mail contains that
"Someone recently tried to use an application to sign in to your
Google Account....Location: New York NY, New York, United States....."
.
I thing this error is occurring from location change.
can any one help me please? Thanks in advance.
I am trying to build a script that posts information into the RoyalMail tracking system and extracts the output.
What I currently have is getting an error from their server - see the link, somehow it is detecting that I am not using their website as per normal and throwing me an error.
Things I think I have taken into account:
Using an exact copy of their form by parsing it beforehand (the post parameters)
Saving the cookies between each request
Accepting redirect headers
Providing a refer header that is actually valid (the previously visited page)
Does anyone know anything else I need to check or can figure out what I am doing wrong?
A full copy of the source is at EDIT: please see my answer below
Websites usually use 2 ways to detect if you are a human or a bot: HTTP REFERER and USER AGENT. I suggest you use Curl it specified user agent and referer (replace 'http://something/' with real URL of a page you would normally visit before navigating to the url you want to download with PHP):
<?php
$url = 'http://track2.royalmail.com/portal/rm/track';
$html = file_get_contents2($url, '');
$post['_dyncharset'] = 'ISO-8859-1';
$post['trackConsigniaPage'] = 'track';
$post['/rmg/track/RMTrackFormHandler.value.searchCompleteUrl'] = '/portal/rm/trackresults?catId=22700601&pageId=trt_rmresultspage';
$post['_D:/rmg/track/RMTrackFormHandler.value.searchCompleteUrl'] = '';
$post['/rmg/track/RMTrackFormHandler.value.invalidInputUrl'] = '/portal/rm/trackresults?catId=22700601&pageId=trt_rmresultspage&keyname=track_blank';
$post['_D:/rmg/track/RMTrackFormHandler.value.invalidInputUrl'] = '';
$post['/rmg/track/RMTrackFormHandler.value.searchBusyUrl'] = '/portal/rm/trackresults?catId=22700601&pageId=trt_busypage&keyname=3E_track';
$post['_D:/rmg/track/RMTrackFormHandler.value.searchBusyUrl'] = '';
$post['/rmg/track/RMTrackFormHandler.value.searchWaitUrl'] = '/portal/rm/trackresults?catId=22700601&timeout=true&pageId=trt_timeoutpage&keyname=3E_track';
$post['_D:/rmg/track/RMTrackFormHandler.value.searchWaitUrl'] = '';
$post['/rmg/track/RMTrackFormHandler.value.keyname'] = '3E_track';
$post['_D:/rmg/track/RMTrackFormHandler.value.keyname'] = '';
$post['/rmg/track/RMTrackFormHandler.value.previousTrackingNumber'] = '';
$post['_D:/rmg/track/RMTrackFormHandler.value.previousTrackingNumber'] = '';
$post['/rmg/track/RMTrackFormHandler.value.trackingNumber'] = 'ZW791944749GB';
$post['_D:/rmg/track/RMTrackFormHandler.value.trackingNumber'] = '';
$post['/rmg/track/RMTrackFormHandler.track.x'] = '50';
$post['/rmg/track/RMTrackFormHandler.track.y'] = '14';
$post['_D:/rmg/track/RMTrackFormHandler.track'] = '';
$post['/rmg/track/RMTrackFormHandler.value.day'] = '19';
$post['_D:/rmg/track/RMTrackFormHandler.value.day'] = '';
$post['/rmg/track/RMTrackFormHandler.value.month'] = '5';
$post['_D:/rmg/track/RMTrackFormHandler.value.month'] = '';
$post['/rmg/track/RMTrackFormHandler.value.year'] = '2012';
$post['_D:/rmg/track/RMTrackFormHandler.value.year'] = '';
$post['_DARGS'] = '/portal/rmgroup/apps/templates/html/rm/rmTrackResultPage.jsp';
$url2 = 'http://track2.royalmail.com/portal/rm?_DARGS=/portal/rmgroup/apps/templates/html/rm/rmTrackAndTraceForm.jsp';
$html2 = file_get_contents2($url2, $url, $post);
echo $html2;
function file_get_contents2($address, $referer, $post = false)
{
$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1";
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $address);
curl_setopt($c, CURLOPT_USERAGENT, $useragent);
curl_setopt($c, CURLOPT_HEADER, 0);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
if ($post)
{
$postF = http_build_query($post);
curl_setopt($c, CURLOPT_POST, true);
curl_setopt($c, CURLOPT_POSTFIELDS, $postF);
}
curl_setopt($c, CURLOPT_COOKIEJAR, 'cookie.txt');
//curl_setopt($c, CURLOPT_FRESH_CONNECT, 1);
curl_setopt($c, CURLOPT_REFERER, $referer);
curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1);
if (!$data = curl_exec($c))
{
return false;
}
return $data;
}
The above updated code returned me:
Item ZW791944749GB was posted at 1 High Street RG17 9TJ on 19/05/12 and is being progressed through our network for delivery.
So it seems it works.
I have now fixed it, the problem was with PHP curl and following redirects, it seems that it doesn't always post the request data and sends a GET request when following.
To deal with this I disabled curl follow location with curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); and then built a follow location system myself that works recursively. Essentially it extracts the location header from the response, checks for a 301 or a 302 and then runs the method again as required.
This means the information will definitely be POSTED again.
I also improved the user agent string, simply copying my current one on the basis it won't be blocked for a long while as in 2012 it is in active use!
Here is a final copy of the curl class (in case the link dies - been down voted for that in the past) which is working:
/**
* Make a curl request respecting redirects
* Also supports posts
*/
class pegCurlRequest {
private $url, $postFields = array(), $referer = NULL, $timeout = 3;
private $debug = false, $postString = "";
private $curlInfo = array();
private $content = "";
private $response_meta_info = array();
static $cookie;
function __construct($url, $postFields = array(), $referer = NULL, $timeout = 3) {
$this->setUrl($url);
$this->setPost($postFields);
$this->setReferer($referer);
$this->setTimeout($timeout);
if(empty(self::$cookie)) self::$cookie = tempnam("/tmp", "pegCurlRequest"); //one time cookie
}
function setUrl($url) {
$this->url = $url;
}
function setTimeout($timeout) {
$this->timeout = $timeout;
}
function setPost($postFields) {
if(is_array($postFields)) {
$this->postFields = $postFields;
}
$this->updatePostString();
}
function updatePostString() {
//Cope with posting
$this->postString = "";
if(!empty($this->postFields)) {
foreach($this->postFields as $key=>$value) { $this->postString .= $key.'='.$value.'&'; }
$this->postString= rtrim($this->postString,'&'); //Trim off the waste
}
}
function setReferer($referer) {
//Set a referee either specified or based on the url
$this->referer = $referer;
}
function debugInfo() {
//Debug
if($this->debug) {
echo "<table><tr><td colspan='2'><b><u>Pre Curl Request</b><u></td></tr>";
echo "<tr><td><b>URL: </b></td><td>{$this->url}</td></tr>";
if(!empty(self::$cookie)) echo "<tr><td><b>Cookie String: </b></td><td>".self::$cookie."</td></tr>";
if(!empty($this->referer)) echo "<tr><td><b>Referer: </b></td><td>".$this->referer."</td></tr>";
if(!empty($this->postString)) echo "<tr><td><b>Post String: </b></td><td>".$this->postString."</td></tr>";
if(!empty($this->postFields)) {
echo "<tr><td><b>Post Values:</b></td><td><table>";
foreach($this->postFields as $key=>$value)
echo "<tr><td>$key</td><td>$value</td></tr>";
echo "</table>";
}
echo "</td></tr></table><br />\n";
}
}
function debugFurtherInfo() {
//Debug
if($this->debug) {
echo "<table><tr><td colspan='2'><b><u>Post Curl Request</b><u></td></tr>";
echo "<tr><td><b>URL: </b></td><td>{$this->url}</td></tr>";
if(!empty($this->referer)) echo "<tr><td><b>Referer: </b></td><td>".$this->referer."</td></tr>";
if(!empty($this->curlInfo)) {
echo "<tr><td><b>Curl Info:</b></td><td><table>";
foreach($this->curlInfo as $key=>$value)
echo "<tr><td>$key</td><td>$value</td></tr>";
echo "</table>";
}
echo "</td></tr></table><br />\n";
}
}
/**
* Make the actual request
*/
function makeRequest($url=NULL) {
//Shorthand request
if(!is_null($url))
$this->setUrl($url);
//Output debug info
$this->debugInfo();
//Using a shared cookie
$cookie = self::$cookie;
//Setting up the starting information
$ch = curl_init();
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 Safari/536.11" );
curl_setopt($ch, CURLOPT_URL, $this->url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_ENCODING, "gzip");
//register a callback function which will process the headers
//this assumes your code is into a class method, and uses $this->readHeader as the callback //function
curl_setopt($ch, CURLOPT_HEADERFUNCTION, array(&$this,'readHeader'));
//Some servers (like Lighttpd) will not process the curl request without this header and will return error code 417 instead.
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Expect:"));
//Referer
if(empty($this->referer)) {
curl_setopt($ch, CURLOPT_REFERER, dirname($this->url));
} else {
curl_setopt($ch, CURLOPT_REFERER, $this->referer);
}
//Posts
if(!empty($this->postFields)) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $this->postString);
}
//Redirects, transfers and timeouts
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_AUTOREFERER, false);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeout);
curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
//Debug
if($this->debug) {
curl_setopt($ch, CURLOPT_VERBOSE, true); // logging stuffs
curl_setopt($ch, CURLINFO_HEADER_OUT, true); // enable tracking
}
//Get the content and the header info
$content = curl_exec($ch);
$response = curl_getinfo($ch);
//get the default response headers
$headers = curl_getinfo($ch);
//add the headers from the custom headers callback function
$this->response_meta_info = array_merge($headers, $this->response_meta_info);
curl_close($ch); //be nice
//Curl info
$this->curlInfo = $response;
//Output debug info
$this->debugFurtherInfo();
//Are we being redirected?
if ($response['http_code'] == 301 || $response['http_code'] == 302) {
$location = $this->getHeaderLocation();
if(!empty($location)) { //the location exists
$this->setReferer($this->getTrueUrl()); //update referer
return $this->makeRequest($location); //recurse to location
}
}
//Is there a javascript redirect on the page?
elseif (preg_match("/window\.location\.replace\('(.*)'\)/i", $content, $value) ||
preg_match("/window\.location\=\"(.*)\"/i", $content, $value)) {
$this->setReferer($this->getTrueUrl()); //update referer
return $this->makeRequest($value[1]); //recursion
} else {
$this->content = $content; //set the content - final page
}
}
/**
* Get the url after any redirection
*/
function getTrueUrl() {
return $this->curlInfo['url'];
}
function __toString() {
return $this->content;
}
/**
* CURL callback function for reading and processing headers
* Override this for your needs
*
* #param object $ch
* #param string $header
* #return integer
*/
private function readHeader($ch, $header) {
//This is run for every header, use ifs to grab and add
$location = $this->extractCustomHeader('Location: ', '\n', $header);
if ($location) {
$this->response_meta_info['location'] = trim($location);
}
return strlen($header);
}
private function extractCustomHeader($start,$end,$header) {
$pattern = '/'. $start .'(.*?)'. $end .'/';
if (preg_match($pattern, $header, $result)) {
return $result[1];
} else {
return false;
}
}
function getHeaders() {
return $this->response_meta_info;
}
function getHeaderLocation() {
return $this->response_meta_info['location'];
}
}
Well first of all, you are talking about the Royal Mail. So I'm not sure if this simple little trick would trip them up...
But what you could try is spoofing your user agent with a quick ini_set() -
ini_set('user_agent', 'Mozilla/5.0 (X11; CrOS i686 1660.57.0) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.46 Safari/535.19'
That's an Ubuntu chrome user agent string.
The cURL user agent string would look quite different. For example:
curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
It's a long shot - but they might be rejecting requests that are not originating from recognized browsers.
I am trying to login to a form which has a hidden hash field. The problem is when I curl the page to get the hash, and when I include it as the post value in my next curl call (to the same page), the hash is not valid anymore since the succeeding curl cal is like the page refreshed already and it regenerated a new hash.
So how do I get the hash without simulating a refreshed page?
here is my sample code:
<?php
$la = new LoginAuth('http://site.tld/auth.php', 'username', 'password');
$result = $la->auth(0);
echo $result;
class LoginAuth
{
public $url;
public $usr;
public $pwd;
public $status;
private $last_url;
public function __construct($url, $usr, $pwd)
{
$this->url = $url;
$this->usr= $usr;
$this->pwd= $pwd;
}
public function get_hash()
{
$output = $this->curl($this->url, $this->last_url);
$hash = $this->match('!<input.*?name="hash".*?value="(.*?)"!ms', $output, 1);
return $hash;
}
public function auth($server)
{
$hash = $this->get_hash();
$auth_data = 'username=' . $this->usr . '&password=' . $this->pwd . '&server=' . $server . '&hash=' . $hash;
$output = $this->curl($this->url, $this->last_url, $auth_data);
$this->status = $output;
return $output;
}
private function curl($url, $referer = null, $post_param = null)
{
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20");
if($referer)
curl_setopt($ch, CURLOPT_REFERER, $referer);
if(!is_null($post_param))
{
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_param);
}
$html = curl_exec($ch);
$this->last_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
curl_close($ch);
return $html;
}
private function match($regex, $str, $out_ary = 0)
{
return preg_match($regex, $str, $match) == 1 ? $match[$out_ary] : false;
}
}
/* End of file auth.php */
/* Location: ./auth.php */
The server is probably sending you a Set-Cookie header for a session id. It will store the hash someplace locally, and then compare the one you submit to that one IF you supply the session cookie back to it.
You'll need to read the session cookie out of the get_hash() response, and then submit it back in your auth() call.
I'd fire up firebug and check out the headers being sent back and forth when you do it by hand, there may be some other important ones as well.