What is the raw POST data? - php

I'm trying to understand the meaning of raw POST data. The PHP manual page for $HTTP_RAW_POST_DATA just states that this variable contains raw POST data.
When will this variable be set and what's the meaning of raw POST data?
I understand the $_POST, but I am totally confused with $HTTP_RAW_POST_DATA.

An HTTP request consists of two parts. A set of headers and a body.
The headers include things like the URL being requested and caching control helpers (such as "I have a version of this from yesterday, only give me a new one if there are changes, OK?").
The body may or may not appear depending on the type of request. POST requests have bodies.
The body can be in any format the client likes. One of the headers will tell the server what the format is.
There are a couple of formats used by HTML forms, and PHP knows how to parse these and put the data into $_POST.
If the data is in another format, such as JSON, or if the data doesn't conform to PHP's quirks (such as the rules for having [] on the end of keys with the same name) then you might want to access the data directly so you can parse it yourself.
That is the raw POST data.

$_POST can be said to be an outcome after splitting the $HTTP_RAW_POST_DATA variable. PHP splits the raw post data and formats it in the way we see it in the $_POST array. For example:
$HTTP_RAW_POST_DATA looks something like this:
key1=value1&key2=value2
then $_POST would look like this:
$_POST = array(
    "key1" => "value1",
    "key2" => "value2",
);

HTTP is a text-based protocol, so all the data is passed as strings. When you work with $_POST, you already have the passed data processed for you into array form. This is done by PHP automatically right before control is passed to your script.
So in the raw POST data there is data as it was passed through the network.
Likely you see a=1&b=2 data, as you see it in URLs.

One of the things you can do with the HTTP protocol is do a POST request which sends some text back to the server.
$HTTP_RAW_POST_DATA will contain that text, no matter what it says.
Most of the time when we do a POST request, we will be adding a "content-type" to the text that is sent. This tells the server what sort of content it is. Most of the time on the web we are sending content type as 'application/x-www-form-urlencoded'.
When a server receives a POST request with this content type marker, the server will know to try to turn the data into a $_POST array so that "test=hello" becomes:
$_POST['test']='hello'

$HTTP_RAW_POST_DATA contains the raw POST data like in the following formats:
text
JSON
XML
HTML
In general, php://input should be used instead of $HTTP_RAW_POST_DATA, because this feature has been DEPRECATED as of PHP 5.6.0. Relying on this feature is highly discouraged.
Source: php.net - $HTTP_RAW_POST_DATA
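As an added example (not part of the original answers), the following PHP code shows the relationship the answers describe: the same raw body is decoded according to its Content-Type, with the form format parsed into an array the way $_POST is filled and JSON decoded by hand. The helper name parse_body(), the size limit and the sample bodies are assumptions constructed for illustration; a real handler would read the body from php://input.

```php
<?php
declare(strict_types=1);

// Added example: decode a request body according to its Content-Type.
// parse_body() is a hypothetical helper name, not a PHP built-in.
function parse_body(string $contentType, string $raw, int $maxBytes = 65536): array
{
    if (strlen($raw) > $maxBytes) {
        throw new LengthException('request body too large');
    }
    // Drop parameters such as "; charset=utf-8" and normalise case.
    $type = strtolower(trim(explode(';', $contentType, 2)[0]));

    switch ($type) {
        case 'application/x-www-form-urlencoded':
            // The format PHP parses into $_POST on its own.
            parse_str($raw, $fields);
            return $fields;
        case 'application/json':
            // PHP leaves $_POST empty for JSON; decode the raw body yourself.
            $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
            if (!is_array($data)) {
                throw new UnexpectedValueException('expected a JSON object or array');
            }
            return $data;
        default:
            throw new UnexpectedValueException("unsupported Content-Type: $type");
    }
}

// In a real handler the inputs come from the request:
//   $raw  = file_get_contents('php://input');
//   $type = $_SERVER['CONTENT_TYPE'] ?? '';
// Constructed samples so the script runs from the command line:
$samples = [
    ['application/x-www-form-urlencoded', 'key1=value1&key2=value2'],
    ['application/json; charset=utf-8', '{"key1":"value1","key2":"value2"}'],
    ['application/json', '{"key1": oops'],
];
foreach ($samples as [$type, $raw]) {
    try {
        var_dump(parse_body($type, $raw));
    } catch (JsonException | LengthException | UnexpectedValueException $e) {
        echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

php://input is not available for multipart/form-data requests, which PHP parses itself.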

Related

JSON with Variable At Beginning?

I am loading an external JSON file, which seems to load fine. I'm using this script to load it:
$file = "https://creator.zoho.com/api/json/los/view/All_clients?authtoken=xxx";
$bors = file_get_contents($file);
When i dump the results, I get:
string(505) "var zohoappview55 = {"Borrowers":[{"Full_Name":"Mike Smith","Email":"dadf#gmail.com","Address":"111 S. Street Ct., Aurora, CO, 80012","Position":"Borrower","ID":"1159827000004784102","Mobile":"+13033324675","Application":"Application 1 - 1159827000004784096"},{"Full_Name":"Stacy Smith","Email":"sdfa#gmail.com","Address":"111 S. Street, 80012","Position":"Co-Borrower","ID":"1159827000004784108","Mobile":"+1303558977","Application":"Application 1 - 1159827000004784096"}]};"
Looks like the JSON has a predefined var zohoappview55 at the beginning of the JSON. Not sure if this is my issue, but when I use json_decode it does not decode. If I remove this beginning variable it decodes just fine.
I don't have a way to change this variable or edit the JSON file, as it's a remote file. Does anyone know how to decode it in the native format with the variable at the beginning?
Having a quick look through the API documentation of zoho, it seems it should normally return correct json. It may think that it's a browser requesting the file as a javascript source so you may need to add an Accept header to your request.
This cannot be done with file_get_contents so you will probably need to use curl instead.
Try to perform a normal php curl request with the header Accept: application/json.
See: PHP cURL custom headers for reference.
But as Alex Howansky said in the comment, the API might not be intended for that. In that case you will need to strip the beginning and end of the received document.
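One way to strip the beginning and end of the received document before decoding, as an added example that is not part of the original answer. The helper name unwrap_js_assignment() is hypothetical, and the sample body is constructed by shortening the dump shown in the question.

```php
<?php
declare(strict_types=1);

// Added example: unwrap "var <name> = <json>;" and decode only the JSON part.
// unwrap_js_assignment() is a hypothetical helper name, not a PHP built-in.
function unwrap_js_assignment(string $body): array
{
    // Match the whole document: "var", an identifier, "=", the payload, an optional ";".
    $pattern = '/\A\s*var\s+[A-Za-z_$][\w$]*\s*=\s*(.+?)\s*;?\s*\z/s';
    // Without the wrapper the body is passed to the decoder unchanged.
    $json = preg_match($pattern, $body, $m) === 1 ? $m[1] : $body;

    // The wrapper is handled as text and never executed; the payload must be strict JSON.
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $data;
}

// Constructed sample, shortened from the dump in the question.
$body = 'var zohoappview55 = {"Borrowers":[{"Full_Name":"Mike Smith","Position":"Borrower"},'
      . '{"Full_Name":"Stacy Smith","Position":"Co-Borrower"}]};';

try {
    foreach (unwrap_js_assignment($body)['Borrowers'] as $borrower) {
        echo $borrower['Full_Name'], ' (', $borrower['Position'], ')', PHP_EOL;
    }
    // Anything that is not valid JSON after unwrapping is rejected.
    unwrap_js_assignment('var x = {Borrowers: []};');
} catch (JsonException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```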

Using HTMLSPECIALCHARS on JSON results - needed?

I have an API which sends data to a javascript which then throws the response into some input fields.
I wonder if I need to use htmlspecialchars on the json_encode? Like so:
json_encode(
    array(
        'some_text' => htmlspecialchars('Some special & characters'),
        'maybe_html' => htmlspecialchars('some <b>html</b>'),
        'etc' => htmlspecialchars('yo')
    )
);
Certainly not. HTML entities make no difference or sense within JSON, and if the result is processed by Javascript and inserted into the document via the DOM API via appropriate methods, then escaping is not needed there either. Escaping should be done when data comes in contact with a specific output medium. Here the data must be correctly encoded as JSON (which json_encode does), HTML is nowhere to be found here. If anything, HTML escaping should be done in Javascript because it's closer to the HTML, but again, it's unnecessary since Javascript interacts with the DOM API and not HTML.
See The Great Escapism (Or: What You Need To Know To Work With Text Within Text)
Depends on what you're doing with the string data.
What is important is the correct header for the content type.
header('Content-type: application/json');

Not using & when POSTing to php

I'm building a very AJAX site which means posting a lot of information to the server, sometimes typed by a user.
This is how I'm posting things:
xmlhttp.open("POST", 'somepage.php' ,true);
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xmlhttp.send('post=stuuf I want to send');
An example of my problem is this, someone types FOO BAR as their name which would post firstName=FOO&lastName=BAR
which in php gets you $_POST['firstName'] is FOO and $_POST['lastName'] is BAR
but if someone types the name FOO&BAR SMITH it would post like this firstName=FOO&BAR&lastName=SMITH
which in php gets you $_POST['firstName'] is FOO and $_POST['BAR'] which has no value and this starts to fall apart. It means I have to replace & in everything that is posted and I'm finding it annoying.
Is there a way to tell php to ignore any &, and just send one big string? When I need to send multiple values I was planning to break them up with an '_'. I could then replace any user typed _ with &#95 and never have to worry about it again.
Could this be done in .htaccess or if not then in the php file itself?
Thanks for any help
Don't do this on the PHP end... send a proper HTTP request! You are mangling all of your data client-side. If you're sending URL encoded data, send it URL encoded.
No, but you absolutely must escape your data before using it as a string inside the ajax request.
You should encode the data you want to send using encodeURI or encodeURIComponent. That way you can send whatever characters you want.
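The parsing behaviour described in the question, and the effect of the encoding the answers recommend, as an added example that is not part of the original posts. PHP's parse_str() stands in for the parsing that fills $_POST, rawurlencode() stands in for the browser's encodeURIComponent(), and decode_form() is a hypothetical helper; the third case goes slightly beyond the question to show a value that was encoded twice.

```php
<?php
declare(strict_types=1);

// Added example: how a form-encoded body is split, using the names from the question.
// decode_form() is a hypothetical helper that stands in for the parsing behind $_POST.
function decode_form(string $body): array
{
    parse_str($body, $fields);
    return $fields;
}

$first = 'FOO&BAR';
$last  = 'SMITH';

$bodies = [
    // 1. Plain concatenation: the "&" inside the value is read as a field separator.
    'unencoded'     => 'firstName=' . $first . '&lastName=' . $last,
    // 2. Each value percent-encoded exactly once before it is placed in the body.
    'encoded once'  => 'firstName=' . rawurlencode($first) . '&lastName=' . rawurlencode($last),
    // 3. A value encoded twice: the single decode on the server leaves %26 behind.
    'encoded twice' => 'firstName=' . rawurlencode(rawurlencode($first)) . '&lastName=' . rawurlencode($last),
];

foreach ($bodies as $label => $body) {
    echo $label, ': ', $body, PHP_EOL;
    echo '  parsed: ', json_encode(decode_form($body)), PHP_EOL;
}
```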

Posting JSON from hidden form field

I am intercepting a form post using jQuery. With the form fields I am creating a JSON object which is stored in a hidden form field. The value that is passed in to the form field is similar to the following:
{"Status" : "Closed", "Location" : "Glasgow", "Date" : "2012-02-15"}
But if I echo the object from the $_POST variable:
echo $_POST['JSON'];
It outputs the following:
{\"Status\" : \"Closed\", \"Location\" : \"Glasgow\", \"Date\" : \"2012-02-15\"}
I have tried running this through stripslashes() and urldecode() but I have had no joy. I understand that I could just replace the backslashes with a replace function but that's a bit too much of a hack.
Has anyone come across this malformed JSON across post before?
Note: This is on the back end of a Wordpress site. I am unsure if that would cause this effect.
Looks like your server has magic_quotes_gpc 'on'. (http://www.php.net/manual/en/security.magicquotes.what.php)
I came across the same problem once and all I did was use JSON.stringify() to store it as a "String" in my hidden field and read the output with the jquery.parseJSON() method. Maybe this helps you! With stringify you can also define a replacer for your JSON object.
var myJSONText = JSON.stringify(myObject, replacer);
http://www.json.org/js.html
http://api.jquery.com/jQuery.parseJSON/
Although my English is not good, I see it is an issue with JSON in PHP; you can use json_decode, and it can be transformed into an array.
Another possibility you have is to url-encode with encodeURIComponent() in javascript your json object and urldecode() in php the received object.
Be aware that encodeURIComponent() in js is not exactly the same as urlencode() in php and similarly decodeURIComponent() is not the same as urldecode(), but in most cases encoding in js and decoding in php and vice-versa works well.

PHP form auto escaping posted data?

I have an HTML form POSTing to a PHP page.
I can read in the data using the $_POST variable on the PHP.
However, all the data seems to be escaped.
So, for example
a comma (,) = %2C
a colon (:) = %3a
a slash (/) = %2
so things like a simple URL of such as http://example.com get POSTed as http%3A%2F%2Fexample.com
Any ideas as to what is happening?
Actually you want urldecode. %xx is a URL encoding, not an HTML encoding. The real question is why you are getting these codes. PHP usually decodes the URL for you as it parses the request into the $_GET and $_REQUEST variables. POSTed forms should not be urlencoded. Can you show us some of the code generating the form? Maybe your form is being encoded on the way out for some reason.
See the warning on this page: http://us2.php.net/manual/en/function.urldecode.php
Here is a simple PHP loop to decode all POST vars
foreach ($_POST as $key => $value) {
    $_POST[$key] = urldecode($value);
}
You can then access them as per normal, but properly decoded. I, however, would use a different array to store them, as I don't like to pollute the super globals (I believe they should always have the exact data in them as by PHP).
This shouldn't be happening, and though you can fix it by manually urldecode()ing, you will probably be hiding a basic bug elsewhere that might come round to bite you later.
Although when you POST a form using the default content-type ‘application/x-www-form-encoded’, the values inside it are URL-encoded (%xx), PHP undoes that for you when it makes values available in the $_POST[] array.
If you are still getting unwanted %xx sequences afterwards, there must be another layer of manual URL-encoding going on that shouldn't be there. You need to find where that is. If it's a hidden field, maybe the page that generates it is accidentally encoding it using urlencode() instead of htmlspecialchars(), or something? Putting some example code online might help us find out.
