I have been searching for a way to specify the cookie data for CURL. I have found some solutions on how to save the cookies from a visited page, but that's not what I need. What I want is to write the data for the cookie myself, so CURL uses it.
You can use curl_setopt with the CURLOPT_COOKIE constant:
<?php
// create a new cURL resource
$ch = curl_init();
// cookies to be sent
curl_setopt($ch, CURLOPT_COOKIE, "fruit=apple; colour=red");
You really should read the documentation - it's listed with exactly the keywords you'd expect and contains a lot of helpful info:
-b, --cookie
(HTTP) Pass the data to the HTTP server as a cookie. It is supposedly
the data previously received from the server in a "Set-Cookie:" line.
The data should be in the format "NAME1=VALUE1; NAME2=VALUE2".
If no '=' symbol is used in the line, it is treated as a filename to
use to read previously stored cookie lines from, which should be used
in this session if they match. Using this method also activates the
"cookie parser" which will make curl record incoming cookies too,
which may be handy if you're using this in combination with the -L,
--location option. The file format of the file to read cookies from
should be plain HTTP headers or the Netscape/Mozilla cookie file
format.
NOTE that the file specified with -b, --cookie is only used as input.
No cookies will be stored in the file. To store cookies, use the -c,
--cookie-jar option or you could even save the HTTP headers to a file
using -D, --dump-header!
If this option is set more than once, the last one will be the one
that's used.
cURL can use a cookie file in Netscape format. Just create such a file yourself and use it as the CURLOPT_COOKIEFILE option.
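A hand-written cookie file of the kind this answer describes, as an added example that is not part of the original posts. The function name `write_cookie_jar` and the sample values are assumptions made for illustration; the column order is the seven tab-separated fields of the Netscape format.

```shell
# Added example: build a private Netscape-format cookie file for `curl -b`.
# Columns: host, subdomain flag, path, secure flag, expiry (epoch), name, value.

# Usage: write_cookie_jar HOST PATH TRUE|FALSE EXPIRY NAME VALUE
# Prints the new file's path; returns non-zero on bad input.
write_cookie_jar() {
    local host path secure expiry name value field flag jar tab nl cr
    host=$1 path=$2 secure=$3 expiry=$4 name=$5 value=$6
    tab=$(printf '\t') cr=$(printf '\r') nl='
'
    # A tab or line break inside a field would shift columns or smuggle in
    # an extra cookie line, so reject them before writing anything.
    for field in "$host" "$path" "$name" "$value"; do
        case $field in
            *"$tab"*|*"$nl"*|*"$cr"*)
                echo "control character in field" >&2; return 1 ;;
        esac
    done
    case $secure in
        TRUE|FALSE) ;;
        *) echo "secure flag must be TRUE or FALSE" >&2; return 1 ;;
    esac
    case $expiry in
        ''|*[!0-9]*) echo "expiry must be epoch seconds" >&2; return 1 ;;
    esac
    [ -n "$name" ] || { echo "cookie name required" >&2; return 1; }

    # A leading dot on the host means the cookie also applies to subdomains.
    case $host in .*) flag=TRUE ;; *) flag=FALSE ;; esac

    # mktemp gives an unpredictable name and owner-only permissions, so
    # concurrent runs never share a file and other local users cannot read it.
    jar=$(mktemp "${TMPDIR:-/tmp}/curl-cookies.XXXXXX") || return 1
    {
        printf '# Netscape HTTP Cookie File\n'
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
            "$host" "$flag" "$path" "$secure" "$expiry" "$name" "$value"
    } > "$jar"
    printf '%s\n' "$jar"
}

# Constructed sample values; example.com is a placeholder host:
#   jar=$(write_cookie_jar example.com / FALSE 2147483647 fruit apple)
#   curl -b "$jar" http://example.com/ ; rm -f "$jar"
```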
So our website unfortunately got hacked.
They created a file in our wp-admin directory called wp-update.php containing this code:
<?php #eval($_SERVER['HTTP_4CD44849DA572F7C']); ?>
My question is how can the hacker pass in his script using $_SERVER?
Yes, a hacker can send data into $_SERVER: it contains HTTP headers (cf. the documentation). With a simple curl command you can inject data.
curl -H '4CD44849DA572F7C: echo "hello from server";' http://example.com
Properties of the $_SERVER superglobal with names starting with HTTP_ are just representations of the HTTP request headers.
Since request headers are completely under the control of whoever is making the request, it is trivial to insert data there.
Any HTTP client will let the attacker specify whatever headers they like. An example in cURL's command line client would look like:
curl -H "4CD44849DA572F7C: code goes here" http://example.com/your-hacked.php
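To find other files of the same shape as the wp-update.php quoted in the question, the scan below lists PHP files that pass request data directly to a code or command execution function. It is an added example, not part of the original posts, and it goes beyond the one case shown by also covering other sinks and superglobals; the function names `scan_request_eval` and `header_names_read` and the path in the usage comment are assumptions.

```shell
# Added example: find PHP files that feed request data straight into a code
# or command execution function, like the wp-update.php quoted above.

# Usage: scan_request_eval DIR
# Prints "file:line:text" per hit; exit status 1 means nothing matched.
scan_request_eval() {
    local sinks sources
    sinks='(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)'
    sources='\$_(SERVER|REQUEST|GET|POST|COOKIE)'
    # (^|[^[:alnum:]_]) stops names such as curl_exec( from matching "exec(".
    # [^;]* keeps the sink and the source inside one statement.
    # Commented-out calls are reported too, so they get reviewed.
    grep -rEn --include='*.php' --include='*.phtml' --include='*.inc' \
        "(^|[^[:alnum:]_])${sinks}[[:space:]]*\\([^;]*${sources}" "$1"
}

# Usage: header_names_read FILE
# Prints the request header names behind every HTTP_* token in FILE
# (HTTP_X_FOO -> X-FOO). Loose on purpose: any HTTP_ token is listed.
header_names_read() {
    grep -ohE 'HTTP_[A-Z0-9_]+' "$1" | sed 's/^HTTP_//' | tr '_' '-' | sort -u
}

# Typical use (the path is a placeholder for your web root):
#   scan_request_eval /path/to/webroot
#   header_names_read /path/to/webroot/wp-admin/wp-update.php
```

A hit is a lead for manual review, not proof of compromise; the header name it yields is what to search for in any proxy or WAF logs that record request headers.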
How can I send the filename to an apache server if I'm using curl with
curl_setopt($ch, CURLOPT_PUT, 1);
One solution was to send the filename using the URL.
- there are several problems with this
- the biggest problem is that the URL can be invalid, containing white spaces for example, so I can't validate the filename in any way
CURLOPT_PUT (boolean) If true, sets
the cURL session to perform an HTTP
PUT operation. Information about the
file to be sent is set with
CURLOPT_INFILE and CURLOPT_INFILESIZE.
And if you mean the resulting filename on the server, that would be
CURLOPT_URL (string) Sets the URL of
the remote resource to which to
connect. Overrides any value given
directly to curl_init().
You have to configure apache to handle PUT Requests.
I'm using CURLOPT_COOKIEJAR to store cookies to a file and CURLOPT_COOKIEFILE to retrieve them from the file.
What I'm wondering is what happens when multiple users are accessing the script at the same time - won't it mess up the contents of the cookie file? Also, how do I manage the cookie files so that it's possible to have multiple users at the same time?
CURLOPT_COOKIEJAR and CURLOPT_COOKIEFILE are just utilities for handling cookies in a file, like a web browser.
And it's not recommended for your case.
But you can play directly with http headers to set and retrieve cookies.
For setting your cookies
<?php
curl_setopt($ch, CURLOPT_COOKIE, 'user=xxxxxxxx-xxxxxxxx');
?>
For retrieving cookies, just identify the headers that start with Set-Cookie:
You can check this document to understand how cookie headers work: http://curl.haxx.se/rfc/cookie_spec.html
Usage example, quick and dirty, but definitely not standard.
With these headers
<?php
$header_blob = '
Set-Cookie: PART_NUMBER=ROCKET_LAUNCHER_0001; path=/
Set-Cookie: PART_NUMBER=RIDING_ROCKET_0023; path=/ammo
';
Extract cookie headers
$cookies = array();
if (preg_match_all('/Set-Cookie:\s*(?P<cookies>.+?);/i', $header_blob, $matches)) {
    foreach ($matches['cookies'] as $cookie) {
        $cookies[] = $cookie;
    }
    $cookies = array_unique($cookies);
}
var_dump($cookies);
Resend cookies
$cookie_blob = implode('; ', $cookies);
var_dump($cookie_blob);
You'll need to specify a different file for each execution of the script, otherwise you'll have issues with the file being overwritten, etc. as you suggest.
You might want to have a look at the tempnam (example below) as a means of generating the unique file, or simply use uniqid, etc. and create the file yourself.
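<?php
session_start();
// Reuse this session's cookie file if one was already created; otherwise
// create a new uniquely named file in the system temp directory.
$cookieFilePath = !empty($_SESSION['cookiefilepath'])
    ? $_SESSION['cookiefilepath']
    : tempnam(sys_get_temp_dir(), session_id().'_cookie_');
$_SESSION['cookiefilepath'] = $cookieFilePath;
// ...
curl_setopt($curlSession, CURLOPT_COOKIEFILE, $cookieFilePath);
// ...
?>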
That said, you'll need to ensure that you remove these files once they're no longer required. (If this isn't within the lifetime of your script, you might want to periodically execute a tidy-up script via cron that uses filemtime or similar.)
Incidentally, you can simply provide a full path to the file you want to use - it doesn't have to be in the same directory that the script is in, despite what is said in the existing Can someone explain CURL cookie handling (PHP)? question.
Multiple requests will overwrite the same file (but will probably also slow all other requests execution down due to file locking).
You could incorporate the session_id() into the cookie file name so you'll have one cookie file for every client session. I'd also recommend storing the files in something like sys_get_temp_dir().
Something like:
$cookieFile = sys_get_temp_dir().DIRECTORY_SEPARATOR.session_id().'-cookies.txt';
Should work fine for that.
I'm not sure if I'm asking this properly.
I have two PHP pages located on the same server. The first PHP page sets a cookie with an expiration and the second one checks to see if that cookie was set. If it is set, it returns "on". If it isn't set, it returns "off".
If I just run the pages like
"www.example.com/set_cookie.php"
AND
"www.example.com/is_cookie_set.php"
I get an "on" from is_cookie_set.php.
Here's the problem: on the set_cookie.php file I have a function called is_set. This function executes the following cURL and returns the contents ("on" or "off"). Unfortunately, the contents are always returned as "off". However, if I check the file manually ("www.example.com/is_cookie_set.php") I can see that the cookie was set.
Here's the function:
<?php
function is_set()
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'http://example.com/is_cookie_set.php');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $contents = curl_exec($ch);
    curl_close($ch);
    echo $contents;
}
?>
Please note, I'm not using cURL to GET or SET cookies, only to check a page that checks if the cookie was set.
I've looked into CURLOPT_COOKIEJAR, and CURLOPT_COOKIEFILE, but I believe those are for setting cookies via cURL and I don't want to do this.
I believe you are making a confusion. When you are using curl, PHP will go to the trouble of acting like a client (like a browser maybe), and make that request for you. That is, the cookies that curl checks for have nothing to do with the cookies in your current browser. I think.
I'm not entirely sure what you are trying to do here but you are aware, as nc3b already states, that in your is_set() function, it's PHP acting as the client and not your browser, right? That means that your cookie test will always fail (= return with no cookies).
Cookies are stored by the client and sent along with every request to the server.
If you want to find out in PHP whether a cookie has been set - of course, you need to be on the same domain as the cookie for that - you can use plain if (isset($_COOKIE["cookiename"])).
Maybe you are trying to build a solution to query for a cookie on a remote host. For that, see this SO question:
Cross domain cookies
Curl acts like your browser as an HTTP client.
If configured, they both receive and store cookies, but they are in no way related.
Curl doesn't use the browser cookies. If you want to use your browser cookies, you have to use the --cookie option switch. See the manpage for details: http://curl.haxx.se/docs/manpage.html
For example Firefox stores them in a file called cookies.txt.
Under Linux it's located under ~/.mozilla/firefox/$profilefolder/cookies.txt
Hint: If you use Firefox >= 3.0 the cookies are stored in a sqlite database. If you want to use them with curl, you have to extract a cookies.txt file by yourself.
Here are some examples of how to do that:
http://roshan.info/blog/2010/03/14/using-firefox-30-cookies-with-wgetcurl/
http://slacy.com/blog/2010/02/using-cookies-sqlite-in-wget-or-curl/
sqlite3 -separator $'\t' cookies.sqlite \
'select host, "TRUE", path, case isSecure when 0 then "FALSE" else "TRUE" end, expiry, name, value from moz_cookies' > cookies.txt
Is it possible to 'translate' headers from this firefox extension into server side script?
edit:
I'm trying to SEND headers, not retrieve them. I performed some actions in the browser and I want them to be automatically repeated (with a few changes) by a server-side script.
You can use PHP's header() function to send headers to the user's browser.
If you're making HTTP requests to other sites from your server, use cURL's curl_setopt function to set the CURLOPT_HTTPHEADER option - you can provide an array of headers to pass along with your request.
Consider print_r(apache_request_headers());
PHP Manual: apache_request_headers()
Here is an example and its source code.
Use the cURL functions for your request and use curl_setopt:
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Referer: http://www.example.com/'));