How is it possible for client browser data to be saved in an array in PHP?
PHP runs on the server side, so I don't understand how it has access to information about the client's browser.
User agent data is usually sent with every HTTP requests, in the User-Agent HTTP header field. You might want to read up on HTTP message formats in general. For example, this is part of the HTTP request that my browser sent to load jQuery on this very page:
GET http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
If-Modified-Since: Fri, 01 Apr 2011 21:23:55 GMT
Accept-Charset: UTF-8,*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
PHP reads the client browser data that you're asking about from the User-Agent header field.
The client sends data to the server which the server uses to build the array (I'm assuming you're talking about $_GET, $_POST, $_SERVER, etc.)
You will find it here
$_SERVER['HTTP_USER_AGENT']
You may need to parse this by regex to get the browser name and version separately.
$_REQUEST
An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE.
The data is submited by the browser when a new page is requested, PHP just puts it into an array for your convenience.
You should start by reading a bit about HTTP (GET and POST to begin with), and HTTP headers.
Related
If a logged in user navigates to a certain area of the site which is to use WebSockets, How can I grab that session Id so I can identify him on the server?
My server is basically an endless while loop which holds information about all connected users and stuff, so in order to grab that id I figured the only suitable moment is at the handshake, but unfortunately the handshake's request headers contain no cookie data:
Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive, Upgrade
DNT: 1
Host: 192.168.1.2:9300
Origin: http://localhost
Pragma: no-cache
Sec-WebSocket-Key: 5C7zarsxeh1kdcAIdjQezg==
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:27.0) Gecko/20100101 Firefox/27.0
So how can I really grab that id? I thought I could somehow force javascript to send cookie data along with that request but any self-respecting website in 2014 will have httpOnly session cookies so that wont work out. Any help is greatly appreciated!
Here's a link for the server I'm using: https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/class.PHPWebSocket.php (thanks to accepted answer)
http only cookies as well as secure cookies work fine with websocket.
Some websocket modules have chosen to ignore cookies in the request, so you need to read the specs of the module.
Try: websocket node: https://github.com/Worlize/WebSocket-Node.
Make sure to use the secure websocket protocol as wss://xyz.com
Update:
Also, chrome will not show the cookies in the "inspect element" Network tab.
In node try dumping the request, something like:
wsServer.on('request', function(request) {
console.log(request);
console.log(request.cookies); // works in websocket node
}
If you see the cookies somewhere in the log...you've got it.
If you're using secure-only cookies, you need to be in secure web sockets: wss://
Update2:
The cookies are passed in the initial request. Chrome does not show it (all the time) as sometimes it shows provisional headers which omits cookie information.
It is up to the websocket server to do 'something' with the cookies and attach them to each request.
Looking at the code of your server: https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/class.PHPWebSocket.php I do not see the word "cookie" anywhere, so it is not being nicely packaged and attached to each websocket connection. I could be wrong, that's why you might want to contact the developer and see if the whole header is being attached to each connection and how to access it.
This I can say for certain: If you're using secure cookies then cookies will not be transmitted unless you use the secure websocket wss://mysite.com. Plain ws://mysite.com will not work.
Also, cookies will only be transmitted in the request if the domain is the same as the webpage.
I'm working through a security assessment report on a php app generated by Accunetix.
The report is claiming a SQL Injection vulnerability. The app is PHP with MySQL. Here's the headers it says are making the attack (specifically the accept-language header):
GET /user_login.php HTTP/1.1
user-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
accept-language: 1;select pg_sleep(1); --
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=35kno6h8kmkbin973q02gojp82; uniqueuser=1382404387
Host: xxx.xxx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
I haven't found "accept-language" or "accept_language" anywhere in the app. Also, pg_sleep() isn't a MySQL function.
I searched for a known vulnerability in PHP and didn't find anything. Is this a false positive, or am I missing something?
Accept-Language is the request header sent by client's browser.
Accunetix were trying to manipulate these headers by injecting malicious code to find security wholes (imitating hackers) to test if you application is vulnerable to them.
If you haven't used accept-language header, or request headers in your DB queries, then probably it is a false positive. To make sure, see the response of that request, if the response is normal, then it is all OK.
The code will probably treat that header as a source for selecting the language, an that is done via a database query. And when generating the query, the contents of the HTTP header are improperly parsed.
The reason for you not seeing this might be because the fetching of the HTTP headers is done indirectly (like in $_SERVER[$language_header]).
I haven't understand data transfer to the server completely. Which ways do I have? When I started learning PHP, I thought there are two ways called GET which encrypts data in the URL and POST which sends data in another way to the server. I didn't know where exactly, though.
Now I want to learn about RESTful server backends, and I learned that GET and POST are just request methods, among others like PUT and DELETE, which doesn't seem to have anything to do with how data is transferred to the server.
Moreover, I read that additional data can be sent in the HTTP header. Is this how POST actually sends its data or is there even a difference?
I would like to either read POST data regardless of the request method using PHP's $_POST array, but this doesn't work. On the other hand, when I try to manually parse the header information from php://input, I cannot see POST data. Could someone please explain to me where data is transferred in the different cases?
My goal is to get parameters from the client regardless of content type, which may be form-data, json or something other, and request method. How can I do this in PHP? Requests will be sent using JQuery's AJAX functionality.
To explain how does http work using nc
http://linux.die.net/man/1/nc
GET
$ nc -l 8888 to start a dummy server listen at 8888
send a GET request using jQuery (impl via XHR)
$.get("http://localhost:8888", { a :1 ,b: 2})
nc would print what XHR sent to server to stdout
$nc -l 8888
GET /?a=1&b=2&_=1383234919249 HTTP/1.1
Host: localhost:8888
Connection: keep-alive
Accept: */*
Origin: http://stackoverflow.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
DNT: 1
Referer: http://stackoverflow.com/questions/19710815/understanding-how-xmlhttprequest-sends-data-to-a-server
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
thus, PHP parse GET /?a=1&b=2&_=1383234919249 into $_GET
POST
using nc to recording POST
POST / HTTP/1.1
Host: localhost:8888
Connection: keep-alive
Content-Length: 7
Accept: */*
Origin: http://stackoverflow.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://stackoverflow.com/questions/19710815/understanding-how-xmlhttprequest-sends-data-to-a-server
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
a=1&b=2
here you can see Content-Type: application/x-www-form-urlencoded
,which tell the http body sent by browser is form encoded
as a result, PHP parse a=1&b=2 in to array $_POST
WHY php://input can't see POST BODY
according to http://php.net/manual/en/wrappers.php.php
php://input is a stream and can be read only once
below is from php doc
Note: A stream opened with php://input can only be read once; the
stream does not support seek operations. However, depending on the
SAPI implementation, it may be possible to open another php://input
stream and restart reading. This is only possible if the request body
data has been saved. Typically, this is the case for POST requests,
but not other request methods, such as PUT or PROPFIND.
I am looking to put together a website that displays the full HTTP Request Headers and HTTP Response Headers for the loading of the page itself. For instance. If someone browses to http://example.com/index.php , I want the following to display:
HTTP Request
GET /index.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
HTTP Response
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2011 10:20:46 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 1169
Connection: close
Content-Type: text/html; charset=UTF-8
We were able to get the Request header to display fairly simply using the following PHP code:
print $_SERVER['REQUEST_METHOD']." ".$_SERVER['REQUEST_URI']." ".$_SERVER['SERVER_PROTOCOL']."<br>";
foreach (apache_request_headers() as $name => $value)
echo "$name: $value<br>";
But are having some difficulties with the HTTP Response header. Anyone have any ideas of how we can do this? It does not have to be PHP if you have a method that works in Perle or CGI or whatever.
To be clear, I don't mean to set the HTTP Response to anything specific, only display the response served by the web server to load the page.
You want to use headers_list()
http://www.php.net/manual/en/function.headers-list.php
headers_list() will return a list of headers to be sent to the browser / client. To determine whether or not these headers have been sent yet, use headers_sent().
Well here is the issue, the response header is generated after the PHP (or any server-side language for that matter) has already completed its job.
To put it in english its like the post man handing you a letter and you asking him to explain how the process of handing you the letter went. He will probably just look at you dumb.
You will need a client-side language (ie. JavaScript) to perform this task.
Use PHP to get the headers sent to the web Server.
http://www.php.net/manual/en/function.apache-request-headers.php
Use JavaScript to get headers sent by the web server. I would suggest using jQuery for that.
http://api.jquery.com/jQuery.ajax/#jqXHR
This way you are sure that you get all the headers which are either received by the web server or the browser.
Check out get_headers in PHP Manual
This is a two part question.
Q1: Can cURL based request 100% imitate a browser based request?
Q2: If yes, what all options should be set. If not what extra does the browser do that cannot bee imitated by cURL?
I have a website and I see thousands of request being made from a single IP in a very short time. These requests harvest all my data. When looked at the log to identify the agent used, it looks like a request from browser. So was curious to know if its a bot and not a user.
Thanks in advance
This page has all the answers to your questions. You can imitate the things mostly.
R1 : I suppose, if you set all the correct headers, that, yes, a curl-based request can imitate a browser-based one : after all, both send an HTTP request, which is just a couple of lines of text following a specific convention (namely, the HTTP RFC)
R2 : The best way to answer that question is to take a look at what your browser is sending ; with Firefox, for instance, you can use either Firebug or LiveHTTPHeaders to get that.
For instance, to get this page, Firefox sent those request headers :
GET /questions/1926876/can-a-curl-based-http-request-imitate-a-browser-based-request-completely HTTP/1.1
Host: stackoverflow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://stackoverflow.com/questions/1926876/can-a-curl-based-http-request-imitate-a-browser-based-request-completely/1926889
Cookie: .......
Cache-Control: max-age=0
(I Just removed a couple of informations -- but you get the idea ;-) )
Using curl, you can work with curl_setopt to set the HTTP headers ; here, you'd probably have to use a combination of CURLOPT_HTTPHEADER, CURLOPT_COOKIE, CURLOPT_USERAGENT, ...