Is it possible to automatically submit a php form - php

I have a website in which I have several PHP forms that I would like to fill out with auto-generated content (for the purposes of exercising different content the user could submit). I would like to write a client-side application that enables me to do so.
Is there any way of doing this, using webtoolkit, JavaScript, etc.?

If you are already familiar with php, why not use php on the "client side" as well? You can use the Client URL package to submit POST data to a web form. Example:
<?php
$ch = curl_init();
$data = array('name' => 'phpnoob', 'address' => 'somewhere');
curl_setopt($ch, CURLOPT_URL, 'http://localhost/url/to/your/php/form.php'); // use the URL that shows up in your <form action="...url..."> tag
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
?>

It would probably be better, more stable and more efficient to mock a submission by sending data directly into your application. PHPUnit is a great framework for unit testing PHP applications.
But yes, it would be possible to write a client side submission too. You could also write Selenium tests, which use JavaScript to interact with your page.

If you name your form using the id attribute, you can call the JavaScript function
document.myform.submit();
where myform is the name of that form.

You could have an onload event attached to the body element which would submit the forms automatically.
<body onload="document.getElementById('form1').submit();document.getElementById('form2').submit();">
<form id="form1" action="url" method="post">
</form>
<form id="form2" action="url" method="post">
</form>
</body>
Of course this would be completed better using jQuery or another API.

If you are a PHP programmer, then you might not want a JavaScript answer. The best solution to this is:
1. Use a proxy like Paros or HTTP Analyzer; they will give you insight into how the site's form is structured.
2. Note down the form's POST or GET values and their syntax from the HTTP analyzer or Paros proxy.
3. Read this tutorial; it is the best tutorial out there:
http://www.html-form-guide.com/php-form/php-form-submit.html
4. Change the content of $_POST or $_GET according to the structure you noted down in Paros or HTTP Analyzer.

Related

How to make redirect for API POST call request works exactly same like HTML POST request

Below is my code using curl and it's not really redirect like HTML form :
$curl = new \Curl\Curl();
$curl->setHeader('Content-Type', 'application/x-www-form-urlencoded');
$curl->setOpt(CURLOPT_FOLLOWLOCATION,true);
$curl->setOpt(CURLOPT_POST,true);
$curl->setOpt(CURLOPT_RETURNTRANSFER,true);
$curl->post('http://localpay.sample.test/make-payment',$params);
Hi guys, above is the sample code that I made using the PHP package curl/curl,
but don't worry, I'm looking forward to any answer; an answer using pure curl is fine, and any other answer is fine too, as long as it works with PHP.
What I'm trying to achieve is an API call that works exactly the same as an HTML form. Why do I want to achieve this? Because in the HTML form we need to click the submit button. I know JavaScript can do the trigger, but I'm trying to build my own package entirely in a back-end language.
I already tried searching for this question on the internet, but nothing was what I expected.
And below is my simple HTML form, and it does redirect to the desired URL:
<form id="payment_confirmation" action="http://localpay.sample.test/make-payment" method="post"/>
Payer ID : <input type="text" name="payer_acc_id"><br>
Payee ID : <input type="text" name="payer_acc_id"><br>
<input type="hidden" name="signature" value="somePhpFunction()">
<button type="submit" value="Submit"> Submit</button>
</form>
Above is the sample working HTML form, and it redirects to that action URL path, but with curl I fail to achieve it, so how do I achieve this using curl or any other way?
Setting the Content-Type header does not dictate which format curl will use to send the POST data. If you give CURLOPT_POSTFIELDS an array, then curl will send the data using the multipart/form-data format, regardless of what you put in the Content-Type header. Most likely your curl code sends the data in the multipart/form-data format and $params is an array, and because you tell the server this is application/x-www-form-urlencoded, the server tries to parse the multipart/form-data data as application/x-www-form-urlencoded (which is a completely incompatible format), and doesn't understand the data at all. If you want to convert an array of POST data to the application/x-www-form-urlencoded format, use the http_build_query function, e.g.
$curl->post('http://localpay.sample.test/make-payment',http_build_query($params));
I found the answer for POST redirect using curl:
$params = ['payee_id' => 1 , 'amount' => 300];
$curl = curl_init('http://someurl.com/silent/pay');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($params));
curl_exec($curl);
curl will follow the redirect for the POST method. If you guys want more explanation, go here.

Fake a $_POST via PHP

I'm all in a security funk right now so I'm going through making everything as secure as possible. I got a login going and I'm referencing this:
http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/
The first example is that of a login, and if you say ?authorization=1 you get in. But if I wrap my code in an if($_POST), then the user MUST make a post. Can a user fake a $_POST? How do I go about faking a $_POST?
A user can simply create a file on their local machine with:
<form action="http://yoursite.com/login.php" method="post">
<input type="text" name="username" value="hahaha faked it!" />
<input type="text" name="password" value="hee hee you can't tell this is fake" />
<input type="submit">
</form>
and boom, "fake" post. In other words, you have to assume that anything and everything the user sends is potentially fake.
Two ways, make a curl request, or actually set the post variable on top of the php. E.g:
$_POST['var'] = "WHAT I WANT";
Yes they can.
With cURL and other HTTP clients, anybody can fake this.
Watch this
<form method="post" action="http://yoursite/index.php">
<input type="text" name="authorization" value="1" /><input type="submit">
</form>
Then the user saves this as .html on their computer, opens it in their browser, and posts the form.
You can use cURL in PHP to POST like so:
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch,CURLOPT_POST, 1);
curl_exec($ch);
curl_close($ch);
The $_POST superglobal variable is populated from the query string that's contained in the body of an HTTP POST request. Since the user/client is the one who initiates the HTTP (POST & others) requests to the HTTP server, then yes - the client can "fake" a $_POST array's values & keys.
Refer:
POST (HTTP) # wikipedia.org
Methods GET and POST in HTML forms - what's the difference?
Tamper Data - Firefox add-on # addons.mozilla.org
On whatever page the HTML is, do this as the very first thing.
<?php
session_start();
/** Generate a random number from the CSPRNG (rand() output is predictable) */
$wipit = random_int(0, 999999999);
/** Store the WIPIT generator's value in the SESSION */
$_SESSION["WIPIT"] = $wipit;
?>
And do this in whatever page you are doing the POSTING validation and other things.
<?php
session_start();
/** Check for the REQUEST TYPE and SESSION WIPIT */
if( isset($_SERVER['REQUEST_METHOD']) and $_SERVER['REQUEST_METHOD'] == "POST" and isset($_SESSION["WIPIT"]) and !empty($_SESSION["WIPIT"]) ){
/* Rest of your code goes here... */
}
?>
...yes a user can "fake" a post (whatever that means). Try tamper data on for size.
If your website has the problem of not escaping all text properly, it is an XSS weakness that can be exploited by a third party by injecting a (JavaScript) script into the page, which can use AJAX to send POST requests with the user's cookies and authority, with the least bad effect being that it could, for example, log out the user.
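The session-token idea from the answer above, carried through as an added example (not code from any of the answers): the token comes from a CSPRNG, is embedded in the form, and the handler compares the submitted copy against the session copy in constant time. csrf_issue() and csrf_check() are hypothetical helper names, and plain arrays stand in for $_SESSION and $_POST so the script runs from the command line.

```php
<?php
// Added example, not code from the answers. csrf_issue() and csrf_check() are
// hypothetical helpers; in a real page pass $_SESSION and $_POST after session_start().

function csrf_issue(array &$session): string
{
    // 32 bytes from the OS CSPRNG; rand() and mt_rand() output is predictable.
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function csrf_check(array &$session, string $method, array $post): bool
{
    $expected = $session['csrf'] ?? '';
    $supplied = $post['csrf'] ?? '';
    unset($session['csrf']);                  // single use, so a replayed body fails
    return $method === 'POST'
        && is_string($expected) && $expected !== ''
        && is_string($supplied)               // csrf[]=x arrives as an array
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed demo: plain arrays stand in for the superglobals.
$session = [];
$token = csrf_issue($session);
printf("<input type=\"hidden\" name=\"csrf\" value=\"%s\">\n", htmlspecialchars($token, ENT_QUOTES));

$post = ['csrf' => $token, 'username' => 'alice'];
var_dump(csrf_check($session, 'POST', $post));   // body from the form served to this session
var_dump(csrf_check($session, 'POST', $post));   // same body replayed
csrf_issue($session);
var_dump(csrf_check($session, 'POST', ['username' => 'alice']));     // forged request, no token
csrf_issue($session);
var_dump(csrf_check($session, 'GET', ['csrf' => $session['csrf']])); // right token, wrong method
```

A matching token only shows that the request came from a form served to this session; every field value is still client-controlled and needs validation and real authentication.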

How redirect user with all variables coming with POST

I have a html form with action="script1.php"
In script1 I need write all data to the database and redirect to
script2.php, but I need all parameters posted to script1 to be sent to script2.
mod_rewrite is on
How can I redirect using PHP with all the data that came through POST?
If I do it like this, it's a disgusting practice, but
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
<!--
function Search(){
wpc_form.submit();
}
// -->
</script>
</HEAD>
<BODY onload='Search()'>
<form name=wpc_form method="post" action="/script2/">
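<?php
// Escape both name and value: they come straight from the request and would
// otherwise be written into the page as raw HTML.
foreach($_REQUEST as $name => $value)
echo '<input type="hidden" name="'.htmlspecialchars($name, ENT_QUOTES).'" value="'.htmlspecialchars($value, ENT_QUOTES).'">';
?>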
</form>
Impossible.
But you don't need it. Because you have all this data already. Just read it from the database in script2.php
A redirect doesn't allow you to do this unless you have custom client-side code running in the browser to extract state from the response message body in order to populate your form fields. This is advanced usage and probably not what you really want to do.
If you really do need to transmit state between your forms then you can use the session to do this. The form in the browser won't have access to the data, but your PHP script running on the server can store values between requests. Here's a link to a tutorial on sessions in PHP which might be of use to you. This approach is often used for maintaining application state between requests and redirects to third-party services such as OpenID providers etc.
You can use the cURL library (or similar) to send a separate POST request from your local script to the external service.
// assemble data from your post here:
$data = array('formfield' => 'data', 'otherfield' => 'otherdata');
// and then send it off somewhere else
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://somewhere.else');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);

Make cURL behave exactly like form

I have a form on my site which sends data to some remote site - simple html form.
What I want to do is to use data user enters into form for statistical purposes.
So instead of sending data to the remote page, I send it first to my script, which resends it to the remote site.
The thing is I need it to behave in exact way the usual form would behave taking user to the remote site and displaying resources.
When I use this code it kinda works but not in the way I want it to:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $action);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$result = curl_exec($ch);
curl_close($ch);
Problem is that it displays response in the same script. For example if $action is for example:
somesite.com/processform.php and my script name is mysqcript.php it would display the response of "somesite.com/processform.php" inside "mysqcript.php" so all the relative links are not working.
How do I make it to send the user to "somesite.com/processform.php"? Same thing that pressing the button would do?
Leonti
I think you will have to do this on your end, as translating relative paths is the client's job. It should be simple: Just take the base directory of the request you made
http://otherdomain.com/my/request/path.php
and add it in front of every outgoing link that does not begin with "/" or a protocol ("http://", "ftp://").
Detecting all the outgoing links is hard, but I am 100% sure there are ready-made PHP classes that do that. Check for example this article and the getLinks() function in the user comments. I am not 100% sure whether this is what you need, but it certainly goes in the right direction.
Here are a couple of possible solutions, which I post separately so they don't get mixed up with the one I recommend:
1 - keep using cURL, parse the response and add a <base/> tag to it. It should work for pretty much everything on that page.
<base href="http://realsite.com/form_url.php" />
2 - do not alter the submit URL. Submit the form to the real URL, but capture its content using some Javascript library (YUI does that) and send it to your script via XHR. It's still kind of hacky though.
There are several ways to do that. Here's one of the easiest: just use a 307 redirect.
header('Location: http://realsite.com/form_url.php', true, 307);
You can do your logging and stuff either before or after header() but if you do it after calling header() you will need to start your script with
ignore_user_abort(true);
Note that browsers are supposed to notify the user that their form is being redirected.

serialize form to POST after getting content using CURL

I want to POST an URL using CURL and php.
There is a big form on webpage and I don't want to manually copy all the variables and put it in my POST request.
I am guessing there has to be a way to serialize the form automatically (using DOM or something) and then just change whatever values I need.
I could not google my way out of this one so I was wondering would anyone be kind enough to help.
So, is there any way to automatically serialize a form which is buried in a bunch of HTML content I just pulled from a URL?
Thanks for any help,
Andrew
$http = new HttpQueryString();
$http->set($_POST);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$http->get());
Requires PECL pecl_http >= 0.22.0
It's not too clear to me if you are asking how to get the form in the browser to the server or how to place the posted form in the curl request.
From php, assuming the form posted over, it would be as simple as:
curl_setopt($handle, CURLOPT_POSTFIELDS, $_POST);
though no data is validated that way.
From the web side, not sure why you would serialize the form using the DOM/Javascript, as opposed to just submitting it via a normal post?
Not sure what the question really is, but you're either wanting to do something like this:
$fields_string = http_build_query($data_to_send);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$fields_string);
or you need to look into this:
$html = file_get_html('http://www.thesite.com/thepage.html');
foreach($html->find('input') as $element)
echo $element->name . '<br>';
I don't understand the question. It sounds like you want to screen-scrape a form, fill it in, and then POST it back to the page you got it from. Is that right?
Edit in response to comment:
I'd recommend scraping the CURL'd HTML with a tool like Simple HTML DOM (that's what I use for scraping with PHP). The documentation for your library of choice will help you figure out how to identify the form fields. After that, you'll want to curl the form's action page, with the CURL_POST_FIELDS attribute set to the values you want to pass to the form, urlencode()'d of course.
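One way to do what the question asks, as an added example rather than code from any of the answers: parse the fetched HTML with PHP's DOM extension, collect the fields a browser would submit by default, override the ones under test, and encode the result. form_fields() and the sample markup are made up for illustration, and the helper assumes one value per field name.

```php
<?php
// Added example, not from the original answers. form_fields() is a hypothetical
// helper; $html is constructed sample input standing in for a fetched page.
function form_fields(string $html, string $formId): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // real pages are rarely valid markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    $xp = new DOMXPath($doc);
    $fields = [];
    foreach ($doc->getElementsByTagName('form') as $form) {
        if ($form->getAttribute('id') !== $formId) continue;
        foreach ($xp->query('.//input[@name] | .//select[@name] | .//textarea[@name]', $form) as $el) {
            if ($el->hasAttribute('disabled')) continue;
            $name = $el->getAttribute('name');
            if ($el->nodeName === 'select') {
                // A browser sends the selected option, or the first one if none is marked.
                $opt = $xp->query('.//option[@selected]', $el)->item(0)
                    ?? $xp->query('.//option', $el)->item(0);
                if ($opt === null) continue;
                $fields[$name] = $opt->hasAttribute('value') ? $opt->getAttribute('value') : trim($opt->textContent);
            } elseif ($el->nodeName === 'textarea') {
                $fields[$name] = $el->textContent;
            } else {
                $type = strtolower($el->getAttribute('type'));
                if (in_array($type, ['submit', 'button', 'reset', 'image', 'file'], true)) continue;
                $toggle = in_array($type, ['checkbox', 'radio'], true);
                if ($toggle && !$el->hasAttribute('checked')) continue;
                $fields[$name] = $el->hasAttribute('value') ? $el->getAttribute('value') : ($toggle ? 'on' : '');
            }
        }
    }
    return $fields;
}
$html = <<<'HTML'
<html><body><form id="order" action="/submit.php" method="post">
<input type="hidden" name="token" value="constructed-token">
<input type="text" name="qty" value="1">
<input type="checkbox" name="gift" value="yes">
<select name="size"><option value="s">S</option><option value="m" selected>M</option></select>
<textarea name="note">none</textarea>
<input type="submit" name="go" value="Send">
</form></body></html>
HTML;
$fields = form_fields($html, 'order');
$fields['qty'] = '3';                            // change only what the test needs
$body = http_build_query($fields);               // a string is sent as application/x-www-form-urlencoded
echo $body, "\n";
```

Pass $body (the string, not the array) to CURLOPT_POSTFIELDS. Hidden fields such as a per-session token are carried over unchanged, so the page fetch and the POST must share the same cookie jar for the token to be accepted.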
