POST without POSTing

on 01.10.2009 05:29:17 by Paul M Foster

I'm sure this has been covered before, but I'm not even sure how to
search in the archives for it.

I have a form that collects certain info via POST. It is re-entrant, so
when the user hits the "submit" button, it checks the input and does
whatever sanity checks it needs to. If all is okay, it must now pass
some of that info to another URL (offsite) via POST. Normally, the
information would be passed via a series of GET variables or SESSION
variables. But in this case the site the user is being directed to must
receive the information via POST.

I'm not sure how to do this. Please no exotic external libraries my
shared hosting provider doesn't include. RTFM will be fine; just tell me
which Fine Manual to Read.

Paul

--
Paul M. Foster

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: POST without POSTing

on 01.10.2009 05:36:55 by Daniel Brown

On Wed, Sep 30, 2009 at 23:29, Paul M Foster wrote:
>
> I'm not sure how to do this. Please no exotic external libraries my
> shared hosting provider doesn't include. RTFM will be fine; just tell me
> which Fine Manual to Read.

Nothing too exotic at all, Paul. Check out cURL:

http://php.net/curl

--

daniel.brown@parasane.net || danbrown@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

Re: POST without POSTing

on 01.10.2009 06:16:27 by Paul M Foster

On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:

> On Wed, Sep 30, 2009 at 23:29, Paul M Foster wrote:
> >
> > I'm not sure how to do this. Please no exotic external libraries my
> > shared hosting provider doesn't include. RTFM will be fine; just tell me
> > which Fine Manual to Read.
>
> Nothing too exotic at all, Paul. Check out cURL:
>
> http://php.net/curl

I was afraid you were going to say that, and I wasn't sure cURL was
supported on that server. But I just loaded phpinfo on that server, and
it is supported.

However, assuming it *wasn't*, I've found the following example from a
google search (thank goodness for google's "hinting" or I couldn't have
found it):

$fp = fsockopen("www.site.com", 80);
fputs($fp, "POST /script.php HTTP/1.0
Host: www.site.com
Content-Length: 7

q=proxy");

I don't know much about doing things this way. It appears that when done
this way, the "body" must be separated by a newline, just like email.
And it appears that the content-length of 7 indicates the length of the
"q=proxy" string. Assuming I piled on a few other passed variables the
same way as "q", separated by newlines (and adjusted the Content-Length
accordingly), would the above work? Are there liabilities to doing it
this way?

Paul

--
Paul M. Foster

Re: POST without POSTing

on 01.10.2009 06:24:41 by Daniel Brown

On Thu, Oct 1, 2009 at 00:16, Paul M Foster wrote:
>
> However, assuming it *wasn't*, I've found the following example from a
> google search (thank goodness for google's "hinting" or I couldn't have
> found it):
>
> $fp = fsockopen("www.site.com", 80);
> fputs($fp, "POST /script.php HTTP/1.0
> Host: www.site.com
> Content-Length: 7
>
> q=proxy");
>
> I don't know much about doing things this way. It appears that when done
> this way, the "body" must be separated by a newline, just like email.
> And it appears that the content-length of 7 indicates the length of the
> "q=proxy" string. Assuming I piled on a few other passed variables the
> same way as "q", separated by newlines (and adjusted the Content-Length
> accordingly), would the above work? Are there liabilities to doing it
> this way?

Yes. Hosts are more likely to have cURL installed and available
than fsockopen() or URL-based fopen() calls, so portability is greater
with cURL. It's also a bit faster. Still, as you know, there's
always more than one way to skin a cute, furry, delicious little
kitten.

--

daniel.brown@parasane.net || danbrown@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

Re: POST without POSTing

on 01.10.2009 06:31:04 by Lars Torben Wilson

On Thu, 1 Oct 2009 00:16:27 -0400
Paul M Foster wrote:

> On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:
>
> > On Wed, Sep 30, 2009 at 23:29, Paul M Foster
> > wrote:
> > >
> > > I'm not sure how to do this. Please no exotic external libraries
> > > my shared hosting provider doesn't include. RTFM will be fine;
> > > just tell me which Fine Manual to Read.
> >
> > Nothing too exotic at all, Paul. Check out cURL:
> >
> > http://php.net/curl
>
> I was afraid you were going to say that, and I wasn't sure cURL was
> supported on that server. But I just loaded phpinfo on that server,
> and it is supported.
>
> However, assuming it *wasn't*, I've found the following example from a
> google search (thank goodness for google's "hinting" or I couldn't
> have found it):
>
> $fp = fsockopen("www.site.com", 80);
> fputs($fp, "POST /script.php HTTP/1.0
> Host: www.site.com
> Content-Length: 7
>
> q=proxy");
>
> I don't know much about doing things this way. It appears that when
> done this way, the "body" must be separated by a newline, just like
> email. And it appears that the content-length of 7 indicates the
> length of the "q=proxy" string. Assuming I piled on a few other
> passed variables the same way as "q", separated by newlines (and
> adjusted the Content-Length accordingly), would the above work? Are
> there liabilities to doing it this way?
>
> Paul
>

Not separated by newlines; separated by ampersands. But otherwise,
that's just raw HTTP 1.1 protocol. cURL and other tools might look a bit
more complicated at first, but (assuming they're available) they do
shield you from the raw protocol a bit. No real liability to doing it
that way other than it's a bit more work.

http://developers.sun.com/mobility/midp/ttips/HTTPPost/


Regards,

Torben
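
The raw request discussed above, as an added example that is not part of the original thread: fields are joined with ampersands and percent-encoded, Content-Length is computed from the encoded body, and CR/LF is refused in anything that ends up in a header line. Host, path and field values are constructed placeholders; the ssl:// transport assumes PHP's openssl extension is loaded.

```php
<?php
// Added example, not code from the thread. Host, path and field values are
// constructed placeholders.

/** Build a raw HTTP/1.0 POST request with a form-encoded body. */
function build_post_request(string $host, string $path, array $fields): string
{
    // Refuse whitespace and control bytes (CR/LF included) in anything that
    // lands on the request line or in a header, so input cannot add lines.
    foreach ([$host, $path] as $part) {
        if ($part === '' || preg_match('/[\x00-\x20\x7f]/', $part)) {
            throw new InvalidArgumentException('invalid host or path');
        }
    }

    // Percent-encodes every name and value and joins the pairs with "&".
    $body = http_build_query($fields, '', '&');

    $headers = [
        "POST $path HTTP/1.0",
        "Host: $host",
        'Content-Type: application/x-www-form-urlencoded',
        'Content-Length: ' . strlen($body), // bytes in the encoded body
        'Connection: close',
    ];

    // Each header line ends in CRLF; an empty line separates headers and body.
    return implode("\r\n", $headers) . "\r\n\r\n" . $body;
}

/** Send the request; $tls switches from port 80 to ssl:// on port 443. */
function send_post(string $host, string $path, array $fields, bool $tls = true): string
{
    $request = build_post_request($host, $path, $fields);
    $target  = $tls ? "ssl://$host" : $host;
    $fp = fsockopen($target, $tls ? 443 : 80, $errno, $errstr, 10);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    stream_set_timeout($fp, 10);
    fwrite($fp, $request);
    $response = stream_get_contents($fp);
    fclose($fp);
    return $response === false ? '' : $response;
}

// Constructed input: the thread's q=proxy plus a value containing "&", "="
// and a CRLF, all of which must arrive encoded inside the body.
echo build_post_request('www.site.com', '/script.php', [
    'q'    => 'proxy',
    'note' => "a&b=c\r\nX-Injected: 1",
]), "\n";
```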

Re: POST without POSTing

on 01.10.2009 06:41:39 by Paul M Foster

On Thu, Oct 01, 2009 at 12:24:41AM -0400, Daniel Brown wrote:

> On Thu, Oct 1, 2009 at 00:16, Paul M Foster wrote:
> >
> > However, assuming it *wasn't*, I've found the following example from a
> > google search (thank goodness for google's "hinting" or I couldn't have
> > found it):
> >
> > $fp = fsockopen("www.site.com", 80);
> > fputs($fp, "POST /script.php HTTP/1.0
> > Host: www.site.com
> > Content-Length: 7
> >
> > q=proxy");
> >
> > I don't know much about doing things this way. It appears that when done
> > this way, the "body" must be separated by a newline, just like email.
> > And it appears that the content-length of 7 indicates the length of the
> > "q=proxy" string. Assuming I piled on a few other passed variables the
> > same way as "q", separated by newlines (and adjusted the Content-Length
> > accordingly), would the above work? Are there liabilities to doing it
> > this way?
>
> Yes. Hosts are more likely to have cURL installed and available
> than fsockopen() or URL-based fopen() calls, so portability is greater
> with cURL. It's also a bit faster. Still, as you know, there's
> always more than one way to skin a cute, furry, delicious little
> kitten.

fsockopen() appears to be part of the standard network functions in PHP,
like the header() function. Do you mean that many hosts support the
function (as part of PHP) but don't support its use with external hosts?
Is there a way to determine this support from looking at phpinfo()?

Paul

--
Paul M. Foster

Re: POST without POSTing

on 01.10.2009 06:58:18 by Daniel Brown

On Thu, Oct 1, 2009 at 00:41, Paul M Foster wrote:
>
> fsockopen() appears to be part of the standard network functions in PHP,
> like the header() function. Do you mean that many hosts support the
> function (as part of PHP) but don't support its use with external hosts?
> Is there a way to determine this support from looking at phpinfo()?

fsockopen() is a socket function, as the name suggests. Hosts can
disable the usage of sockets. In fact, check Google and you'll see
several folks complaining of their host having it disabled.

As for fopen(), there's a php.ini value `allow_url_fopen` that a
lot of hosts have set to 'no,' I'm sure with the intent to increase
security.... but when you can still use cURL and exec('wget'), it kind
of defeats the purpose.

--

daniel.brown@parasane.net || danbrown@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

Re: POST without POSTing

on 01.10.2009 07:16:39 by Lars Torben Wilson

On Thu, 1 Oct 2009 00:24:41 -0400
Daniel Brown wrote:

> On Thu, Oct 1, 2009 at 00:16, Paul M Foster
> wrote:
> >
> > However, assuming it *wasn't*, I've found the following example
> > from a google search (thank goodness for google's "hinting" or I
> > couldn't have found it):
> >
> > $fp = fsockopen("www.site.com", 80);
> > fputs($fp, "POST /script.php HTTP/1.0
> > Host: www.site.com
> > Content-Length: 7
> >
> > q=proxy");
> >
> > I don't know much about doing things this way. It appears that when
> > done this way, the "body" must be separated by a newline, just like
> > email. And it appears that the content-length of 7 indicates the
> > length of the "q=proxy" string. Assuming I piled on a few other
> > passed variables the same way as "q", separated by newlines (and
> > adjusted the Content-Length accordingly), would the above work? Are
> > there liabilities to doing it this way?
>
> Yes. Hosts are more likely to have cURL installed and available
> than fsockopen() or URL-based fopen() calls, so portability is greater
> with cURL. It's also a bit faster. Still, as you know, there's
> always more than one way to skin a cute, furry, delicious little
> kitten.
>

I stand corrected on that point--in that way, yes, it would be a
liability. Happily it's been so long since I've had to use that kind of
host that I don't usually consider that a problem. But yes, if you're
using free or low-end hosting then you might have to contend with that.
Ugly, but true.


Torben

Re: POST without POSTing

on 01.10.2009 15:14:54 by Tommy Pham

----- Original Message ----
> From: Daniel Brown
> To: Paul M Foster
> Cc: php-general@lists.php.net
> Sent: Wednesday, September 30, 2009 9:58:18 PM
> Subject: Re: [PHP] POST without POSTing
>
> On Thu, Oct 1, 2009 at 00:41, Paul M Foster wrote:
> >
> > fsockopen() appears to be part of the standard network functions in PHP,
> > like the header() function. Do you mean that many hosts support the
> > function (as part of PHP) but don't support its use with external hosts?
> > Is there a way to determine this support from looking at phpinfo()?
>
> fsockopen() is a socket function, as the name suggests. Hosts can
> disable the usage of sockets. In fact, check Google and you'll see
> several folks complaining of their host having it disabled.

If the service provider uses jails on *BSD, then sockets are definitely disabled for security reasons. They don't want you to hack into other people's jail(s) ;)

>
> As for fopen(), there's a php.ini value `allow_url_fopen` that a
> lot of hosts have set to 'no,' I'm sure with the intent to increase
> security.... but when you can still use cURL and exec('wget'), it kind
> of defeats the purpose.

Re: POST without POSTing

on 01.10.2009 18:12:22 by Kirk.Johnson

Paul M Foster wrote on 09/30/2009 09:29:17 PM:

> I have a form that collects certain info via POST. It is re-entrant, so
> when the user hits the "submit" button, it checks the input and does
> whatever sanity checks it needs to. If all is okay, it must now pass
> some of that info to another URL (offsite) via POST. Normally, the
> information would be passed via a series of GET variables or SESSION
> variables. But in this case the site the user is being directed to must
> receive the information via POST.

Google "posttohost rasmus". It's a classic from the Master at the turn of
the century ;)

Kirk

Re: POST without POSTing

on 01.10.2009 22:14:32 by Paul M Foster

On Wed, Sep 30, 2009 at 11:36:55PM -0400, Daniel Brown wrote:

> On Wed, Sep 30, 2009 at 23:29, Paul M Foster wrote:
> >
> > I'm not sure how to do this. Please no exotic external libraries my
> > shared hosting provider doesn't include. RTFM will be fine; just tell me
> > which Fine Manual to Read.
>
> Nothing too exotic at all, Paul. Check out cURL:
>
> http://php.net/curl

Okay, I've figured out how to shove the data through cURL to the
receiving URL, but then it occurred to me that the client browser must
go there *as well*.

Will curl_exec() do that on its own, or is there a parameter I need to
feed it?

Paul

--
Paul M. Foster

Re: POST without POSTing

on 01.10.2009 22:23:46 by Daniel Brown

On Thu, Oct 1, 2009 at 16:14, Paul M Foster wrote:
>
> Okay, I've figured out how to shove the data through cURL to the
> receiving URL, but then it occurred to me that the client browser must
> go there *as well*.
>
> Will curl_exec() do that on its own, or is there a parameter I need to
> feed it?

So you need to have the *client* post the information? You may
want to look into a JavaScript solution, like an
onload/document.form.post action.

--

daniel.brown@parasane.net || danbrown@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

Re: POST without POSTing

on 01.10.2009 22:35:57 by Jeff Brown

Paul M Foster wrote:
> I'm sure this has been covered before, but I'm not even sure how to
> search in the archives for it.
>
> I have a form that collects certain info via POST. It is re-entrant, so
> when the user hits the "submit" button, it checks the input and does
> whatever sanity checks it needs to. If all is okay, it must now pass
> some of that info to another URL (offsite) via POST. Normally, the
> information would be passed via a series of GET variables or SESSION
> variables. But in this case the site the user is being directed to must
> receive the information via POST.
>
> I'm not sure how to do this. Please no exotic external libraries my
> shared hosting provider doesn't include. RTFM will be fine; just tell me
> which Fine Manual to Read.
>
> Paul
>

Answering in general to a lot of the above responses.

You don't need to care if the 'foreign' host supports fsockopen or curl,
only if your form hosting host does. (Boy that looks more confusing in
re-read than it felt writing it ;D ... )

To the foreign redirect target, both curl and fsockopen are supposed to
look like a browser hitting the site.

So if your site allows curl or fsockopen, then you're golden.

jeff

Re: POST without POSTing

on 01.10.2009 22:49:04 by Paul M Foster

On Thu, Oct 01, 2009 at 04:23:46PM -0400, Daniel Brown wrote:

> On Thu, Oct 1, 2009 at 16:14, Paul M Foster wrote:
> >
> > Okay, I've figured out how to shove the data through cURL to the
> > receiving URL, but then it occurred to me that the client browser must
> > go there *as well*.
> >
> > Will curl_exec() do that on its own, or is there a parameter I need to
> > feed it?
>
> So you need to have the *client* post the information? You may
> want to look into a JavaScript solution, like an
> onload/document.form.post action.

Javascript would be a bad solution. If the user has this turned off,
they can't use the site.

Let me be less opaque. This is a page where a user will fill in some
personal information, and then select an amount to donate to this cause.
The intent is to pass some information that the merchant service company
needs (like merchant number and item selected) to their secure URL. The
problem is that, before I just pass the information off to them, I want
to make sure the user has properly filled out this form. So I have to
validate it. That's done in the background on the server, naturally. But
once the validating is done, it's time to send the user off to the
secure site with a payload of POST variables. At that point, the user
will enter credit card info and such, and continue the transaction.

So I need to find a way to direct the user's browser to the secure site
with their payload of POST variables. The more I look at this, the more
it looks like cURL won't do it, and Javascript has the obvious down
side.

I'm afraid the only way to do this may be to validate everything, pass
the values off to a confirmation page, where the user has to hit
"Proceed", and *that* page goes directly to the secure server with its
POST payload.

If anyone has a better idea, let me know. Hopefully I've explained it
adequately to make the problem clear.

Paul

--
Paul M. Foster

Re: POST without POSTing

on 02.10.2009 00:45:43 by Ben Dunlap

> to make sure the user has properly filled out this form. So I have to
> validate it. That's done in the background on the server, naturally. But
> once the validating is done, it's time to send the user off to the
> secure site with a payload of POST variables. At that point, the user
> will enter credit card info and such, and continue the transaction.

You're describing what a 307 redirect is supposed to accomplish:

header("Location: $secure_url", TRUE, 307);

But I've heard that not all browsers comply with the HTTP spec on this
point. Might be worth testing a bit, though -- maybe your typical
audience doesn't tend to use non-compliant browsers.

> So I need to find a way to direct the user's browser to the secure site
> with their payload of POST variables. The more I look at this, the more
> it looks like cURL won't do it, and Javascript has the obvious down
> side.
>
> I'm afraid the only way to do this may be to validate everything, pass
> the values off to a confirmation page, where the user has to hit
> "Proceed", and *that* page goes directly to the secure server with its
> POST payload.

That might actually be the best solution because it's the most
transparent, from the user's point-of-view. A 307 is going to cause
many browsers to pop up a confirmation dialog, which will freak some
users out -- and will break people's flow a lot more than would a
smoothly-executed two-stage submit.

Ben
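
The two-stage submit discussed above, as an added example that is not part of the original thread: the first stage validates on the server against an allow-list, and the second renders a confirmation form whose hidden fields are HTML-escaped and whose action is a fixed URL. The gateway URL, merchant number, item list and field names are hypothetical placeholders.

```php
<?php
// Added example, not code from the thread. Gateway URL, merchant number and
// field names are hypothetical placeholders.

const GATEWAY_URL = 'https://gateway.example/pay'; // fixed; never from input
const MERCHANT_ID = 'MERCHANT-PLACEHOLDER';
const ITEMS = ['general' => 'General fund', 'building' => 'Building fund'];

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** First stage: returns [clean values, errors] for the submitted form. */
function validate_donation(array $post): array
{
    // Treat array-valued or missing parameters as empty strings.
    $str = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';
    $clean = ['name' => $str('name'), 'item' => $str('item'), 'amount' => $str('amount')];
    $errors = [];

    if ($clean['name'] === '' || strlen($clean['name']) > 100) {
        $errors['name'] = 'Name is required (100 characters at most).';
    }
    if (!array_key_exists($clean['item'], ITEMS)) {
        $errors['item'] = 'Unknown item.';
    }
    // Whole units or exactly two decimals, at least 1.
    if (!preg_match('/^\d{1,5}(\.\d{2})?$/D', $clean['amount']) || (float) $clean['amount'] < 1) {
        $errors['amount'] = 'Enter an amount such as 25 or 25.00.';
    }
    return [$clean, $errors];
}

/** Second stage: a form the user submits straight to the gateway. */
function render_confirmation(array $clean): string
{
    // Hidden fields travel through the browser, so the user can still edit
    // them; escaping protects this page, not the values the gateway receives.
    $html = '<form method="post" action="' . h(GATEWAY_URL) . "\">\n";
    foreach (['merchant' => MERCHANT_ID] + $clean as $name => $value) {
        $html .= '  <input type="hidden" name="' . h($name) . '" value="' . h($value) . "\">\n";
    }
    $html .= '  <p>Donate ' . h($clean['amount']) . ' to ' . h(ITEMS[$clean['item']]) . "?</p>\n";
    return $html . "  <button type=\"submit\">Proceed</button>\n</form>\n";
}

// Constructed sample submission.
[$clean, $errors] = validate_donation(
    ['name' => 'A "Donor" <x>', 'item' => 'general', 'amount' => '25.00']
);
echo $errors ? implode("\n", $errors) . "\n" : render_confirmation($clean);
```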
