Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

php://input <> $_POST?

Tags:

json

php

input

firefox

I'm experimenting with Firefox's Content Security Policy. Basically it's a special header for the webpage that tells the browser which resources are valid.

When some resource is invalid because it's breaks the policy, Firefox sends a report to a given URI in json format.

This is a typical report

array(1) {
  ["csp-report"]=>
  array(4) {
    ["request"]=>
    string(71) "GET http://example.com/?function=detail&id=565 HTTP/1.1"
    ["request-headers"]=>
    string(494) "Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0b10pre) Gecko/20110115 Firefox/4.0b10pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,en-us;q=0.8,es;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,*
Keep-Alive: 115
Connection: keep-alive
Referer: http://example.com/index.php?function=search&query=Pata+de+cambio+
Cookie: the cookie
"
    ["blocked-uri"]=>
    string(4) "self"
    ["violated-directive"]=>
    string(30) "inline script base restriction"
  }
}

The content type is application/json; charset=UTF-8

Now. I would expect this to be avaliable in $_POST as REQUEST_METHOD==POST but post is always empty. I can access it from php://input, but the question is: Why the request isn't avaliable in $_POST?

I can't even use filter_input and $_REQUEST is empty...

like image 337
The Disintegrator Avatar asked Dec 04 '22 09:12

The Disintegrator

2 Answers

$_POST gives you form variables, which show up in the page like this:

POST /some_path HTTP/1.1

myvar=something&secondvar=somethingelse

But what you're getting isn't a valid query string. It probably looks something like this:

POST /some_path HTTP/1.1

{'this':'is a JSON object','notice':'it\'s not a valid query string'}

php://input gives you everything after the headers in raw form, so in this case I think it's the only way to get what you want.

like image 54
Brendan Long Avatar answered Dec 09 '22 15:12

Brendan Long

If a request is sent as POST it is not necessarily encoded as normal application/x-www-form-urlencoded or multipart/form-data. Should Firefox send a JSON body, then PHP doesn't know how to decode it.

You have to check $_SERVER["HTTP_CONTENT_TYPE"]. If it contains application/json then you must indeed read php://stdin:

if (stripos($_SERVER["HTTP_CONTENT_TYPE"], "application/json")===0) {
     $_POST = json_decode(file_get_contents("php://input"));
// or something like that
like image 35
mario Avatar answered Dec 09 '22 16:12

mario
Sign in to Comment

Related questions

php: create directory on form submit?
Check if directory path ends with DIRECTORY_SEPARATOR
Foreach loop with multiple arrays
What is a django-like framework for PHP with auto-generated CRUD pages? [closed]
Getting hostname or IP address of server in PHP
Is this conditional check overkill?
Concatenate two variables to obtain one
How to get IP from "http://" or "www" in PHP?
PHP - replace values of array with another array
Zend_Session: Session must be started before any output has been sent to the browser
php: how to read only txt files in a directory
EOD not ending?
Access Variable variables with an object
PHP - String manipulation remove spcial characters and replace spaces
PHP - Server side variables that will "live" for ever?
I need a book for advanced MySQL in PHP [closed]
How to generate 5 digit alphanumeric unique ID using codeigniter?
XMLRPC Zend_Http_Client_Adapter_Exception' with message 'Read timed out after 10 seconds
PHP: go back to the start of loop using a sort of 'break'?
"php --help" results in "PHP memory exhausted" error on Ubuntu

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!