I need to post some data from one server to another just like what a form does client side. Data (a few strings totalling ~500 charactors) is received on one server (and can only be received on this server) and has to be sent to another server so that it can be added to a database. However...
On the server which adds the info to the database:
allow_url_fopen = off (and can't be turned on!!)
which means fsock isn't an option
I thought this would be a really simple thing to do (because it is client side!) but I have no idea how I can solve this so many thanks for any help!
You'll use cURL to send it as a POST. This post on my page might help: cURL
It was written to allow file uploads, but it will help with other requests as well.
You'll use cURL to send it as a POST. This post on my page might help: cURL
It was written to allow file uploads, but it will help with other requests as well.
Cheers for the link TecBrat.
Originally Posted by Mindzai
Nope it will work
I'll give cURL a go then!
Do either of you guys know how curl sends the posts though? Does it just emulate the way a client would send a post using a form?
Right guys I tried cURL however, it's not working!
I've used curl_getinfo to find that when the post is made it is just forbidden by the server:
http_code = 403
Is it possible that the database surver knows that the post is been made by a server opposed to a browser (and has a problem with this) as when I post this using a HTML form, everything works fine!
If so, is there any way of making the post appear as if it has originated from a browser?
Do either of you guys know how curl sends the posts though? Does it just emulate the way a client would send a post using a form?
All POST requests end up being sent the same way regardless of how you make them, ie by opening a socket to the webserver and transmitting the data. This is the same if it's your browser, php's fopen or fsockopen, telnet from a unix terminal etc. They all provide varying levels of abstraction for the same thing. The reason cURL will work here, is because it uses an external library (libcurl) rather than PHP itself. The PHP cURL extension is basically a wrapper around this library's functionality.
The first rule of Tautology Club is the first rule of Tautology Club.
Is it possible that the database surver knows that the post is been made by a server opposed to a browser (and has a problem with this) as when I post this using a HTML form, everything works fine!
It's possible the server is doing something like checking the user agent string but that's easy to work around if so.
PHP Code:
curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
Have you tried sending the data as a querystring as using an array alters the headers slightly:
Another possibility is that the form hosted on the server generates a session variable that should exist during processing so it thinks you are hijacking a form processor.
I wondered that, but I go the impression the form that posted to server2 was hosted on server1 - can you clarify acestuff? If that's not the case you may be SOL here.
The first rule of Tautology Club is the first rule of Tautology Club.
Thanks very much for your previous explanations. I'll try your suggestions shortly.
As for clarification:
Server 1 has the data and posts to Server 2.
Server 2 then puts the info into the database which is on the same server.
I'm afraid I'm new to server side languages so I don't know what a session variable is but it's not something I've coded in. All my code is as simple as $_POST['data'] and then SQL.
What I'm trying to do is all a bit odd due to the different functionality abilities of the servers (they're free servers)...
Glad you got it sorted! It just goes to show what a pointless "security" technique user agent checks are!
Originally Posted by acestuff
I'm new to server side languages
Originally Posted by acestuff
$_POST['data'] and then SQL.
Those two phrases together fill me with dread! Make sure you are validating and escaping all external data (ie anything POSTed in this case) otherwise you may find youself the victim of SQL injection attacks (amongst other nastiness).
Last edited by Mindzai; 08-05-2010 at 12:57 PM.
The first rule of Tautology Club is the first rule of Tautology Club.
Glad you got it sorted! It just goes to show what a pointless "security" technique user agent checks are!
Yea, what a waste of time!
Originally Posted by Mindzai
Those two phrases together fill me with dread! Make sure you are validating and escaping all external data (ie anything POSTed in this case) otherwise you may find youself the victim of SQL injection attacks (amongst other nastiness).
Hehe I know :P I've got everything going through mysql_real_escape_string() and all requests are mostly hard coded so I hope it'll be okey...
My biggest concern is with sending data unsecurely - I don't know what the risks are. One of the things Server 2 is doing is a Paypal IPN so a client's Paypal ID, email address and delivary address are been sent from server-to-server without encryption. There is no read functionality to the database they are going into though so I don't think there is scope for SQL injection attacks thankfully. However, I probably I need to look into some kind of encryption thinking about it...
The other thing I haven't considered is if someone just sent loads of requests to create entries in the databases causing them to fill up with loads of rubbish. God only knows why someone would want to do this but it would be a real pain!
Security is not something I've had to think about before as I've only really written client side content.
Thanks for the tips.
Reply With Quote
Originally Posted by Mindzai
Make sure you are validating and escaping all external data (ie anything POSTed in this case) otherwise you may find youself the victim of SQL injection attacks (amongst other nastiness).
Bookmarks