How to do a server-to-server post?

This site is best viewed in a modern browser with JavaScript enabled.

acestuff

I need to post some data from one server to another just like what a form does client side. Data (a few strings totalling ~500 charactors) is received on one server (and can only be received on this server) and has to be sent to another server so that it can be added to a database. However...

On the server which adds the info to the database:
allow_url_fopen = off (and can't be turned on!!)
which means fsock isn't an option

I thought this would be a really simple thing to do (because it is client side!) but I have no idea how I can solve this so many thanks for any help!

Mindzai

cURL would be the best way if you have it available on the server.

acestuff

Mindzai;1106562 wrote:
cURL would be the best way if you have it available on the server.

Thanks for the reply!
Yup cURL is available on the server. Does this library just use fsock to post data though? If so it's not an option.

TecBrat

You'll use cURL to send it as a POST. This post on my page might help:
cURL
It was written to allow file uploads, but it will help with other requests as well.

Mindzai

acestuff;1106563 wrote:
Thanks for the reply!
Yup cURL is available on the server. Does this library just use fsock to post data though? If so it's not an option.

Nope it will work

acestuff

TecBrat;1106566 wrote:
You'll use cURL to send it as a POST. This post on my page might help:
cURL
It was written to allow file uploads, but it will help with other requests as well.

Cheers for the link TecBrat.

Mindzai;1106567 wrote:
Nope it will work

I'll give cURL a go then!

Do either of you guys know how curl sends the posts though? Does it just emulate the way a client would send a post using a form?

acestuff

Right guys I tried cURL however, it's not working!

I've used curl_getinfo to find that when the post is made it is just forbidden by the server:
http_code = 403

Is it possible that the database surver knows that the post is been made by a server opposed to a browser (and has a problem with this) as when I post this using a HTML form, everything works fine!

If so, is there any way of making the post appear as if it has originated from a browser?

Here's my code:

        $url = "http://my_database_server.com/test.php";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, true);

$data = array	(
	"test_value"   =>   "true"
);

curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
$output = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);

Mindzai

acestuff;1106569 wrote:
Do either of you guys know how curl sends the posts though? Does it just emulate the way a client would send a post using a form?

All POST requests end up being sent the same way regardless of how you make them, ie by opening a socket to the webserver and transmitting the data. This is the same if it's your browser, php's fopen or fsockopen, telnet from a unix terminal etc. They all provide varying levels of abstraction for the same thing. The reason cURL will work here, is because it uses an external library (libcurl) rather than PHP itself. The PHP cURL extension is basically a wrapper around this library's functionality.

Mindzai

acestuff;1106599 wrote:
Is it possible that the database surver knows that the post is been made by a server opposed to a browser (and has a problem with this) as when I post this using a HTML form, everything works fine!

It's possible the server is doing something like checking the user agent string but that's easy to work around if so.

curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");

Have you tried sending the data as a querystring as using an array alters the headers slightly:

curl_setopt($ch, CURLOPT_POSTFIELDS, 'test_value=data');

criterion9

Another possibility is that the form hosted on the server generates a session variable that should exist during processing so it thinks you are hijacking a form processor.

Mindzai

I wondered that, but I go the impression the form that posted to server2 was hosted on server1 - can you clarify acestuff? If that's not the case you may be SOL here.

acestuff

Thanks very much for your previous explanations. I'll try your suggestions shortly.

As for clarification:
Server 1 has the data and posts to Server 2.
Server 2 then puts the info into the database which is on the same server.

I'm afraid I'm new to server side languages so I don't know what a session variable is but it's not something I've coded in. All my code is as simple as $_POST['data'] and then SQL.

What I'm trying to do is all a bit odd due to the different functionality abilities of the servers (they're free servers)...

acestuff

Mindzai;1106602 wrote:
It's possible the server is doing something like checking the user agent string but that's easy to work around if so.
curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); 

Yes!! That was obviously the problem because it's working now! Thank you very much for your help

Mindzai

Glad you got it sorted! It just goes to show what a pointless "security" technique user agent checks are!

acestuff;1106663 wrote:
I'm new to server side languages

acestuff;1106663 wrote:
$_POST['data'] and then SQL.

Those two phrases together fill me with dread! :p Make sure you are validating and escaping all external data (ie anything POSTed in this case) otherwise you may find youself the victim of SQL injection attacks (amongst other nastiness).

acestuff

Mindzai;1106686 wrote:
Glad you got it sorted! It just goes to show what a pointless "security" technique user agent checks are!

Yea, what a waste of time!

Mindzai;1106686 wrote:
Those two phrases together fill me with dread! :p Make sure you are validating and escaping all external data (ie anything POSTed in this case) otherwise you may find youself the victim of SQL injection attacks (amongst other nastiness).

Hehe I know I've got everything going through mysql_real_escape_string() and all requests are mostly hard coded so I hope it'll be okey...

My biggest concern is with sending data unsecurely - I don't know what the risks are. One of the things Server 2 is doing is a Paypal IPN so a client's Paypal ID, email address and delivary address are been sent from server-to-server without encryption. There is no read functionality to the database they are going into though so I don't think there is scope for SQL injection attacks thankfully. However, I probably I need to look into some kind of encryption thinking about it...

The other thing I haven't considered is if someone just sent loads of requests to create entries in the databases causing them to fill up with loads of rubbish. God only knows why someone would want to do this but it would be a real pain!

Security is not something I've had to think about before as I've only really written client side content.
Thanks for the tips.

NogDog

Mindzai;1106686 wrote:
Glad you got it sorted! It just goes to show what a pointless "security" technique user agent checks are!

I suppose it stops some casual "script kiddie" novices who might try to access it via file_get_contents() or such, but it certainly won't stop any serious, semi-skilled web coder.

acestuff

NogDog;1106696 wrote:
I suppose it stops some casual "script kiddie" novices who might try to access it via file_get_contents() or such, but it certainly won't stop any serious, semi-skilled web coder.

Yea you're right.
It nearly stopped me in getting my server-to-server curl post to work!

NogDog

acestuff;1106697 wrote:
Yea you're right.
It nearly stopped me in getting my server-to-server curl post to work!

Perhaps you are a novice in this area, but you were serious enough to work on finding a solution.

acestuff

NogDog;1106698 wrote:
Perhaps you are a novice in this area, but you were serious enough to work on finding a solution.

Yup I'm a complete novice but it did occur to me that such a check might be made

Earlier post:

Is it possible that the database surver knows that the post is been made by a server opposed to a browser (and has a problem with this) as when I post this using a HTML form, everything works fine!

If so, is there any way of making the post appear as if it has originated from a browser?

If it wasn't for Mindzai though, it probably would have took me all day to figure out how to change the user agent!

Mindzai

Lucky guess

Re the encrypted transfer, you can use SSL/TLS with cURL if the server has a valid CA certificate. The process is explained well here.