For a php://input introduction, the PHP Official Handbook document has a very clear overview of it.
"Php://input allows to read raw POST data. It is a less memory intensive alternative to $HTTP _raw_post_data and does no need any special php.ini. Php://input is isn't available with enctype= "Multipart/form-data".
Translation over, is this:
"Php://input can read post data that has not been processed. Compared to $http_raw_post_data, it brings less pressure on memory and does not require special php.ini settings. Php://input cannot be used for Enctype=multipart/form-data "
What should we do to understand this overview?! I divided it into three parts, gradually to understand.
Reading post data
cannot be used for multipart/form-data types
Php://input VS $HTTP _raw_post_data
Reading post data
Phper must be familiar with the built-in variable $_post. What are the correlations and differences between $_post and php://input? In addition, the client interacts with the server side of the data, the most commonly used method in addition to post, there are get. Since Php://input is a PHP input stream, does it read get data? These two questions are the main elements that we need to explore in this section.
Experience tells us that it is a very effective way to summarize the tests and observations. Here, I wrote a few scripts to help us test.
@file 192.168.0.6:/phpinput_server.php to print out the received data
@file 192.168.0.8:/phpinput_post.php simulation submits form data by post method
@file 192.168.0.8:/phpinput_xmlrpc.php Impersonation to issue a XMLRPC request with a POST method.
@file 192.168.0.8:/phpinput_get.php simulate the number of forms submitted by a Get method
Phpinput_server.php and phpinput_post.php
The code is as follows |
Copy Code |
<?php @file phpinput_server.php $raw _post_data = file_get_contents (' php://input ', ' R '); echo "-------$_post------------------n"; echo Var_dump ($_post). "N"; echo "-------php://input-------------n"; Echo $raw _post_data. "N"; ?> <?php @file phpinput_post.php $http _entity_body = ' n= '. UrlDecode (' Perfgeeks '). ' &p= '. UrlDecode (' 7788 '); $http _entity_type = ' application/x-www-form-urlencoded '; $http _entity_length = strlen ($http _entity_body); $host = ' 192.168.0.6 '; $port = 80; $path = '/phpinput_server.php '; $fp = Fsockopen ($host, $port, $error _no, $error _desc, 30); if ($fp) { Fputs ($fp, "POST {$path} http/1.1rn"); Fputs ($FP, "Host: {$host}rn"); Fputs ($FP, "Content-type: {$http _entity_type}rn"); Fputs ($FP, "content-length: {$http _entity_length}rn"); Fputs ($fp, "connection:closernrn"); Fputs ($fp, $http _entity_body. "Rnrn");
while (!feof ($fp)) { $d. = Fgets ($fp, 4096); } Fclose ($FP); Echo $d; } ?> |
We can grab the HTTP request pack by using the tool Ngrep (because we need to be able to detect the php://input, so we only crawl the HTTP requests packet here). We're going to execute the test script phpinput_post.php
The code is as follows |
Copy Code |
@php/phpinput_post.php http/1.1 OK Date:thu, APR 03:23:36 GMT server:apache/2.2.3 (CentOS) x-powered-by:php/5.1.6 content-length:160 Connection:close content-type:text/html; Charset=utf-8 -------$_post------------------ Array (2) { ["N"]=> string (9) "Perfgeeks" ["P"]=> string (4) "7788" } -------Php://input------------- n=perfgeeks&p=7788
|
The HTTP request packets captured via Ngrep are as follows:
T 192.168.0.8:57846-> 192.168.0.6:80 [AP]
post/phpinput_server.php http/1.1.
Host:192.168.0.6..content-type:application/x-www-form-urlencoded.. Co
ntent-length:18..connection:close....n=perfgeeks&p=7788 .....
Careful observation, we are not difficult to find
1,$_post data, php://input data is "consistent" with httpd entity body data
The Content-type in the 2,http request is application/x-www-form-urlencoded, which means that the data in the body of the HTTP request is the form data submitted using the HTTP POST method and is UrlEncode () processing.
(Note: Note The bold part of the content, no longer prompted below).