The following snippet is taken from WordPress. It relies on php://input, which is worth studying more closely.
The code is as follows:

    if ( !isset( $HTTP_RAW_POST_DATA ) ) {
        $HTTP_RAW_POST_DATA = file_get_contents( 'php://input' );
    }

    // Fix for mozBlog and other cases where XML isn't on the very first line
    if ( isset( $HTTP_RAW_POST_DATA ) )
        $HTTP_RAW_POST_DATA = trim( $HTTP_RAW_POST_DATA );
The official PHP manual gives a clear, one-paragraph overview of php://input:

"php://input allows you to read raw POST data. It is a less memory intensive alternative to $HTTP_RAW_POST_DATA and does not need any special php.ini directives. php://input is not available with enctype="multipart/form-data"."
In other words:
"php://input can read POST data that has not been processed. Compared to $HTTP_RAW_POST_DATA, it puts less pressure on memory and does not require special php.ini settings. php://input cannot be used with enctype=multipart/form-data."
PHP developers who read POST data will be familiar with the built-in variable $_POST. How are $_POST and php://input related, and how do they differ? In addition, besides POST, the most common way for a client to send data to the server is GET. Since php://input is a PHP input stream, does it read GET data as well? These two questions are the main subject of this section.
Experience tells us that testing and observing is a very effective way to reach conclusions. Here, I wrote a few scripts to help us test.
@file 192.168.0.6:/phpinput_server.php prints out the data it receives
@file 192.168.0.8:/phpinput_post.php simulates submitting form data with the POST method
@file 192.168.0.8:/phpinput_xmlrpc.php simulates issuing an XML-RPC request with the POST method
@file 192.168.0.8:/phpinput_get.php simulates submitting form data with the GET method
The code is as follows:

    <?php
    // @file phpinput_server.php
    // Print the parsed $_POST array and the raw request body side by side.
    $raw_post_data = file_get_contents('php://input');
    echo "-------\$_POST------------------\n";
    var_dump($_POST);
    echo "\n";
    echo "-------php://input-------------\n";
    echo $raw_post_data . "\n";
    ?>

    <?php
    // @file phpinput_post.php
    // Send a form-encoded POST request over a raw socket and print the response.
    $http_entity_body = 'n=' . urlencode('perfgeeks') . '&p=' . urlencode('7788');
    $http_entity_type = 'application/x-www-form-urlencoded';
    $http_entity_length = strlen($http_entity_body);
    $host = '192.168.0.6';
    $port = 80;
    $path = '/phpinput_server.php';
    $d = '';
    $fp = fsockopen($host, $port, $error_no, $error_desc, 30);
    if ($fp) {
        fputs($fp, "POST {$path} HTTP/1.1\r\n");
        fputs($fp, "Host: {$host}\r\n");
        fputs($fp, "Content-Type: {$http_entity_type}\r\n");
        fputs($fp, "Content-Length: {$http_entity_length}\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        // The trailing CRLFs are sent after the Content-Length bytes of the body
        fputs($fp, $http_entity_body . "\r\n\r\n");

        while (!feof($fp)) {
            $d .= fgets($fp, 4096);
        }
        fclose($fp);
        echo $d;
    }
    ?>
We can capture the HTTP request with the tool ngrep (because we want to examine php://input, we only capture the HTTP request packets here). Let's run the test script phpinput_post.php.
    @php /phpinput_post.php
    HTTP/1.1 200 OK
    Date: Thu, 03:23:36 GMT
    Server: Apache/2.2.3 (CentOS)
    X-Powered-By: PHP/5.1.6
    Content-Length: 160
    Connection: close
    Content-Type: text/html; charset=UTF-8

    -------$_POST------------------
    array(2) {
      ["n"]=>
      string(9) "perfgeeks"
      ["p"]=>
      string(4) "7788"
    }
    -------php://input-------------
    n=perfgeeks&p=7788

The HTTP request packets captured by ngrep are as follows:

    T 192.168.0.8:57846 -> 192.168.0.6:80 [AP]
      POST /phpinput_server.php HTTP/1.1..
      Host: 192.168.0.6..Content-Type: application/x-www-form-urlencoded..Co
      ntent-Length: 18..Connection: close....n=perfgeeks&p=7788....
Looking carefully, it is not hard to see that:
1. The $_POST data and the php://input data are "consistent" with the HTTP entity body data.
2. The Content-Type of the HTTP request is application/x-www-form-urlencoded, which means that the data in the body of the HTTP request is form data submitted with the HTTP POST method and processed with urlencode().
(Note: pay attention to the content in bold; this will not be pointed out again below.)
Let's look at the source of the script phpinput_xmlrpc.php, which simulates an XML-RPC request submitted with the POST method.
The code is as follows:

    <?php
    // @file phpinput_xmlrpc.php
    // Send an XML body with a non-form Content-Type and print the response.
    $http_entity_body = "\n\n<?xml version=\"1.0\">\n<methodcall>\n <name>jt_userinfo</name>\n</methodcall>";
    $http_entity_type = 'text/html';
    $http_entity_length = strlen($http_entity_body);
    $host = '192.168.0.6';
    $port = 80;
    $path = '/phpinput_server.php';
    $d = '';
    $fp = fsockopen($host, $port, $error_no, $error_desc, 30);
    if ($fp) {
        fputs($fp, "POST {$path} HTTP/1.1\r\n");
        fputs($fp, "Host: {$host}\r\n");
        fputs($fp, "Content-Type: {$http_entity_type}\r\n");
        fputs($fp, "Content-Length: {$http_entity_length}\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $http_entity_body . "\r\n\r\n");

        while (!feof($fp)) {
            $d .= fgets($fp, 4096);
        }
        fclose($fp);
        echo $d;
    }
    ?>
Again, let's run this test script.
    @php /phpinput_xmlrpc.php
    HTTP/1.1 200 OK
    Date: Thu, Apr 03:47:18 GMT
    Server: Apache/2.2.3 (CentOS)
    X-Powered-By: PHP/5.1.6
    Content-Length: 154
    Connection: close
    Content-Type: text/html; charset=UTF-8

    -------$_POST------------------
    array(0) {
    }
    -------php://input-------------
    <?xml version="1.0">
    <methodcall>
     <name>jt_userinfo</name>
    </methodcall>
While this script runs, the HTTP request packets we captured with ngrep are as follows:

    T 192.168.0.8:45570 -> 192.168.0.6:80 [AP]
      POST /phpinput_server.php HTTP/1.1..
      Host: 192.168.0.6..Content-Type: text/html..Content-Length: 75..Connec
      tion: close....<?xml version="1.0">.<methodcall>. <name>jt_userinfo<
      /name>.</methodcall>

Similarly, we can easily observe the following:
1. The Content-Type of the HTTP request is text/xml. It indicates that the body data of the HTTP request is in XML format.
2. The $_POST printed on the server side is an empty array, which is inconsistent with the HTTP entity body. This differs from the previous example because here the Content-Type is text/xml, not application/x-www-form-urlencoded.
3. The php://input data is still consistent with the HTTP entity body data. That is, the php://input data is inconsistent with the $_POST data.
Now let's look at the case where form data is submitted with the GET method: can php://input read the form data of a GET request? Here, we change the phpinput_server.php file slightly, replacing $_POST with $_GET.
The code is as follows:

    <?php
    // @file phpinput_server.php
    // Print the parsed $_GET array and the raw request body side by side.
    $raw_post_data = file_get_contents('php://input');
    echo "-------\$_GET------------------\n";
    var_dump($_GET);
    echo "\n";
    echo "-------php://input-------------\n";
    echo $raw_post_data . "\n";
    ?>

    <?php
    // @file phpinput_get.php
    // Send the same form fields in the query string of a GET request.
    $query_path = 'n=' . urlencode('perfgeeks') . '&p=' . urlencode('7788');
    $host = '192.168.0.6';
    $port = 80;
    $path = '/phpinput_server.php';
    $d = '';
    $fp = fsockopen($host, $port, $error_no, $error_desc, 30);
    if ($fp) {
        fputs($fp, "GET {$path}?{$query_path} HTTP/1.1\r\n");
        fputs($fp, "Host: {$host}\r\n");
        fputs($fp, "Connection: close\r\n\r\n");

        while (!feof($fp)) {
            $d .= fgets($fp, 4096);
        }
        fclose($fp);
        echo $d;
    }
    ?>
Likewise, we run the phpinput_get.php test script, which simulates a typical form submission with the GET method.
    @php /phpinput_get.php
    HTTP/1.1 200 OK
    Date: Thu, Apr 07:38:15 GMT
    Server: Apache/2.2.3 (CentOS)
    X-Powered-By: PHP/5.1.6
    Content-Length: 141
    Connection: close
    Content-Type: text/html; charset=UTF-8

    -------$_GET------------------
    array(2) {
      ["n"]=>
      string(9) "perfgeeks"
      ["p"]=>
      string(4) "7788"
    }
    -------php://input-------------

At this point, the corresponding HTTP request packets captured with ngrep are as follows:

    T 192.168.0.8:36775 -> 192.168.0.6:80 [AP]
      GET /phpinput_server.php?n=perfgeeks&p=7788 HTTP/1.1..
      Host: 192.168.0.6..Connection: close....
Compared with an HTTP request submitted with the POST method, a request submitted with the GET method usually has an empty entity body, and Content-Type and Content-Length are not specified. However, if an HTTP entity body is forced into the request and the correct Content-Type and Content-Length are given, then php://input still reads the HTTP entity body data, but not the $_GET data.
Summary of php://input usage in practice:
1. Only when Content-Type is application/x-www-form-urlencoded is the php://input data consistent with the $_POST data.
2. When PHP does not recognize the Content-Type, it fills the corresponding data from the HTTP request into the variable $HTTP_RAW_POST_DATA.
3. Only when Content-Type is multipart/form-data does PHP not fill the corresponding data from the HTTP request into php://input; otherwise it does. The length filled is specified by Content-Length.
4. Only when Content-Type is one of the two values application/x-www-form-urlencoded and multipart/form-data does PHP fill the corresponding data from the HTTP request into the global variable $_POST.
5. The php://input data is always the same as $HTTP_RAW_POST_DATA, but php://input is more efficient than $HTTP_RAW_POST_DATA and needs no special php.ini settings.
6. PHP fills the query_path part of the PATH field into the global variable $_GET. php://input does not read $_GET data because $_GET data is written as query_path in the PATH field of the HTTP request header instead of the body of the HTTP request.
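
The summary rules above can be turned into a check a handler runs before trusting a body. This is an added example, not code from the original article or from WordPress: the hypothetical helper body_view() reads a size-capped raw body from any stream and reports whether PHP would also have filled $_POST, which tells you when validation applied only to $_POST would never see the data. The sample requests are constructed.

```php
<?php
// Added example, not from the original article. body_view() is a hypothetical helper.
// In a real handler: body_view($_SERVER['CONTENT_TYPE'] ?? null, fopen('php://input', 'rb'))
function body_view(?string $contentType, $stream, int $maxBytes = 65536): array
{
    // Media type without parameters such as "; charset=UTF-8"
    $type = strtolower(trim(explode(';', (string) $contentType, 2)[0]));

    // Read one byte past the cap so an oversized body is rejected, not buffered whole
    $raw = stream_get_contents($stream, $maxBytes + 1);
    if ($raw === false || strlen($raw) > $maxBytes) {
        throw new LengthException('request body unreadable or larger than the cap');
    }

    $form = [];
    if ($type === 'application/x-www-form-urlencoded') {
        parse_str($raw, $form);      // urlencoded decoding, as for $_POST
        $postFilled = true;
    } elseif ($type === 'multipart/form-data') {
        $postFilled = true;          // $_POST is filled; php://input is not available
    } else {
        $postFilled = false;         // text/xml, text/html, ...: raw stream only
    }

    return [
        'type'        => $type,
        'post_filled' => $postFilled,
        'form'        => $form,
        'raw'         => $raw,
        // true when validation applied only to $_POST would never see this body
        'raw_only'    => !$postFilled && $raw !== '',
    ];
}

// Constructed sample requests mirroring the three tests on this page
$cases = [
    ['application/x-www-form-urlencoded', 'n=perfgeeks&p=7788'],
    ['text/xml', '<?xml version="1.0"?><methodCall><methodName>jt_userinfo</methodName></methodCall>'],
    [null, ''],   // typical GET: no Content-Type, empty entity body
];
foreach ($cases as [$contentType, $body]) {
    $stream = fopen('php://memory', 'r+');
    fwrite($stream, $body);
    rewind($stream);
    $view = body_view($contentType, $stream);
    fclose($stream);
    printf("%-34s post_filled=%-5s raw_only=%-5s bytes=%d\n",
        $view['type'] ?: '(none)', var_export($view['post_filled'], true),
        var_export($view['raw_only'], true), strlen($view['raw']));
}
```

Only the text/xml case reports raw_only=true: the body reaches the application through php://input while $_POST stays empty, matching the XML-RPC test above.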