HTTP Request Methods
The Internet’s HTTP protocol, commonly used to fetch Web pages, defines a number of
“methods” that browsers can use to send requests and data to Web servers. Of the available
methods, the two most important are the GET method and the POST method.
GET is the “default” method for the Internet, used whenever you request a page with your browser. All data in the request must be encoded in the URL.
POST is most often used for submitting forms. It allows additional form data to be sent with the request. HTML lets you specify the method to use for each formtag. Although GET is the default, it is most common to use POST, which avoids cluttering the URL with the submitted data.
Use the POST method when declaring your form in HTML. This prevents
form values from appearing in the URL, and allows a larger amount of data
to be submitted through the form.
Use PHP’s htmlspecialcharsfunction when populating form fields with
PHP values, to avoid malformed HTML.
PHP has its own wrappers for Curl, so we can use the same tool from within
PHP. A simple GETrequest looks like this:
<?php
$url = "http://oreilly.com";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);
?>
The previous example is the simplest form, setting the URL, making a request to its
location (by default this is a GET request), and capturing the output. Notice the use of
curl_setopt(); this function is used to set many different options on Curl handles and
it has excellent and comprehensive documentation on http://php.net. In this example,
it is used to set the CURLOPT_RETURNTRANSFERoption to true, which causes Curl to return
the results of the HTTP request rather than outputthem. In most cases, this option
should be used to capture the response rather than letting PHP echo it as it happens.
We can use this extension to make all kinds of HTTP requests, including sending custom
headers, sending body data, and using different verbs to make our request.
If you use normal HTTP, form data will be sent in “clear text” over the Internet
from the browser to the server. This means it can be intercepted by someone
using a packet sniffer. When you send confidential information such as financial details,
use an encryption technology such as SSL.
<?php
$url = "http://requestb.in/example";
$data = array("name" => "Lorna", "email" => "lorna@example.com");
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER,
array('Content-Type: application/json')
);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);
?>
Again, curl_setopt()is used to control the various aspects of the request we send.
Here, a POSTrequest is made by setting the CURLOPT_POSToption to 1, and passing the
data we want to send as an array to the CURLOPT_POSTFIELDSoption. We also set a
Content-Typeheader, which indicates to the server what format the body data is in; the
various headers
Assuming magic quotes is disabled on your server, and you have no other measures
in place to prevent it, this clever attack alters the meaning of the query:
SELECT * FROM users
WHERE username='' AND password='' OR username LIKE '%'
The modified query will select allrecords in the user table! When the script checks
whether any users matched the supplied user name and password combination,
it will see this big result set and grant access to the site
This can be prevented if we escape the incoming variables:
$sql = "SELECT * FROM users
WHERE username='" . safeEscapeString($_POST['username']). "'
AND password='" . safeEscapeString($_POST['password']). "'";
In some cases, depending on the circumstances, this may not be necessary.
GET is the “default” method for the Internet, used whenever you request a page with your browser. All data in the request must be encoded in the URL.
POST is most often used for submitting forms. It allows additional form data to be sent with the request. HTML lets you specify the method to use for each formtag. Although GET is the default, it is most common to use POST, which avoids cluttering the URL with the submitted data.
Use the POST method when declaring your form in HTML. This prevents
form values from appearing in the URL, and allows a larger amount of data
to be submitted through the form.
Use PHP’s htmlspecialcharsfunction when populating form fields with
PHP values, to avoid malformed HTML.
PHP has its own wrappers for Curl, so we can use the same tool from within
PHP. A simple GETrequest looks like this:
<?php
$url = "http://oreilly.com";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);
?>
The previous example is the simplest form, setting the URL, making a request to its
location (by default this is a GET request), and capturing the output. Notice the use of
curl_setopt(); this function is used to set many different options on Curl handles and
it has excellent and comprehensive documentation on http://php.net. In this example,
it is used to set the CURLOPT_RETURNTRANSFERoption to true, which causes Curl to return
the results of the HTTP request rather than outputthem. In most cases, this option
should be used to capture the response rather than letting PHP echo it as it happens.
We can use this extension to make all kinds of HTTP requests, including sending custom
headers, sending body data, and using different verbs to make our request.
If you use normal HTTP, form data will be sent in “clear text” over the Internet
from the browser to the server. This means it can be intercepted by someone
using a packet sniffer. When you send confidential information such as financial details,
use an encryption technology such as SSL.
<?php
$url = "http://requestb.in/example";
$data = array("name" => "Lorna", "email" => "lorna@example.com");
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER,
array('Content-Type: application/json')
);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);
?>
Again, curl_setopt()is used to control the various aspects of the request we send.
Here, a POSTrequest is made by setting the CURLOPT_POSToption to 1, and passing the
data we want to send as an array to the CURLOPT_POSTFIELDSoption. We also set a
Content-Typeheader, which indicates to the server what format the body data is in; the
various headers
Assuming magic quotes is disabled on your server, and you have no other measures
in place to prevent it, this clever attack alters the meaning of the query:
SELECT * FROM users
WHERE username='' AND password='' OR username LIKE '%'
The modified query will select allrecords in the user table! When the script checks
whether any users matched the supplied user name and password combination,
it will see this big result set and grant access to the site
This can be prevented if we escape the incoming variables:
$sql = "SELECT * FROM users
WHERE username='" . safeEscapeString($_POST['username']). "'
AND password='" . safeEscapeString($_POST['password']). "'";
In some cases, depending on the circumstances, this may not be necessary.