PHP: POST Request to ASP.NET website results in 500 server error when html tags included

Question

My situation: I need to send text to an ASP.NET web service using POST. The entire page there is a form:

<form name="aspnetForm" method="post" action="Discussion.aspx?classroom=lG39il1cotOAGJwiNvmQlIPfwmjikD%2fAHLhjjGInAZQ%3d&amp;Page=Posts&amp;ID=794239&amp;Sort=&amp;SortOrder=" id="aspnetForm">

So, I figured if I sent a POST request to this form with the correct inputs it would work. And, to an extent, it has. The form inputs are as follows:

<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDw..." />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWYQLrt..." />

And a bunch of other inputs. The code I have used is as follows:

// grab form info
    $inputs = extract_form_inputs($discussion['body']);
    $inputs['__EVENTTARGET']                    = 'ctl00$cphMain$ctl01$btnSubmit';
    $inputs['ctl00$cphMain$ctl01$tbNickname']   = "Your Instructor";
    $inputs['ctl00$cphMain$ctl01$reMessage']    = $message;

    // submit form
    $r = request_send($discussion['url'], $inputs);

extract_form_inputs does exactly that. $discussion['body'] is the content of the page. $discussion['url'] is the URL of the page. request_send has two arguments: ($url, $post_array). It performs rawurlencode on each element of the array and joins them up as keypairs, in the same way as http_build_query.

The request is url encoded properly, sent to the correct page, and works fine until I insert html tags. I have checked - the 'greater than' and 'less than' symbols ('<' and '>') are url-encoded properly. However, the server responds with a 500 error. It accepts any other text.

Has anyone else come across this sort of problem?

Is there some setting on an ASP.NET server that denies html? I can't see this being the case - there is a rich text editor on the website that I am sending requests to. This text editor performs the same request as I am, only I am doing it remotely. The rich text editor sends html to the form - I have checked that, too, using javascript.

Note: I do not have the power to modify the ASP.NET server.

Answer 1

Maybe the validateRequest flag/attribute is set and therefore your data is considered harmful and rejected.

Answer 2

You could use something like firebug or fiddler2 to log the actual request your browser sends and then compare it to your script's request. Can you log all the data request_send() sends, including all headers? Depending on how request_send() works you might be able to route it through fiddler, too, which perhaps makes it easier to compare the requests, e.g. when I run

$ctx = stream_context_create(array('http'=>array('proxy'=>'tcp://localhost:8888')));
file_get_contents('http://php.net', 0, $ctx);

the requests shows up in fiddler (8888 being fiddler's default proxy port).

edit: Do you only receive a 500 Internal Server Error or does the response contain more information? In case php doesn't fetch or doesn't return the response body you might want to look that up in fiddler, too.

Answer 3

I have compared the results and found that the website stupidly url-encodes the messages twice before submitting. Not even full url-encoding - it misses most unwanted characters. Still, the formatting now works - I just url-encode the message twice before sending and it comes out fine on the other end.

Thanks for the help!