views:

698

answers:

4

Actually, it's gotten so messy that I'm not even sure curl is the culprit. So, here's the php:

$creds = array(
    'pw' => "xxxx",
    'login' => "user"
    );

$login_url = "https://www.example.net/login-form"; //action value in real form.
$loginpage = curl_init();

curl_setopt($loginpage, CURLOPT_HEADER, 1);
curl_setopt($loginpage, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($loginpage, CURLOPT_URL, $login_url);
curl_setopt($loginpage, CURLOPT_POST, 1);
curl_setopt($loginpage, CURLOPT_POSTFIELDS, $creds);

$response = curl_exec($loginpage);
echo $response;

I get the headers (which match the headers of a normal, successful request), followed by the login page (I'm guessing curl captured this due to a redirect) which has an error to the effect of "Bad contact type".

I thought the problem was that the request had the host set to the requesting server, not the remote server, but then I noticed (in Firebug), that the request is sent as GET, not POST.

If I copy the login site's form, strip it down to just the form elements with values, and put the full URL for the action, it works just great. So I would think this isn't a security issue where the login request has to originate on the same server, etc. (I even get rid of the empty hidden values and all of the JS which set some of the other cookies).

Then again, I get confused pretty quickly.

Any ideas why it's showing up as GET, or why it's not working, for that matter?

+1  A: 

The request is made from the server, and will not show up in Firebug. (You probably confused it with another request by your browser). Use wireshark to find out what really happens. You are not setting CURLOPT_FOLLOWLOCATION; redirects should not be followed.

Summarizing: Guess less, post more. Link to a pcap dump, and we will be able to tell exactly what you're doing wrong; or post the exact output of the php script, and we might.

phihag
Thanks for the heads up. When I did an almost identical curl_exec to another server, I saw a POST (with the form values I set), so I thought firebug (in the Net tab) was accurate. Just to be sure, I use wireshark on my local machine? I'm guessing no since the request is server-side. How do I configure it for the server?
Anthony
@Anthony wireshark has to be run either on the machine php is running on or the one you're sending the request to. If wireshark is not installed there, look for tcpdump. I'm quite interested in curl-related stuff, so if you have further questions that don't fit into this box, don't hesitate to contact me via IM or email (See my profile for addresses).
phihag
+1  A: 

The shown code does a multipart formpost (since you pass a hash array to the POSTFIELDS option), which probably is not what the target server expects.

Daniel Stenberg
A: 

try throwing in a print_r(curl_getinfo($loginpage)) at the end, see what the header data it sent back as.

also, if your trying to fake that your logging in from their site, your going to want to make sure your sending the correct referrer with your post, so that they "think" you were on the website when you sent it.

Uberfuzzy
A: 

When troubleshooting the entire class of PHP-cURL-related problems, you simply have to turn on CURLOPT_VERBOSE and give CURLOPT_STDERR a file handle.

tail -f your file, compare the headers and response to the ones you see in Firebug, and the problem should become clear.