-2

I am reading about PHP and backbone.js. Many people seem to be doing file_get_contents("php://input") to read the data sent from the server. Most people agree that this works, but no one seems to explain why or how this works. According to the PHP docs, this function reads a file into a string. But what does the "php://input" URL point to? Is this a file that is created on every request, an alternative to using $_POST, or what? Thx for any info on this!

tutiplain
  • 2
    A quick [Google search](http://www.google.com/search?q=php:%2F%2Finput) can go quite far these days! Especially when the [*top result*](http://php.net/manual/en/wrappers.php.php) is the official site explaining *exactly* what it is. – Jonathon Reinhart Sep 03 '13 at 01:02
  • 9
    Zero research effort. – Havenard Sep 03 '13 at 01:03
  • I don't get it, my question was closed as being off-topic, for lack of research, while this question here [link](http://stackoverflow.com/questions/1335851/what-does-use-strict-do-in-javascript-and-what-is-the-reasoning-behind-it?rq=1) is quite similar and not closed. The question did not include code to reproduce the problem, its answer is easily "googable" and the person did not present minimal understanding of the topic. What is the difference between that question and mine that makes it on-topic? I ask not to spark debate, but to better ask questions in the future. – tutiplain Oct 10 '13 at 16:40

1 Answer

2

php://input allows you to read the raw data from a request, rather than relying on $_POST, which will be empty or invalid if the request is using some special format.

You can get the full details on this and other PHP wrappers here

  • +1, on a somewhat related note, PayPal uses `input` for its IPNs example for another step at security. (Because the $_POST variable is easily editable whereas `php://input` is not) – Dave Chen Sep 03 '13 at 01:08
  • 1
    @DaveChen It makes no sense, in any case the source of the information is the remote peer. `php://input` is mainly used to establish websocket communication. – Havenard Sep 03 '13 at 01:11
  • @Havenard: [From this example](https://developer.paypal.com/webapps/developer/docs/classic/ipn/ht_ipn/) it uses `php://input`. For websockets, I'd prefer `socket_create/bind/listen`, but that's off topic. – Dave Chen Sep 03 '13 at 01:16
  • `fsockopen` when you are the server? Don't confuse sockets with websockets. – Havenard Sep 03 '13 at 01:17
  • uhh oops I mean `socket_listen` – Dave Chen Sep 03 '13 at 01:18
  • PayPal uses input for its IPNs example for *serialization issues* (it's in the comments) it has no security benefit. –  Sep 03 '13 at 01:20
  • noticed that a while ago, but I couldn't edit :(. @Havenard: what do you mean by "It makes no sense"? – Dave Chen Sep 03 '13 at 01:22
  • I meant what Dagon just said. Both `$_POST` and `php://input` will read about the same crap, there is no security benefit. The only difference is that `$_POST` will pre-parse it using HTTP POST standards and `php://input` will deliver you the raw data, in case you need it that way for not using a POST serialization standard or whatever. – Havenard Sep 03 '13 at 01:29
  • The special trick of `php://input` is that it can continue reading data sent from the client even after the server response header is sent. The client can "continue posting", so to speak, so you keep a constant communication between the client and the current PHP script without performing new HTTP requests. It's called websocket, and is essentially what makes Node.js possible. – Havenard Sep 03 '13 at 01:33
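
The raw-body read described in the answer, as an added example that is not part of the original post or its comments: it reads a JSON body (the format Backbone.js sends by default) and validates it, since the bytes are as untrusted as `$_POST`. The helper name `read_json_body`, the `title` field, the size limit and the depth limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the page): read and validate a JSON request body.
// $source defaults to php://input; it is a parameter only so the code can be run from the CLI.
function read_json_body(string $contentType, string $source = 'php://input', int $maxBytes = 65536): array
{
    // $_POST is only populated for form encodings, so a JSON body has to be read raw.
    $mediaType = strtolower(trim(explode(';', $contentType, 2)[0]));
    if ($mediaType !== 'application/json') {
        throw new InvalidArgumentException('unsupported content type');
    }

    // Read at most $maxBytes + 1 so an oversized body is detected without buffering all of it.
    $stream = fopen($source, 'rb');
    if ($stream === false) {
        throw new RuntimeException('cannot open request body');
    }
    $raw = stream_get_contents($stream, $maxBytes + 1);
    fclose($stream);
    if ($raw === false || strlen($raw) > $maxBytes) {
        throw new LengthException('body missing or too large');
    }

    // Parse strictly (depth capped at 16), then check the shape before using any value.
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['title']) || !is_string($data['title'])) {
        throw new UnexpectedValueException('unexpected JSON shape');
    }
    return $data;
}

// Constructed sample input, written to a temp file because php://input is empty under the CLI.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'body');
    file_put_contents($tmp, '{"title":"Example model","done":false}');
    var_dump(read_json_body('application/json; charset=UTF-8', $tmp));
    // The same bytes declared as a form post are rejected before any parsing happens.
    try {
        read_json_body('application/x-www-form-urlencoded', $tmp);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
    unlink($tmp);
}
```

In a web request the call would be `read_json_body($_SERVER['CONTENT_TYPE'] ?? '')`, which reads from `php://input`.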