Where to find a changing PHP POST data

Question

I logged in with the following code (I summarized it with the most important parts):

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_parameters);
$result = curl_exec($ch);
curl_close($ch);

In order to know what $post_parameters I had to enter, I used httpfox to analyze the HTTP traffic when I log in manually on my browser. The POST Data showed to be like this:

auth_key=880ea6a14ea49e853634fbdc5015a024&referer=http%3A%2F%2Fwww.website.net%2F&ips_username=myUsername&ips_password=myPassword

So I just did this on my script:

$post_parameters = "auth_key=".$authKey."&referer=".$referer."&ips_username=".$username."&ips_password=".$password;

I planned to do the same with the function to simulate the topic post, but I have the problem that when I post something manually with the browser and analyze the traffic to find the POST Data, instead of looking like the one for the log in, it looks like this:

-----------------------------20170174379164 // <-- Unknown number
Content-Disposition: form-data; name="st"

0
-----------------------------20170174379164
Content-Disposition: form-data; name="app"

forums
-----------------------------20170174379164
Content-Disposition: form-data; name="module"

post
-----------------------------20170174379164
Content-Disposition: form-data; name="section"

post
-----------------------------20170174379164
Content-Disposition: form-data; name="do"

new_post_do
-----------------------------20170174379164
Content-Disposition: form-data; name="s"

5124060eb013dfa845b1e6b67c3fbfa7 //Changing number which can be found on the previous source code
-----------------------------20170174379164
Content-Disposition: form-data; name="p"

0
-----------------------------20170174379164
Content-Disposition: form-data; name="t"
.
.
.

I want to do the same I did in the other case, that would be something like this:

$post_parameters = "-----------------------------$boundaryNumber
Content-Disposition: form-data; name="st"

0
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="app"

forums
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="module"

post
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="section"

post
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="do"

new_post_do
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="s"

$changingNumber 
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="p"

0
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="t"
.
.
."

but I have the problem that I dont know what number will appear on the boundary line so that I could just put $boundaryNumber everytime it appears on the code. Is there a way I can know what number will appear? If there isn't, can I place the number I want or it has to be a specific number so that the POST works?

I hope I explained myself better this time.

Post the code that you've tried to access and change that specific POST parameter. We won't do it for you. — Brxxn, Aug 10 '17 at 18:51
The lines with the number are the boundary lines, usually assigned somehow from the client sending the request. For another command line based cURL example See: https://stackoverflow.com/a/10765244/1144627 We would need to see your cURL request to help you further. IIRC PHP cURL automatically assigns the boundaries for you. — Will B., Aug 10 '17 at 18:53
Sorry if I didn't explained myself propertly. I have logged in on a page with cURL and now I'm trying to post on it with CURLOPT_POST. I haven't coded the post function because I'm still trying to find out how to know the value of that number on the boundary lines. For that, I'm posting on the server manually (using a browser) and checking the HTTP traffic that that manual post produces to scrap it and look for it, but I guess that it can't be found that way. Thanks for the link @fyrye but I'm using Windows and I think that the question you sent me was for Linux. — Luiscri, Aug 10 '17 at 19:18
The problem is this. On httpfox I scanned the traffic when I posted a topic manually, and the POST file had a POST Data which looked as the code I posted on my question. If I wanna recreate that POST on cURL with `curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);` I need to know that number on the boundary line before I send it, so that I can edit the $post_data var as a manual post would do. How can I know what number will appear there when I send the post on cURL? @fyrye — Luiscri, Aug 10 '17 at 19:29
@Luiscri My link was just a demonstration of a general cURL request with custom boundaries. If you're looking to send a request with specific boundaries. I believe you need to set `CURLOPT_HTTPHEADER, ['Content-Type: multipart/form-data; boundary=' . $boundary]` Your `php_curl.dll` file would then control the placement of the boundaries for each post field you supplied, of which are auto-generated if omitted in your cURL request. We can not know/help more without seeing your PHP code, as the headers of request containing information doesn't point us toward a resolution for you. — Will B., Aug 10 '17 at 19:39
I edited the whole question, I hope I explained it better this time. Thanks for your time and answers sir. @fyrye — Luiscri, Aug 10 '17 at 20:40

hanshenrik · Accepted Answer · 2017-08-11T14:02:00.587

2 obvious problems, you don't urlencode your data, so if the data contains & or = or spaces or ÆØÅ or a bunch of other characters, you'll send the wrong data.

second problem is that your curl code use application/x-www-urlencoded encoding, but your browser use multipart/form-data-encoding in the POST request body.

now with curl_, in order to use use multipart/form-data-encoding, just give CURLOPT_POSTFIELDS an array, and curl will multipart/form-data-encode it for you :)

$post_parameters = array (
        "auth_key" => $authKey,
        "referer" => $referer,
        "ips_username" => $username,
        "ips_password" => $password 
);

edit: fixed some code-breaking typos, had = in the array key name when converting it from urlencoded to php array

as for the confusion about the boundary string, its you, yourself, that decide what the boundary string is. usually, its just a bunch of random characters. its part of the multipart/form-data encoding... but you don't have to worry about that, as curl will make a boundary string for you automatically, and you don't need to know how it works or what it is, curl will take care of it for you.

Thanks man, I had a problem of concept, but know you clarified all. Thanks again for your answer. — Luiscri, Aug 14 '17 at 18:15

Where to find a changing PHP POST data

1 Answers1