0

I want to make a http post to an outside url using php. By outside url I mean the url i not hosted on my servers.The url is called in an iframe. I need to know if this is technically possible to do this.

I tried doing this using curl but curl creates its own session with the remote server while I want to use the session which the browser has already created.

Please let me know your thoughts on this.

  <?php

php code to make http post.

        ?>


    <iframe src="outside url to be posted" height="100" width="100"/>

The outside url is google calender, so when I call it, if the user is already logged into google, his calender should display and I need to make a post to the calender using http post to save a calender event.

I hope this makes myself more clear on what am trying to achieve.

Sumit Ghosh
  • 3,264
  • 4
  • 40
  • 59
  • you want to use the session from your site with a different site? – Jase Mar 30 '11 at 20:31
  • What do you mean, **want to use the session which the browser has already created.**? Either the browser posts, that means the user, and not PHP (javascript is possible). Or PHP posts, that means your server posts, not the user. – Konerak Mar 30 '11 at 20:32
  • @konerak, yes the user posts and I want to keep him logged in the iframe. So I think JS would be a good solution here. – Sumit Ghosh Mar 30 '11 at 20:36

3 Answers3

2

Update - Current Answer

After the update to your question, here's a different answer that I think addresses your issue more closely.

I think the question you are asking involves doing things with a user's credentials on another site. This is dancing dangerously close to Cross-site Request Forgery.

If you only do the POSTing when the user requests that you do it, it's a little better (I guess) but still inadvisable.

Why don't you use the Google Calendar API to do what you need?

Previous Answer

You need to tell cURL to use a particular session. Because PHP is managing the session, you'll also need to tell php to stop writing to the session while cURL uses it.

Try this:

$strCookie = 'PHPSESSID=' . $_COOKIE['PHPSESSID'] . '; path=/';
session_write_close();
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt( $ch, CURLOPT_COOKIE, $strCookie );
$response = curl_exec($ch);
curl_close($ch);

$_COOKIE['PHPSESSID'] will be the identifier for your PHP session, and $url will be the URL you've pulled out of the iframe.

This is taken virtually verbatim from this blog post. It was one of the first links on Google, so I didn't do a lot of extra digging.

I've done a bit of messing with cURL and PHP sessions, so this looks right based on what I remember.

Edit:

By the way, you should reference this SO question for the method to do POSTs with cURL. I assume you at least have some idea of how to do this, but there it is in case you need a refresher.

Also (in case it's not clear already), you can run as many

curl_setopt($handle, (CURL OPTION), (CURL VALUE));

lines as you need to configure cURL the way you need it.

e.g.:

  • POST vals
  • Session settings
  • etc., etc.

Good luck!

Community
  • 1
  • 1
rockerest
  • 10,412
  • 3
  • 37
  • 67
  • 3
    Wouldn't it be great if everyone were to explain their downvotes for the rest of the community? That would just be swell. "Whenever you encounter an egregiously sloppy, no-effort-expended post, or an answer that is clearly and perhaps dangerously incorrect, vote it down! [...] Voting down is not something we want you to take lightly." Please explain how posts you downvote are "egregiously sloppy", "no-effort-expended," or "clearly or dangerously wrong" so that everyone benefits. – rockerest Mar 30 '11 at 20:38
  • This looks interesting, comes from an external source and the source is quoted correctly. I've never seen or used shown option on php&curl before, so I'm interested if this would work and why it was downvoted... nice find imho. – Konerak Mar 30 '11 at 20:42
  • This seems like a good solution I have marked it as an answer, thx for the heads up mate. I will read the blog post for more details. – Sumit Ghosh Mar 30 '11 at 20:49
  • 1
    @Sumit @Konerak I've updated my answer to add a little info, if you're still interested in pursuing this. – rockerest Mar 31 '11 at 00:50
  • @rockerest,after tinkering which your method for some hrs,I conclude it wont work in my case. As the user session is between browser and google, so there is no way I can read that session on my server. The only approach that might work is an ajax/js solution and Iam working on one right now. I have also updated my post btw. – Sumit Ghosh Mar 31 '11 at 03:26
  • So you want cURL to hijack the browser session from ANOTHER server? :O Pardon my bluntness, but - yes, [XSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) appears to be your only option. – rockerest Mar 31 '11 at 03:30
  • @rockerest, this may be called XSRF idk, but its put to a good use and not some attack per se. And yes am doing this with user's full permission and he is being asked to loggin to his google account and we are telling him to read that we are n't storing any passwords. Also, this is not possible via API, since there are some functions which we are going which are not exposed by API yet. My bad I would say that I have to go this way. – Sumit Ghosh Apr 01 '11 at 02:29
1

It's javascript, not php.

<form id="post_form" method="post" target="post_frame">
<input type="hidden name="field1" value="value1>
.... other fields
</form>
<script type="text/javascript">
  document.getElementById("post_form").submit();
</script>
 <iframe name="post_frame" height="100" width="100"/>
NickSoft
  • 3,215
  • 5
  • 27
  • 48
-1

right off the file_get_contents man page:

<?php
// Create a stream
$opts = array(
  'http'=>array(
    'method'=>"POST",
    'header'=>"Accept-language: en\r\n" .
              "Cookie: foo=bar\r\n"
  )
);
//put post content into cookie part
$context = stream_context_create($opts);

// Open the file using the HTTP headers set above
$file = file_get_contents('http://www.example.com/', false, $context);
?>
<div><?=$file?></div>

not rly an iframe but the same idea

Naftali
  • 144,921
  • 39
  • 244
  • 303