3

Background:

I have three application I maintain with automatic error tracking (via email with error details). Two of these are written in java and on php.

Problem:

Every once and awhile I get error tracking messaging of a missing id required for an action page. The error tracking include content of the request which is always empty. The request is always of type POST and it could be generated by a simple page or AJAX form post submission.

[EDIT] No file upload involved. It is a simple form method="POST".

I cannot see any special correlation between a browser type and the empty requests. I cannot obviously reproduce this error on development or testing platforms since it is sort of random.

I suspect that this problem also affect other platforms such as .NET

Any ideas of what can cause a form to be submitted completely empty and how to best address it other than simply throw an error if required parameters are missing (more of IllegalStateException since these action pages are never accessed by URL).

Pierre
  • 1,329
  • 2
  • 12
  • 21
  • I'm confused is this related to PHP or JSP? – AJ. May 27 '11 at 13:17
  • 1
    Are you uploading files at the same time. That could cause empty POST – Layke May 27 '11 at 13:18
  • 2
    are you sure they are legit users? is it possible that someone is trying to crawl/auto submit forms on your site? do you also get referrers in your alerts? that may shed some light – Sabeen Malik May 27 '11 at 13:20
  • 2
    I agree with @Laykes, uploading large files might be a problem. If a file (i.e., encoded contents of a file rather than size of a file on disk) is larger than `post_max_size`, `$_POST` will be empty. Error occurs before processing PHP script, therefore neither custom error handler, nor `error_reporting()`, `ini_set('display_errors', 0)` or other script is executed before it happens. – binaryLV May 27 '11 at 13:26
  • updated problem to state that no file upload is included. and yes these are legit users that are authenticated. – Pierre May 27 '11 at 14:08
  • @AJ I get the same problem for PHP and servlet/jsp based app so I figured I ask both communities. – Pierre May 27 '11 at 14:12
  • Okay, well another issue could be headers. Are your form headers set to multipart/form-data. If so that could cause a problem if you are submitting via AJAX and you do not set up your Content-Dispositions correctly. – Layke May 27 '11 at 14:18
  • @binaryLV Had a similar issue myself and post_max_size was indeed the issue. Thanks. – ABailiss Jun 07 '11 at 16:56

1 Answers1

2

When doing a POST request, PHP fills variable $_SERVER['CONTENT_LENGTH'] with the size of posted data. It is not present for GET requests.

If posted data is too large (larger than a value of post_max_size directive in PHP) or has invalid structure, $_POST array is empty (because PHP cannot decode posted data), but $_SERVER['CONTENT_LENGTH'] is still being filled.

I believe JSP should have similar stuff.

If you don't send contents of $_SERVER (or JSP equivalent), I'd advise to start doing it. If you do, then check it's CONTENT_LENGTH value (or JSP equivalent).

Additionally, in PHP, you might enable always_populate_raw_post_data directive and include $HTTP_RAW_POST_DATA in your e-mail message. It does not work with forms that have enctype='multipart/form-data' (forms that are used for uploading files), but an answer to another SO question describes a workaround for this.

Community
  • 1
  • 1
binaryLV
  • 9,002
  • 2
  • 40
  • 42
  • The data content is not large for these posts (e.g. registration and profile forms). The form is not a multipart. Error tracking aside, what could possibly cause this behavior? I know from user's feedback that they have clicked on the submit button when they get the error page for no special reason. Even if you submit a blank you will get empty string attached to the name of input not a completely blank post body. – Pierre May 27 '11 at 14:12
  • If possible, try enabling `always_populate_raw_post_data` and include `$HTTP_RAW_POST_DATA` in your error tracking email. Alternatively, you can use `file_get_contents('php://input')` instead of `$HTTP_RAW_POST_DATA`, it should work without enabling `always_populate_raw_post_data`. Value of `$_SERVER['CONTENT_LENGTH']` should also be examined. – binaryLV May 27 '11 at 14:17