0

I am trying to write a program such that I can use $_POST['id'] to specify an ID and to write the rest of the binary data into "php://input". My current Java code looks like:

HttpURLConnection connection = (HttpURLConnection) new URL("https://example.com/write?id="+id).openConnection();
connection.setRequestMethod("POST");
connection.setDoInput(true);
connection.setDoOutput(true);
connection.addRequestProperty("Content-Type", "application/bin");
DataOutputStream os = new DataOutputStream(connection.getOutputStream());
os.flush();
gameLevel.writeCompressedBinary(os);
os.close();
BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
String result = reader.readLine();
reader.close();
return result;

Problem is, $_POST['id'] does not exist when processed by the PHP file, but $_REQUEST['id'] does. I do not want 'id' to be visible over a GET request. What would be the best way to accomplish what I'm trying to do?

I can't use any 3rd party libraries to accomplish this.

Hello234
  • 175
  • 2
  • 12
  • 1
    PHP only populates $_POST, when the request content type is either `application/x-www-form-urlencoded` or `multipart/form-data`. – CBroe Nov 12 '20 at 09:11
  • _“I do not want 'id' to be visible over a GET request.”_ - security by obscurity does never work. Whether you send that value via GET or POST, makes very little difference. – CBroe Nov 12 '20 at 09:12
  • You _could_ send the value via a custom HTTP header, and then get it out from there. But again, do not be so naive to think that would consider a “security improvement” in any way, shape or form. – CBroe Nov 12 '20 at 09:13
  • I stated that because I am told that POST should be used for stuff like this. It's all over HTTPS so afaik the data would be encrypted anyways? If it doesn't make a difference I guess I could just stick to using $_REQUEST – Hello234 Nov 12 '20 at 18:24
  • 1
    The decision between GET and POST should be based mainly on whether data gets requested, or changed/deleted/modified; see https://stackoverflow.com/questions/46585/when-do-you-use-post-and-when-do-you-use-get for a more in-depth explanation. But that’s not a thing that absolutely _must_ be followed, some cases justify exceptions to the “rule”. If you want to send data as `application/bin` here, you can not really mix other data in there easily, so using either GET or an HTTP header to transport the ID is acceptable. And yes, HTTPS takes care of no one in the middle being able to read the data. – CBroe Nov 13 '20 at 07:22
  • That's good to know, thanks for the information! – Hello234 Nov 14 '20 at 02:26

0 Answers0