0

I post data to a PHP file. The POST and GET data is empty, but php://input perfectly shows the posted data.

How is this possible? And what can I do to check / fix this?

This is my code:

    const myJSON = JSON.stringify(data); 
    let result   = myJSON.replace("[{","{");
    result       = result.replace("}]","}");
    result       = result.replace(/},{/g,",");

    var user     = '{{ Auth::user()->name }}';
    var l        = document.getElementById("languages");
    var langcode = l.value;
    var params   = 'user='+user+'&lang='+langcode+'&data='+result;
    var url      = "/public/test.php";
    
    var xhr = new XMLHttpRequest();
    xhr.open("POST", url, true);
    xhr.setRequestHeader('Content-type', 'application/json');
    xhr.send(params);
MikeMynis

2 Answers

0

Ah, solution:

Change:

    xhr.setRequestHeader('Content-type', 'application/json');

into

    xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded; charset=UTF-8');
MikeMynis
0

I know you have found a solution to your question, but I'd like to point out that you are doing some very dangerous things here, that in the best case will corrupt your data and in the worst case make your site vulnerable to script injection.

  1. If you are not sending JSON, then don't use JSON.stringify and then manipulate the string like that. If the data contains those strings you are replacing, then that will corrupt it, and if that data is user input, allow script injection.

  2. I assume {{ Auth::user()->name }} is some server-side code. If the user name contains a quote or anything that is not a valid JavaScript string, this will break the JavaScript and possibly allow script injection by a malicious user. Also: Why are you sending the user name back in the request? The server already knows the username. It seems that this would allow a malicious user to read or write data belonging to another user, if the request is manipulated.

  3. Don't build query strings like that yourself without escaping the data. This breaks your script if it contains characters that aren't allowed in URLs, which it does: { and } are not valid characters in URLs. Use, for example, the URLSearchParams API to build a properly escaped query string.

  4. Finally, it's not really security related, but the newer Fetch API is easier to use and more powerful than the older XMLHttpRequest.

RoToRa
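The following is an added example, not code from the question or from either answer. It puts the question's string-built body next to one built with URLSearchParams (points 1 and 3 above) and shows what a form parser gets back from each. The function names, the `parseForm` stand-in for the server's parser, and the sample rows are assumptions constructed for illustration.

```javascript
// Constructed sample: values containing '&' and the substring '},{'.
const sampleRows = [{ title: "Tom & Jerry" }, { note: "x},{y" }];

// The question's approach, kept for comparison: edit the JSON text with
// replace() and concatenate it unescaped into the request body.
function buildBodyNaive(lang, rows) {
  let result = JSON.stringify(rows).replace("[{", "{");
  result = result.replace("}]", "}");
  result = result.replace(/},{/g, ",");
  return "lang=" + lang + "&data=" + result;
}

// Merge the objects as data, then let URLSearchParams percent-encode each
// value. No user field: the server takes identity from the session.
function buildBodySafe(lang, rows) {
  const merged = Object.assign({}, ...rows);
  return new URLSearchParams({ lang, data: JSON.stringify(merged) });
}

// Stand-in for the server's form parser (what fills $_POST in PHP).
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(String(body)));
}

// Sending it: fetch() sets the form-urlencoded Content-Type itself when the
// body is a URLSearchParams object. Not called here, so the file runs offline.
function sendSafe(url, lang, rows) {
  return fetch(url, { method: "POST", body: buildBodySafe(lang, rows) });
}

const naive = parseForm(buildBodyNaive("en", sampleRows));
const safe = parseForm(buildBodySafe("en", sampleRows));
console.log("naive data:", naive.data); // cut off at the '&'
console.log("safe data: ", safe.data);  // intact JSON
```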