The scenario: I have a proboards forum site that I have been running for about 10 years. It is devoted to pre-war guitars, as is my own site notecannons.com.
Over the years hundreds of folks have added pictures, variously hosted elsewhere, on the forum as part of discussions. BUT as their pic hosting expires, etc., the pics vanish. So I wanted to set up our own picture hosting, which I have done. But I only want members of the forum to access ‘my’ picture hosting service.
Unfortunately proboards doesn’t have an API for outsiders to see if a valid name/pw pair is entered except by going through their home login page. However I realised that all I (thought I) needed was to simulate their login form and then simply parse the returned page, which either contains “Welcome Guest” if not a valid pair, or “Hey” if a valid pair.
So I copied their form, put in the full path to their form handler, ran it from my localhost, and yes, it worked, I got back the relevant page from their site depending on if I entered my valid name/pw pair or a non-valid pair.
So I tried to emulate the form with cURL, but I always get the ‘Welcome Guest’ page back, even if I use my valid credentials.
I’ve tried using cURL while pointing the form at Michael Schrenk’s invaluable HTTP Request Diagnostic Page and it returns the right pairs, so the post data is going ‘out’ from cURL ok…
I also tried pointing my localhost form at Michael Schrenk’s analyzer which works fine and got the same post data pairs reported.
So, I’m stuck as to what to try next. Both ways seem to send the identical post data pairs to proboards’ server, but their server only seems to read the pairs if submitted from the form, and not via cURL.
My sample form:
<form action="http://schrenk.com/nostarch/webbots/form_analyzer.php" method="post" name="loginform">
<input type="hidden" name="action" value="login2">
<center>
<table width="350" cellpadding="0" cellspacing="2" border="0">
<tr>
<td colspan="2" align="center"><input type="checkbox" name="minutes" value="-1" id="minutesinput" /> <font size="2">Keep me logged in</font></td>
</tr>
<tr>
<td width="175">Username:</td><td width="175"><input type="text" name="username" size="20" maxlength="18"/></td>
</tr>
<tr>
<td width="175">Password:</td><td width="175"><input type="password" name="password" size="20"/></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value=" Login "/></td>
</tr>
</table>
</center>
</form>
The same thing submitted via cURL:
<?php
function webpage2txt($url) {
    $user_agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"; // spoof a browser
    $ch = curl_init(); // initialize curl handle
    curl_setopt($ch, CURLOPT_URL, $url); // set url to post to
    curl_setopt($ch, CURLOPT_FAILONERROR, 1); // fail on errors
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // allow redirects
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // place resulting page in variable (don't display)
    curl_setopt($ch, CURLOPT_PORT, 80); // set the port number
    curl_setopt($ch, CURLOPT_TIMEOUT, 15); // times out after 15s
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent); // fake a user agent
    curl_setopt($ch, CURLOPT_POST, 1); // use POST, not GET
    curl_setopt($ch, CURLOPT_POSTFIELDS, "action=login2&minutes=-1&username=xxxxxx&password=yyyyyy"); // this is the post data to be added to $url
    $document = curl_exec($ch);
    curl_close($ch); // close the handle here, where $ch is in scope
    if ($document === false) {
        return ""; // the request failed, so there is nothing to parse
    }
    // now, strip out everything returned except the raw text to parse
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
        '@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
        '@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
        '@<![\s\S]*?--[ \t\n\r]*>@', // Strip multi-line comments including CDATA
        '/\s{2,}/', // Collapse runs of whitespace
    );
    $text = preg_replace($search, "\n", html_entity_decode($document));
    $pat[0] = '/^\s+/'; // leading whitespace
    $pat[2] = '/\s+$/'; // trailing whitespace
    $rep[0] = "";
    $rep[2] = " ";
    $text = preg_replace($pat, $rep, trim($text));
    return $text; // just end up with straight text string to parse ;-)
}
echo webpage2txt("http://schrenk.com/nostarch/webbots/form_analyzer.php");
echo "<br><hr><br>";
?>
I’ve removed the actual forum detail, but I hope that perhaps someone can suggest why the form works, but the identical data sent using cURL fails.
Thank you.
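An added example, not part of the original post: the analyzer comparison described above covers only the POST pairs, while a request also carries a request line and headers. This PHP code parses two raw request captures and lists every header that differs between them; both captures, the host example.test, and the function names parseRequest and diffRequests are constructed for illustration.

```php
<?php
// Added example; both captures further down are constructed samples, not real traffic.
function parseRequest(string $raw): array {
    // Separate the header block from the body at the first blank line
    [$head, $body] = array_pad(preg_split("/\r?\n\r?\n/", $raw, 2), 2, '');
    $lines = preg_split("/\r?\n/", $head);
    $requestLine = array_shift($lines);
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) continue;
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value); // header names are case-insensitive
    }
    parse_str($body, $fields); // decode the urlencoded POST pairs
    ksort($fields);            // field order does not matter for the comparison
    return ['line' => $requestLine, 'headers' => $headers, 'fields' => $fields];
}

function diffRequests(string $rawA, string $rawB): array {
    $a = parseRequest($rawA);
    $b = parseRequest($rawB);
    $report = ['same_fields' => $a['fields'] === $b['fields'], 'headers' => []];
    $names = array_unique(array_merge(array_keys($a['headers']), array_keys($b['headers'])));
    sort($names);
    foreach ($names as $n) {
        $va = $a['headers'][$n] ?? null; // null means the header is absent
        $vb = $b['headers'][$n] ?? null;
        if ($va !== $vb) $report['headers'][$n] = [$va, $vb];
    }
    return $report;
}

// Constructed captures: same POST body, different surrounding request
$body = "action=login2&minutes=-1&username=xxxxxx&password=yyyyyy";
$fromForm = "POST /login HTTP/1.1\r\nHost: example.test\r\n"
    . "User-Agent: ExampleBrowser/1.0\r\nReferer: http://localhost/form.html\r\n"
    . "Cookie: session=CONSTRUCTED\r\n"
    . "Content-Type: application/x-www-form-urlencoded\r\n\r\n" . $body;
$fromCurl = "POST /login HTTP/1.1\r\nHost: example.test\r\n"
    . "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n"
    . "Content-Type: application/x-www-form-urlencoded\r\n\r\n" . $body;

$r = diffRequests($fromForm, $fromCurl);
echo "POST pairs identical: ", $r['same_fields'] ? 'yes' : 'no', "\n";
foreach ($r['headers'] as $name => [$form, $curl]) {
    printf("%-12s form=%s | curl=%s\n", $name, $form ?? '(absent)', $curl ?? '(absent)');
}
```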