Hello, I've been having some troubles with this function lately.

I'm trying to validate if a certain user account exists [from a database outside my website] before proceeding with the script, so in order to do that I'm using the following code:

$account = 'test';
$password = '1234';

$data = array('username' => $account, 'password' => $password);
$content = file_get_contents('http://localhost/misc/login.php', false, stream_context_create(
    array('http' => array(
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query($data)
    ))
));

$find = 'Welcome '.$account.'';
$search = strpos($content, $find);

if ($search === false) {
    echo 'Incorrect login information. Please try again.';
} else {
    echo 'Valid user account';
}

No matter what user account/password combination I use, it always fails, even with a known-functional account.

I did some tests to find out what was wrong, and printed the $_POST values to check they were the right ones. It turns out that only the first field/value is being sent, so on the login page I get the username but an empty password. The same happens if I rearrange $data with the password as the first array value: I get the password on the login screen but not the username.

Any ideas of what's causing this?

Thanks in advance,
-javier

    You should use some tools (e.g. Wireshark) to figure out what's happening. I don't know http_build_query, but it'd be interesting to see what it does with given input.

    Does your login.php require any other fields besides username and password? No hidden fields or submit button?

    If login.php is from a site you don't control, this technique is extremely iffy as it could cause your site to break without warning as soon as it's changed.

    Mark

      2 months later

      I know it would break if they change the page; if it does, I'll just change the form input names. I'm not going to use this for that long anyway, so it might not even change.

      And yes, it does require other fields, a submit button; still, I'm only able to send one value.

      Any help on this? I know it's an old thread, but I never got it working and again I need to do this.

        Almost got it working, except for one thing:

        When I pass the POST values, using http_build_query and stream_context_create, only the first value appears as it's supposed to; the rest appear with 'amp;' in the beginning.

        $data = array('account'=>'javier',
        'password'=>'12345',
        'submit'=>'go');

        http_build_query($data); //account=javier&password=12345&submit=go

        Instead of using them as $_POST['account'], ['password'] and ['submit'], I have to use $_POST['account'], ['amp;password'] and ['amp;submit'].

        Any ideas of how to fix this?

          Don't forget to mark this thread resolved (and perhaps post the solution so that it may benefit those with a similar problem in the future).

            Sure, to get rid of those ugly amps I used:

            $validPOSTvars = htmlspecialchars_decode(http_build_query($this->data));
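
The 'amp;' keys in this thread match what http_build_query() produces when no separator is passed and it falls back to the arg_separator.output ini setting. The following is an added example, not code from the thread: it assumes that setting is "&amp;" on the sending server (the thread does not confirm it) and shows the separator being fixed with the function's third argument; receivedFields() and postContext() are hypothetical helper names.

```php
<?php
// Added example. Assumption: php.ini on the sending server has
// arg_separator.output = "&amp;", which the thread does not confirm.

// Constructed sample fields, copied from the thread's second snippet.
$data = ['account' => 'javier', 'password' => '12345', 'submit' => 'go'];

// Reproduce the assumed configuration for this script only.
ini_set('arg_separator.output', '&amp;');

// With no separator argument, http_build_query() uses arg_separator.output.
$broken = http_build_query($data);

// Passing the separator explicitly makes the body independent of php.ini.
$fixed = http_build_query($data, '', '&');

// Decode a body the way the receiving script does, assuming the default
// arg_separator.input of "&" on the receiving side.
function receivedFields(string $body): array
{
    parse_str($body, $fields);
    return $fields;
}

// Build the same POST stream context the thread uses, for a given body.
function postContext(string $body)
{
    return stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => $body,
    ]]);
}

// Compare the two bodies and the field names the receiver ends up with.
foreach (['broken' => $broken, 'fixed' => $fixed] as $label => $body) {
    echo $label, ': ', $body, "\n";
    echo '  keys: ', implode(', ', array_keys(receivedFields($body))), "\n";
}

// Values are percent-encoded, so '&', ';' and '=' inside a password
// (constructed value) survive the round trip unchanged.
$tricky = ['account' => 'javier', 'password' => 'a&amp;b=c'];
var_dump(receivedFields(http_build_query($tricky, '', '&')) === $tricky);

// Against the thread's endpoint (not run here, it needs the login page):
// $content = file_get_contents('http://localhost/misc/login.php', false, postContext($fixed));
```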
            