Accessing Raw POST via php://input for forms with Content Type multipart/form-data not working

Question

We have a proxy PHP script and access POST form data via

$postPayload = file_get_contents('php://input');

which usually works.

(The reason to not use $_POST is that we sometimes have duplicate form input names which PHP suppresses)

Now we have a form with

In this case file_get_contents('php://input'); returns an empty string.

It can be reproduced with

curl 'http://localhost/script.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Referer: http://localhost/script.php?commandCode=NO_AUTH_REGIST_OPEN_USER&lang=de' -H 'Origin: http://misumi-europe.com.orange.imi.local' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36' -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk3IVneARm3kqJ0fs' --data-binary $'------WebKitFormBoundaryk3IVneARm3kqJ0fs
Content-Disposition: form-data; name="commandCode"

NO_AUTH_NEXT
------WebKitFormBoundaryk3IVneARm3kqJ0fs
' --compressed

How can I access the RAW POST data in this case?

PiTheNumber · Accepted Answer

multipart/form-data is not send to php://input, only to $_POST.

In php.ini you can set enable-post-data-reading=off to change this but $_POST will always be empty. See http://php.net/manual/en/ini.core.php#ini.enable-post-data-reading

You might set it for single pages using .htaccess

php_value  enable-post-data-reading off

There is also an apache hack:


    SetEnvIf Content-Type ^(multipart/form-data)(.*) NEW_CONTENT_TYPE=multipart/form-data-alternate$2 OLD_CONTENT_TYPE=$1$2
    RequestHeader set Content-Type %{NEW_CONTENT_TYPE}e env=NEW_CONTENT_TYPE

Accessing Raw POST via php://input for forms with Content Type multipart/form-data not working

Answers (2)

Related Questions