headzoo
asked on
Apache, PHP, and Missing POST Variables
The $_POST array is always empty after submitting a form.
I'm using the Zend Framework (although this problem doesn't appear to be related). I have an .htaccess in the root directory. It looks like this:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
The URL /auth/login (path doesn't really exist. It's rewrite magic) shows a login form, which looks like this:
.. html ..
<form id="login_form" action="/auth/login/" method="post">
<div>
<label for="username">Username</l
<input type="text" id="username" name="username" value=""/>
</div>
<div>
<label for="password">Password</l
<input type="password" id="password" name="password" value=""/>
</div>
<div id="formbutton">
<input type="submit" name="login" value="Login" />
</div>
</form>
.. html ..
Submitting the form ends up with an empty $_POST array. In the root directory's index.php (Where the rewrite rule is sending all requests), I've added to the top:
print_r($_POST)
And it's always Array().
Some interesting things that do work. If I change the form to this:
<form id="login_form" action="/test.php" method="post">
And in test.php I have print_r($_POST), I _do_ get the POST variables. If I create the physical directory /auth/login/index.php (with the same print_r), and change the form to this:
<form id="login_form" action="/auth/login/index.
I _do_ get the POST variables. However if I leave the form as this:
<form id="login_form" action="/auth/login/" method="post">
I _don't_ get the POST variables. In a nutshell, it seems like I only get the POST vars if I specify the name of a real file in the form action. However I can't specify a filename, because the path /auth/login doesn't really exist.
I'm using the Zend Framework (although this problem doesn't appear to be related). I have an .htaccess in the root directory. It looks like this:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
The URL /auth/login (path doesn't really exist. It's rewrite magic) shows a login form, which looks like this:
.. html ..
<form id="login_form" action="/auth/login/" method="post">
<div>
<label for="username">Username</l
<input type="text" id="username" name="username" value=""/>
</div>
<div>
<label for="password">Password</l
<input type="password" id="password" name="password" value=""/>
</div>
<div id="formbutton">
<input type="submit" name="login" value="Login" />
</div>
</form>
.. html ..
Submitting the form ends up with an empty $_POST array. In the root directory's index.php (Where the rewrite rule is sending all requests), I've added to the top:
print_r($_POST)
And it's always Array().
Some interesting things that do work. If I change the form to this:
<form id="login_form" action="/test.php" method="post">
And in test.php I have print_r($_POST), I _do_ get the POST variables. If I create the physical directory /auth/login/index.php (with the same print_r), and change the form to this:
<form id="login_form" action="/auth/login/index.
I _do_ get the POST variables. However if I leave the form as this:
<form id="login_form" action="/auth/login/" method="post">
I _don't_ get the POST variables. In a nutshell, it seems like I only get the POST vars if I specify the name of a real file in the form action. However I can't specify a filename, because the path /auth/login doesn't really exist.
ASKER
@hernst42 - Same. $_POST is still empty.
enable the rewritelog and it's verbosity to check what excatly is going on. Seems like it's doing a external rewrite where to post-parameters get lost.
ASKER
@hernst42 - I did try that, and I don't see anything unusual. But after hours of fooling around, and trying various rewrite things, I'm not convinced the problem lies with in mod_rewrite.
If I create that path and file /auth/login/index.php, and delete the .htaccess file altogether, I still have the issue. Using action="/auth/login/" doesn't work, while action="/auth/login/index.
If I create that path and file /auth/login/index.php, and delete the .htaccess file altogether, I still have the issue. Using action="/auth/login/" doesn't work, while action="/auth/login/index.
How is you DirectoryIndex defined? Does it contain index.php at first or do you have also a index.html there. Can you post the rewrite log?
ASKER
I wasn't sure if it mattered or not, but the site is using SSL with an https URL. I tried some things with a non-SSL virtualhost on my server, and everything worked fine.
hm got it working with this. Your problem might be the missing Rewritebase:
RewriteEngine On
RewriteBase /~hernst/ee/22893159
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [PT,L]
test.html:
<form action="https://emu/~hernst/ee/22893159/auth/login/" method="post">
<input name="foo" value="bar" type="submit">
</form>
index.php
<pre>
<?php
var_dump($_POST);
var_dump($_REQUEST);
phpinfo();
RewriteEngine On
RewriteBase /~hernst/ee/22893159
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [PT,L]
test.html:
<form action="https://emu/~hernst/ee/22893159/auth/login/" method="post">
<input name="foo" value="bar" type="submit">
</form>
index.php
<pre>
<?php
var_dump($_POST);
var_dump($_REQUEST);
phpinfo();
it's your action attribute
action="/auth/login/"
it has to point to a specific file with "POST",
point it directly to the php file receiving the form data.
your action attribute works fine with "GET".
best practice you should always put a specific file.
action="/auth/login/"
it has to point to a specific file with "POST",
point it directly to the php file receiving the form data.
your action attribute works fine with "GET".
best practice you should always put a specific file.
ASKER
@nplib - I can't point the form towards a specific file, because the path "/auth/login" doesn't really exist. So "auth/login/somefile.php" really, really doesn't exist. It only exists in rewrite-land.
then change your form from post to get.
cause there isn't really a way around that.
In order for post to work it has to post to a specif file.
What about the file you are running the
print_r($_POST);
command from? can't you point your form to that?
cause there isn't really a way around that.
In order for post to work it has to post to a specif file.
What about the file you are running the
print_r($_POST);
command from? can't you point your form to that?
ASKER
@hernst42 - I tried using the RewriteBase, and it doesn't work. I really don't think this is a rewrite issue. Like I said, I turned off mod_rewrite, and the issue still persists in my test scripts.
Right now what I'm looking at, is life is good on my regular http sites, but I still have this issue on my https site. So..
1) Either HTTPS has issues with transporting POST vars when a filename isn't specified. OR...
2) There is a setting in Apache -- specifically in my ssl.conf -- that is messing things up.
I'm leaning towards #2. Can anyone think of an Apache setting that would mess things up?
Right now what I'm looking at, is life is good on my regular http sites, but I still have this issue on my https site. So..
1) Either HTTPS has issues with transporting POST vars when a filename isn't specified. OR...
2) There is a setting in Apache -- specifically in my ssl.conf -- that is messing things up.
I'm leaning towards #2. Can anyone think of an Apache setting that would mess things up?
ASKER
@nplib - Using hacks is my second route, and I will once I've exhausted all options here. It wouldn't bother me so much, except it works just fine on my local PC, and it works just fine on my server under a non-ssl site.
And since it's a login form, using GET isn't an option. :)
And since it's a login form, using GET isn't an option. :)
My simple posted example works also with SSL. AFAIK there are no special settings we made for apache. Can't think of an apache directive which discards posts information.
Can you post the SSL-configuration part of your apache?
Can you post the SSL-configuration part of your apache?
<form action="https://emu/~hernst/ee/22893159/auth/login/" method="post">
<input name="foo" value="bar" type="submit">
</form>
this may be worth mentioning
but usually post won't post the value of the submit button.
you could try putting some else there for testing
<form action="https://emu/~hernst/ee/22893159/auth/login/" method="post">
<input name="something" value="bob" />
<input name="foo" value="bar" type="submit">
</form>
and see what happens.
<input name="foo" value="bar" type="submit">
</form>
this may be worth mentioning
but usually post won't post the value of the submit button.
you could try putting some else there for testing
<form action="https://emu/~hernst/ee/22893159/auth/login/" method="post">
<input name="something" value="bob" />
<input name="foo" value="bar" type="submit">
</form>
and see what happens.
ASKER
My ssl.conf (with comments removed to keep it short) http://pastebin.com/m5b223590
@nplib:
Of course will post include the value of the submit-button if you name the button. You can also have multiple submit-buttons and distinguish by the posted value which submit-button the user pressed. As already told the posted example worked on my apache-configuration (which is just a Zend-Core installation with apache 2.2)
Of course will post include the value of the submit-button if you name the button. You can also have multiple submit-buttons and distinguish by the posted value which submit-button the user pressed. As already told the posted example worked on my apache-configuration (which is just a Zend-Core installation with apache 2.2)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@hernst42 - Yes, the plot thickens! Commenting out those directives fixes everything.. sort of.
When I comment out those lines, my POST vars finally start working. There's a problem though: I kind of need those lines. They block access to the site, unless the visitor has a public key certificate loaded up in their browser. This is an "internal admin" site, where access is limited.
Hrm..
When I comment out those lines, my POST vars finally start working. There's a problem though: I kind of need those lines. They block access to the site, unless the visitor has a public key certificate loaded up in their browser. This is an "internal admin" site, where access is limited.
Hrm..
ASKER
Well, the SSLVerifyClient issue seems to be a whole different can of worms. So I'll accept hernst42's solution, and look for answers to the client cert problem.
ASKER
Update: In case anyone else has this same problem.
Everything works fine if you put the "SSLVerifyClient require" and "SSLVerifyDepth 1" _outside_ of the <Directory> node. There appears to be a bug in either Apache or PHP, where PHP doesn't get the POST vars when using SSLVerifyClient inside a <Directory> node.
Everything works fine if you put the "SSLVerifyClient require" and "SSLVerifyDepth 1" _outside_ of the <Directory> node. There appears to be a bug in either Apache or PHP, where PHP doesn't get the POST vars when using SSLVerifyClient inside a <Directory> node.
RewriteRule . index.php [PT,L]