Post form data to PHP then to 3rd party site

I need to allow end users to submit their usernames into an html form and pass that data to a 3rd party site, where they then submit their passwords.  The form needs to have controls in place for cross-site scripting and other malicious types of attacks.  My understanding is that I can have php request the form data, where the input can be sanitized and then use a CURL function to pass the data to the 3rd party.  I'm familiar with how to sanitize input with PHP, but not how to then automatically pass the data to the 3rd party.  I don't necessarily have to use CURL, if there is a better method available.

Thank you in advance!

Example form:

<form action="https://thirdpartysite.com/Remote/RemoteLoginApi.aspx?" method="POST">
 <input name="_userName" type="text" maxlength="26" id="_userName" />
 <input name="_buttonContinue" type="submit" value="Continue" id="_buttonContinue"
class="remoteFrame button" />
</form>


kmgish Asked:
Dave Baldwin (Fixer of Problems) Commented:
It is not clear why you can't go straight to the third-party site as you show in your example form.  ??
1
F P Commented:
I think a simple redirection in the header to the site with a GET variable (anything after the ? in the URL -- in a ?varkey=value&varkey2=value2 ... format) would be the best way to do what you're asking.

So, in PHP after you're done processing the post on your system, do this:

<?php

header('Location: http://www.foobar.com/thePage.php?uname=' . urlencode($_POST['_userName']));
exit;


0
kmgish (Author) Commented:
Hi Dave,

As to pointing it directly to the third party, I suppose that's possible.  But we're a financial institution and I'm reluctant to put any kind of input on our site, without a minimum of server side validation and sanitization.  Plus, in the limited instructions I was given, they ask that we mitigate cross-site scripting.
0
Ray Paseur Commented:
Not sure whether a GET request would work -- especially if the 3rd party site expects POST.  What is the 3rd party site?  Where is the documentation of their login process?
0
kmgish (Author) Commented:
Frank,  That looks promising.  I'll run some tests and get back to you.

Thanks,

Mark
0
F P Commented:
submit their usernames into an html form and pass that data to a 3rd party site, where they then submit their passwords

He didn't mention what the 3rd party accepts, but the GET is easiest and both it and POST are just as insecure. Depends on the other site whether he needs to cURL, but hopefully not. cURL is a nightmare in my mind, especially if he doesn't already have it installed.
0
F P Commented:
Hopefully they aren't picky, Mark! Lemme know if you need help on a cURL request.
0
kmgish (Author) Commented:
Ray,

Unfortunately, I can't post the documentation, because of confidentiality agreements with our vendor. But it looks like Frank's solution is a GET to My form, then I would sanitize and redirect the data, via a form post to our vendor.  

Mark
0
Dave Baldwin (Fixer of Problems) Commented:
"limited instructions"?  I would think you should be getting exact instructions... since you're a 'financial institution'.  And a secure HTTPS connection should be required and if it is a POST to them, then CURL will also be necessary.
0
Ray Paseur Commented:
OK, I don't have enough time left in life to guess about invisible things, so if you can't show us the documentation, I'm out.  Good luck.
0
F P Commented:
Mark,

The confusion may lie in the terminology you're using. A form post cannot be reproduced in PHP without using the cURL library, which allows PHP to post to another external URL and allows you to easily manipulate the POST values. A GET style of request, as in my code, tells the end user to refresh and redirect their current location and make that request to the 3rd party server on their own, rather than your PHP making the request. Generating JavaScript and passing it to them to execute and move, or using header tags that are sent to their browser itself, are the only ways PHP can make a browser move through its initialization, i.e., the user has no required action. You can access the value of superglobal variables using the specific POST, GET, or COOKIE individually, or you can have your 3rd party just use $_REQUEST, if they're on PHP, to look through all 3 in case they don't want to write a bunch of excess code. Hopefully that GET header redirection works though.
0
kmgish (Author) Commented:
Hey guys,

Yeah, our vendor is notoriously unhelpful, particularly for a financial institution. (Needless to say, they were already our vendor when I got here)  I do know that they won't accept a GET request, only POST.  So it may be that CURL is my only option.  I just don't understand CURL very well.

I apologize for being kind of vague with example code and documentation, but I just can't post more than I have already.  So I completely understand if you can't assist with the limited information provided.

FYI, I'll be away from my computer for most of the night and may not respond until morning, PST time.

Thanks again for all the help.

Mark
0
F P Commented:
Just make sure when you make the cURL request, you set this option:

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);


... and it will be straightforward, provided you already have it installed and enabled.
0
kmgish (Author) Commented:
Frank,

I've got the curl script working to a point, but it looks like the destination doesn't like it.  I can connect to the page, but it hangs forever, with a spinning wheel.  I'm almost certain that the problem is on the side of the vendor and not our site.  I'm going to contact the vendor again and try to get further assistance.  They're just very difficult to work with, so I was hoping to find a working solution here.

Thanks again for everything!!

Mark
0
kmgish (Author) Commented:
BTW, here is the php/curl code on the page that receives the POST from the login form:

$uid = $_POST['uid'];
$uid = htmlspecialchars($uid, ENT_QUOTES);

//set POST variables
$url = "https://www.remotevendor.com/RemoteLoginAPI.aspx?FIORG=568&orgId=568_121141877&FIFID=121141877&brand=568_121141877&appId=ceb";
$fields = array(
'_textBoxUserId' => urlencode($uid)
);

//url-ify the data for the POST
$fields_string = ''; //initialise before appending
foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
$fields_string = rtrim($fields_string, '&'); //rtrim() returns the trimmed string; keep the result

//open connection
$ch = curl_init();

//set the url, enable POST, set the POST data
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_POST, true); //boolean switch, not a field count
curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
//as posted: false turns off the check that the certificate matches the host name (libcurl default is 2)
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)");

//execute post (without CURLOPT_RETURNTRANSFER the response is echoed directly)
$result = curl_exec($ch);

//close connection
curl_close($ch);


0
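A hardened form of the server-to-server POST discussed in this thread, as an added example that is not part of any participant's post: it keeps certificate verification on, sets timeouts so a stalled vendor produces an error instead of a hang, and encodes the value for a request body rather than for HTML. `vendor.example`, the field name and the allowed character set are assumptions.

```php
<?php
// Added example, not the poster's code. VENDOR_URL, the field name and the
// user-ID pattern are assumptions; use the vendor's documented values.
const VENDOR_URL = 'https://vendor.example/RemoteLoginAPI.aspx'; // placeholder

function postUserIdToVendor(string $uid): array
{
    $ch = curl_init(VENDOR_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // http_build_query() URL-encodes the body. No htmlspecialchars() here:
        // the value goes into a request body, not into an HTML page.
        CURLOPT_POSTFIELDS     => http_build_query(['_textBoxUserId' => $uid]),
        CURLOPT_RETURNTRANSFER => true,  // return the response instead of echoing it
        CURLOPT_SSL_VERIFYPEER => true,  // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never downgrade to http
        CURLOPT_FOLLOWLOCATION => false, // surface redirects to the caller
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,    // fail with an error instead of hanging
    ]);
    $body = curl_exec($ch);
    return [
        'status' => (int) curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'error'  => $body === false ? curl_error($ch) : null,
        'body'   => $body === false ? null : $body,
    ];
}

// Assumed policy: 1-26 characters (the form's maxlength) from a fixed set.
// is_string() rejects array input such as uid[]=x before the pattern check.
$raw = $_POST['uid'] ?? null;
if (!is_string($raw) || preg_match('/\A[A-Za-z0-9._@-]{1,26}\z/', $raw) !== 1) {
    http_response_code(400);
    exit('Invalid user ID.');
}
$res = postUserIdToVendor($raw);
if ($res['error'] !== null || $res['status'] >= 400) {
    error_log('vendor POST failed: ' . ($res['error'] ?? 'HTTP ' . $res['status']));
    http_response_code(502);
    exit('Login service unavailable.');
}
// The response (and any cookies in it) arrived at this server, not at the
// user's browser, so the user is not yet on the vendor's site.
```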
F P Commented:
I'm going to validate the code in a second, but first thing I noticed is that you need to just use urlencode() instead of the foreach loop you have on an array with one element, and all you're looking for is the proper UTF8 encoding for URLs.
0
F P Commented:
With one value you want to post with, I would do this:

$uid = htmlspecialchars($_POST['uid'], ENT_QUOTES);

//set POST variables
$url = "https://www.remotevendor.com/RemoteLoginAPI.aspx?FIORG=568&orgId=568_121141877&FIFID=121141877&brand=568_121141877&appId=ceb";
$fields = '_textBoxUserId=' . urlencode($uid); //single key=value pair, no leading '&'

//open connection
$ch = curl_init();

//set the url, enable POST, set the POST data
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_POST,TRUE);
curl_setopt($ch,CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
//as posted: these two lines turn off host-name and certificate-chain verification
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

//execute post
$result = curl_exec($ch);

//close connection
curl_close($ch);


That should work. If it doesn't, I would recommend making this an ajax form which posts the information to your server and handles the request, and then return javascript which will redirect the user with a post on a new form to the vendor. Let me know and I'll give you code and configuration to handle/do all that. Now why can't you redirect them with that user ID as a GET value when the vendor is already using GET values? Without asking them, just try this if the above doesn't work:

<?php

header('Location: https://www.remotevendor.com/RemoteLoginAPI.aspx?FIORG=568&orgId=568_121141877&FIFID=121141877&brand=568_121141877&appId=ceb&_textBoxUserId=' . urlencode($_POST['uid']));
exit;


0
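The browser-side relay described in the comment above (validate on your server, then hand the browser a form that POSTs to the vendor), as an added example that is not part of any post in this thread. `VENDOR_ACTION`, the field name and the user-ID policy are assumptions; the value is HTML-escaped only where it is written into the page.

```php
<?php
// Added example, not code from the thread. VENDOR_ACTION, the field name and
// the user-ID policy are assumptions; substitute the vendor's documented values.
const VENDOR_ACTION = 'https://vendor.example/RemoteLoginAPI.aspx'; // placeholder

function cleanUserId($raw): ?string
{
    // Reject arrays (uid[]=x) and anything outside the assumed allow-list.
    if (!is_string($raw)) {
        return null;
    }
    $uid = trim($raw);
    return preg_match('/\A[A-Za-z0-9._@-]{1,26}\z/', $uid) === 1 ? $uid : null;
}

function relayPage(string $uid): string
{
    // Escape for the HTML attribute context at the point of output.
    $action = htmlspecialchars(VENDOR_ACTION, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $value  = htmlspecialchars($uid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return <<<HTML
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Continuing to login</title></head>
<body onload="document.forms[0].submit()">
<form action="{$action}" method="post">
  <input type="hidden" name="_textBoxUserId" value="{$value}">
  <button type="submit">Continue</button>
</form>
</body></html>
HTML;
}

$uid = cleanUserId($_POST['uid'] ?? null);
if ($uid === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Invalid user ID.');
}
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store'); // keep the relay page out of caches
echo relayPage($uid);
```

The visible button lets the user continue when the inline `onload` handler is blocked, for example by a Content-Security-Policy without inline script.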

kmgish (Author) Commented:
Hi Frank,

Sorry for waiting so long to reply, but I didn't realize until this morning that you had responded.  The CURL code you posted is resulting in the same behavior, just sits on the page that the form posts to, with a generic error message that's generated from the vendor's site.

I tried your header redirect code and that DOES appear to work.  It takes you to a page where you can enter a user id, on the vendor's site.  

I hope that answers your questions.

Thanks,

Mark
0
Question has a verified solution.