htaccess & variables POST - Apache Web Server forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

htaccess & variables POST

mounaime

8:47 pm on Nov 20, 2013 (gmt 0)

10+ Year Member

Hello,

I have a problem with a _POST variables which is empty after URL rewriting and redirection.

form:

<form name="myform" id="contactForm" action="http://example.com/sendcontact.php" method="post">

<article class="span6">
<textarea id="msg" rows="3" cols="40" name="message" placeholder="Message">Détails</textarea>
</article>

<article class="span6">
<input type="text" name="adresse" id="adresse">
<input size="100" type="text" name="name" id="name" placeholder="Nom">
<input type="text" size="30" id="email" name="email" placeholder="Adresse e-mail">
<button type="submit" name="submit" id="submit" class="btn btn-renova-alt add-top-half">Send message</button>
</article></form>

PHP :

<?php
if($adresse != "" ){

}
else{
if(isset($_POST['submit']))
{
$to = "daniel@example.com";
$subject = "Email from";
$name_field = stripslashes($_POST['name']);
$email_field = stripslashes($_POST['email']);
$message = stripslashes($_POST['message']);
$body = "<html>\n";
$body .= "<body style=\"font-family:Verdana, Verdana, Geneva, sans-serif; font-size:12px; color:#666666;\">\n";
$body .= "From: $name_field <br/> E-Mail: $email_field <br/> Message: <br/> $message";
$body .= "</body>\n";
$body .= "</html>\n";

$headers = 'MIME-Version: 1.0' . "\n";
$headers .= 'Content-type: text/html; charset=utf-8' . "\n";
$headers .= 'Reply-to: '.$name_field. '<'.$email_field.'>' . "\n" ;
$headers .= 'Return-path: '.$name_field. '<'.$email_field.'>' . "\n" ;
$headers .= 'From: MGS < contact@example.com >' . "\r\n";
$name_field = stripslashes($name_field);
$message = stripslashes($message);
mail($to, $subject, $body, $headers);
unset($name_field);
unset($email_field);
unset($message);
}
else
{
echo "Failure!";
}
}
?>

htaccess:

RewriteEngine on
#RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
#RewriteCond %{HTTP_HOST} ^www\.example\.com$
#RewriteRule ^/?$ "https\:\/\/www\.example\.com\/" [R=301,L]
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ [example.com...] [R,L]

The URL is rewritten correctly but I get an empty value for my POST variable.
PS: I don't get none past variables by the form

Do you have a solution to this?
thank you

lucy24

10:52 pm on Nov 20, 2013 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Last things first: Have you got two different canonicalization redirects from two different sources? In a redirect target (whether by mod_alias or mod_rewrite) you never, ever need to \ escape anything. The R default is 302 temporary, so always say R=301 unless you specifically want it to be a 302.

Any conditions involving protocol and/or hostname should be negative, for example

!^(www\.example\.com)?$

The idea is to say "If the request is anything other than the form I want..." If your site is mixed http and https, you'll need two rulesets, one each way.

Now then: The bad news is that the problem is not in the rules themselves. The problem is in the act of redirecting. The http(s) standard has special rules about redirecting POST requests

:: shuffling papers ::

If the 301 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
<snip>
When automatically redirecting a POST request after receiving a 301 status code, some existing HTTP/1.0 user agents will erroneously change it into a GET request.

The prose for 302 is even worse.

The good news is that this is a non-problem, because legitimate requests will never be redirected. The page that holds the form should point it to the correct URL. (The same, of course, applies to any internal link. But the ones involving POST can really enforce the rule.)

Incidentally, I was told by someone hereabouts that the all-encompassing form for ensuring a non-empty variable in php is

empty($variable-name)

This covers you both ways, whether the variable is undefined or its value is zero/null.

aakk9999

11:35 pm on Nov 20, 2013 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

I have seen this done (redirecting POST with POST variables), but not within .htaccess.

What I have seen is cases where POST request actually gets to the script. Then this script does redirection, turning POST variables to GET variables (and at that stage the script can also drop unnecessary variables) and the "Location" in headers would be GET with the URL that contains variables sent originally by POST request. In this case your script should be expecting to get variables either in the POST or GET array. This should not be used if the data sent in POST variables is sensitive.

Second way I have seen this done is again via the script being posted to, where the script upon receiving POST request, stores variables into cookie and the headers returned would be redirect headers as well as set cookie headers. In this case your script should be expecting to get variables either in the POST array or from the cookie.

Your particular example

However, in the particular case from your example above (where you are redirecting to https), then it seems to me that you are posting to the wrong URL (http). So fixing your internal POST target to make sure you specify absolute URL with https should suffice.

This is because POST is executed from within your web pages. If the URL link was somewhere else, or typed into address bar, browser would execute GET and not POST.

So (unless you use some kind of a request builder development tool to test), the only way to execute POST with variables is by posting within your script. Get it right in your script and you will never need to redirect POST with variables set.

Which is in fact what Lucy24 has told you above:

The good news is that this is a non-problem, because legitimate requests will never be redirected. The page that holds the form should point it to the correct URL.

There is one way how the POST that would need to be redirected to https could get from the outside to your site - which would be from another site that has form built and executes POST to your website. If you allow this, you should ask your partners (other sites) to post to the correct fully qualified URL - again as Lucy's quote says.

mounaime

2:06 am on Nov 21, 2013 (gmt 0)

10+ Year Member

Thank you very much lucy24 & aakk9999
Thank you so much for all your help I really appreciate it , it's been two days that I look for a solution to that and thanks to you my problem is solved and my form works properly with the recuperation of _POST, Thank you so much really you saved my life .
Very good communication, helpful and quick support. I was able to find the right solution by the answer you provided. Short in words, 10 stars out of 10. Thanks & Best Regards!