ajax post request to php $_POST vars empty

Question

I have a nginx rewrite rule that redirects an img src attribute to a php page. Within this php page I'm trying make a GET request, which on success makes a POST request to the same page, sending the data returned from the GET request as the data. Why is the $_POST data empty in the php script? If I hardcode $name = "http://path/to/my/img.png" in the php script the image renders correctly.

<?php 
ini_set('display_errors',1);
ini_set('display_startup_errors',1);
error_reporting(-1);
var_dump($_REQUEST);
//if(isset($_POST['val'])) {


  // open the file in a binary mode

  $name = $_POST['val']; // ALWAYS EMPTY
  $fp = fopen($name, 'rb');

  // send the right headers
  header("Content-Type: image/png");
  header("Content-Length: " . filesize($name));

  // dump the picture and stop the script
  //echo fpassthru($fp);
  header("Location: $name");
  exit;

//}
?>
<html>
<head>
<script type='text/javascript' src='/steal/steal.js'></script>
<script type="text/javascript" src="/plugins/jquery/json2.js"></script>
<script type="text/javascript">
steal('jquery/dom/fixture').then(function(){

$.fixture("GET /event/{code}", function(original, settings, headers){
    return [200, "success", { "img_url":"http://path/to/my/img.png" }, {} ]
})

var strObj = <?php echo json_encode($_REQUEST); ?>;
var str = strObj.q;
var eventCode = str.split('/')[1];
$.ajax({
  url: "/event/"+eventCode,
  success: function(data) {
     var imgUrl = data.img_url
     $.ajax({
        type: 'POST',
        contentType: 'json',
        data: {val:imgUrl},
        success: function(data){
           console.log(data);
        },
        error: function(jqXHR, textStatus, errorThrown){
           console.log(textStatus);
        }
     });
   }
});

});
</script>

</head>
<body>

</body>
</html>

Answer 1

Alright, you've taken things a few steps beyond what is possible.

When the user hits this image in their email, a request is sent to your server asking for that image. None of that javascript is going to make it back to the user because the <img> tag is expecting an image, not an html document. You can tack things on to the outgoing request via something like

<img src="http://yourwebsite.com/tracker.php?val=someimage.png">

and your script will be able to get val out of $_GET but you won't be able to make a POST request for this image from inside an email.

All that $_REQUEST data you're getting at the top there? That's where you get all your email tracking data from. Everything you can get out of there and $_GET is all you're getting.

Afterwards, you need to give them back an image. So heres how you do that.

$val = $_GET['val']; // assuming val contains an image

header('Content-Type: image/png');
readfile('/path/to/your/images/'. $val);

Please be super aware that you need to sanity check $val to make sure its only containing images that you want to be able to see. A potentially malicious user could see this and put something like tracker.php?val=/etc/passwd or something similar and then you've got PHP trying to read your password file. Making sure that images exist and can even be read can be done with the is_readable() function.