Where to find a changing PHP POST data

Question

I logged in with the following code (I summarized it with the most important parts):

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_parameters);
$result = curl_exec($ch);
curl_close($ch);

In order to know what $post_parameters I had to enter, I used httpfox to analyze the HTTP traffic when I log in manually on my browser. The POST Data showed to be like this:

auth_key=880ea6a14ea49e853634fbdc5015a024&referer=http%3A%2F%2Fwww.website.net%2F&ips_username=myUsername&ips_password=myPassword

So I just did this on my script:

$post_parameters = "auth_key=".$authKey."&referer=".$referer."&ips_username=".$username."&ips_password=".$password;

I planned to do the same with the function to simulate the topic post, but I have the problem that when I post something manually with the browser and analyze the traffic to find the POST Data, instead of looking like the one for the log in, it looks like this:

-----------------------------20170174379164 // <-- Unknown number
Content-Disposition: form-data; name="st"

0
-----------------------------20170174379164
Content-Disposition: form-data; name="app"

forums
-----------------------------20170174379164
Content-Disposition: form-data; name="module"

post
-----------------------------20170174379164
Content-Disposition: form-data; name="section"

post
-----------------------------20170174379164
Content-Disposition: form-data; name="do"

new_post_do
-----------------------------20170174379164
Content-Disposition: form-data; name="s"

5124060eb013dfa845b1e6b67c3fbfa7 //Changing number which can be found on the previous source code
-----------------------------20170174379164
Content-Disposition: form-data; name="p"

0
-----------------------------20170174379164
Content-Disposition: form-data; name="t"
.
.
.

I want to do the same I did in the other case, that would be something like this:

$post_parameters = "-----------------------------$boundaryNumber
Content-Disposition: form-data; name="st"

0
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="app"

forums
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="module"

post
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="section"

post
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="do"

new_post_do
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="s"

$changingNumber 
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="p"

0
-----------------------------$boundaryNumber
Content-Disposition: form-data; name="t"
.
.
."

but I have the problem that I dont know what number will appear on the boundary line so that I could just put $boundaryNumber everytime it appears on the code. Is there a way I can know what number will appear? If there isn't, can I place the number I want or it has to be a specific number so that the POST works?

I hope I explained myself better this time.

Answer 1

2 obvious problems, you don't urlencode your data, so if the data contains & or = or spaces or ÆØÅ or a bunch of other characters, you'll send the wrong data.

second problem is that your curl code use application/x-www-urlencoded encoding, but your browser use multipart/form-data -encoding in the POST request body.

now with curl_, in order to use use multipart/form-data -encoding, just give CURLOPT_POSTFIELDS an array, and curl will multipart/form-data -encode it for you :)

$post_parameters = array (
        "auth_key" => $authKey,
        "referer" => $referer,
        "ips_username" => $username,
        "ips_password" => $password 
);

edit: fixed some code-breaking typos, had = in the array key name when converting it from urlencoded to php array

as for the confusion about the boundary string, its you, yourself, that decide what the boundary string is. usually, its just a bunch of random characters. its part of the multipart/form-data encoding... but you don't have to worry about that, as curl will make a boundary string for you automatically, and you don't need to know how it works or what it is, curl will take care of it for you.