Can user send HTTP_RAW_POST_DATA to my site?

Question

A stupid question but I am a little confused. I use pubsubhubbub and check for a new information with if(isset($_HTTP_RAW_POST_DATA)). I check if user is logged with:

if(isset($_SESSION['user'])) {
 //logged
}

Can a user send a HTTP_RAW_POST_DATA?

Answer 1

So, basically anyone who sends an HTTP POST request to your callback will actually send a $HTTP_RAW_POST_DATA. Many languages and framework have libraries to parse this into HTTP POST params. In the context of PubSubHubbub, the body is NOT made of params, so you have to use the lower level $HTTP_RAW_POST_DATA, as parsing the XML as params would not make any sense.

If you're trying to secure your callback URL, there are multiples ways to do it:

• Make your callback URLs unique and un-guessable : for example, use a unique internal identifier in the URLs for each feed to which you subscribed.
• Subscribe using http* s *, and by providing a hub.secret. This secret will then be used by the hub to compute a unique signature for each notification. You have to make sure this signature matches the content that you get. Read more about this here .

Answer 2

The raw post data is the data that is used to extract the POST parameters that can be accessed by $_POST. An user can also post un-parametarized data with post, yes.

Answer 3

A user will always send raw POST data to your scripts. PHP will then parse it and populate $_POST. When POSTing from a form, $_POST is equivalent to:

parse_str($HTTP_RAW_POST_DATA, $data);
var_dump($_POST);
var_dump($data); // yields the same as $_POST

However, if you really want to fetch the raw POST data, the preferred way is:

$rawPost = file_get_contents('php://input');

... because $HTTP_RAW_POST_DATA relies on the always_populate_raw_post_data INI setting, and also because it won't work with multipart/form-data content type.