Technically speaking, it is not possible to "open a web page" and "fill up the log-in fields" using php or any other server side script, because web pages are rendered in a browser and form fields only exist in a browser. "Form fields" don't exist when php reads a web page, it only gets the HTML source of that page.
However, PHP can submit form data using the curl functions, but it actually submits the data directly to the form processing code at the url in the action="..." parameter of the form.
Due to people automatically submitting data to form processing code, like you have asked here, many forms have had to add a human only question/answer challenge/response (CAPTCHA), along with other server side code to detect if someone is actually using the form to submit the data.
Short answer - yes php can do this, but most forms and form processing code will detect and prevent it.
Last edited by dbmab; 10-28-07 at 09:31.
Reason: fixed wording
what you want to do will not be able to be done in PHP
you could set default values using PHP server side scripting (not for that matter in any other server side scripting language like coldfusion, ASP or whatever)
but Im not aware of any technique to make a PHP generated HTML page auto submit (there may be one, but Im not aware of it)
Actually there is a nice easy way to generate forms for submission to another page (yahoo) using php/html, but this technique is parallel to cross site scripting, so I don't think in the interest of the community at large it's a good idea to publish it.
The question I have to you is, WHY do you want to do this? It's a crackers technique and I can see no reason why you should need this in a legal environment.
What specifically do you feel you have a problem with that you need to solve?
One thing that was not mentioned above (because it was not directly related to the question) is someone can visit your form and make a copy. Then they can run that page anywhere on the Internet and by just changing the URL in the action="..." parameter so that it points to your form processing code, they can sit there and manually submit data to your form processing code. Sort of a poor man's (non-programmer's) spam bot.
Here are some general things to use to make sure that it is a human that is using your form to submit to your form processing code -
1) Start a session and set an arbitrary session variable with some value. In the form processing code, start/restore the session and check that the session variable exists. This will require that someone (or a script) at least visited your form before submitting to your form processing code.
2) Use a hidden form input field that has a unique random number in it that must be submitted (pass the unique random number in the session.) This will catch scripts that don't copy hidden fields and ones that blindly put their content in to every form field.
3) Put a dummy form first on your page in a hidden <div>. Put your actual form second on the page. This will catch scripts that only look for the first form on a page.
4) Use non standard names for your page (don't call it contact.html...), for the form processing code (don't call it formmail.php or similar...), and for the input fields (certainly don't call an email field "email").
5) Use a CAPTCHA. Image CAPTCHA's have shown to be fairly easy to decode using OCR or to have unwitting humans enter the value (your CAPTCHA image gets displayed on porn sites and the visitors type in what they see, which gets submitted to your form processing code) or have hired humans enter the value. Currently, question/answer CAPTCHA's (a random list of questions, such as what is 3+10) have proven to be more effective than image CAPTCHA at preventing scripts from submitting to form processing code.
6) You can trend and limit submissions using IP address information. It is rare that you would get more than a few submissions from one IP address in a short period of time, even from a large company where everyone shares the same IP address.
7) Lastly and most importantly, you must close any loop holes in your form processing code that is allowing spam content to be processed. All the other steps mentioned can be bypassed or won't stop a real person, so if your form processing code validates all the inputs and simply discards spam content and mail header injection attempts, then in the end, no spam will get beyond your form processing code.
@dbmab, perhaps related to a different discussion post perhaps, but I thought it a noteworthy mention here, that #5 is becoming more apparent in the web industry. Those of dubious intentions are using more cunning methods these days to get around the classic CAPTCHA, and this is indeed one of those techniques. Do we have a security part of this forum? Might be worth getting one set up eh?
curl is really good function when you have to execute a remote URL. This can be any type of script which would perform some sort of server side function. As you want to know if you can login to yahoo, yes you can do that. But for this you need to identify what are the parameters required to login to Yahoo. The parameters are mostly some session values and form fields (visible or hidden). You can create robots using PHP with the help of CURL functions.