  1. #1
    Join Date
    Mar 2007
    Posts
    30

    Unanswered: Filling Input Fields

    Dear All,

    Good day.

    I'd like some help on some php scripting. Is it possible to open a webpage using PHP, say Yahoo Mail, and fill up the log-in fields with username and password and click on the Sign-In button?

    Any help would really be appreciated.

    Thanks a lot,

    Drogo

  2. #2
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    Technically speaking, it is not possible to "open a web page" and "fill up the log-in fields" using php or any other server side script, because web pages are rendered in a browser and form fields only exist in a browser. "Form fields" don't exist when php reads a web page, it only gets the HTML source of that page.

    However, PHP can submit form data using the curl functions, but it actually submits the data directly to the form processing code at the url in the action="..." parameter of the form.

    Due to people automatically submitting data to form processing code, like you have asked here, many forms have had to add a human only question/answer challenge/response (CAPTCHA), along with other server side code to detect if someone is actually using the form to submit the data.

    Short answer - yes php can do this, but most forms and form processing code will detect and prevent it.
    Last edited by dbmab; 10-28-07 at 10:31. Reason: fixed wording

  3. #3
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    what you want to do will not be able to be done in PHP
    ..it could be done using Javascript running in a PHP page

    you could set default values using PHP server side scripting (not for that matter in any other server side scripting language like coldfusion, ASP or whatever)
    but I'm not aware of any technique to make a PHP generated HTML page auto submit (there may be one, but I'm not aware of it)

    you can use javascript to set values and do other stuff based on timers... that may be the way round for what you want

  4. #4
    Join Date
    Mar 2007
    Location
    636f6d7075746572
    Posts
    770
    Actually there is a nice easy way to generate forms for submission to another page (yahoo) using php/html, but this technique is parallel to cross site scripting, so I don't think in the interest of the community at large it's a good idea to publish it.

    The question I have to you is, WHY do you want to do this? It's a cracker's technique and I can see no reason why you should need this in a legal environment.

  5. #5
    Join Date
    Jul 2006
    Posts
    56
    Gee, reading this made me realise I'm not protected against that kind of technique!! What should I do???

  6. #6
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    What specifically do you feel you have a problem with that you need to solve?

    One thing that was not mentioned above (because it was not directly related to the question) is someone can visit your form and make a copy. Then they can run that page anywhere on the Internet and by just changing the URL in the action="..." parameter so that it points to your form processing code, they can sit there and manually submit data to your form processing code. Sort of a poor man's (non-programmer's) spam bot.

    Here are some general things to use to make sure that it is a human that is using your form to submit to your form processing code -

    1) Start a session and set an arbitrary session variable with some value. In the form processing code, start/restore the session and check that the session variable exists. This will require that someone (or a script) at least visited your form before submitting to your form processing code.

    2) Use a hidden form input field that has a unique random number in it that must be submitted (pass the unique random number in the session.) This will catch scripts that don't copy hidden fields and ones that blindly put their content into every form field.

    3) Put a dummy form first on your page in a hidden <div>. Put your actual form second on the page. This will catch scripts that only look for the first form on a page.

    4) Use non-standard names for your page (don't call it contact.html...), for the form processing code (don't call it formmail.php or similar...), and for the input fields (certainly don't call an email field "email").

    5) Use a CAPTCHA. Image CAPTCHAs have been shown to be fairly easy to decode using OCR or to have unwitting humans enter the value (your CAPTCHA image gets displayed on porn sites and the visitors type in what they see, which gets submitted to your form processing code) or have hired humans enter the value. Currently, question/answer CAPTCHAs (a random list of questions, such as what is 3+10) have proven to be more effective than image CAPTCHAs at preventing scripts from submitting to form processing code.

    6) You can trend and limit submissions using IP address information. It is rare that you would get more than a few submissions from one IP address in a short period of time, even from a large company where everyone shares the same IP address.

    7) Lastly and most importantly, you must close any loopholes in your form processing code that are allowing spam content to be processed. All the other steps mentioned can be bypassed or won't stop a real person, so if your form processing code validates all the inputs and simply discards spam content and mail header injection attempts, then in the end, no spam will get beyond your form processing code.
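
Steps 1, 2 and 7 from the post above, combined into one form-processing check. This is an added example, not code posted by anyone in the thread; the field names `tok` and `reply_to`, the session key `form_token` and the function names are hypothetical, and the session and POST data are passed in as plain arrays so the script runs from the command line.

```php
<?php
// Added example: session-bound hidden token plus header-injection check.

// Steps 1-2: issue a random token, keep it in the session and embed it
// in the form as a hidden field named "tok" (hypothetical name).
function issue_token(array &$session): string {
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

// Step 7: discard values carrying CR/LF (mail header injection) and
// anything that is not a syntactically valid address.
function clean_address(string $value): ?string {
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    $addr = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

function check_submission(array &$session, array $post): string {
    // Step 1: the session must show that the form page was loaded.
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);            // token is single use
    if (!is_string($expected)) {
        return 'reject: form never loaded';
    }
    // Step 2: the hidden field must carry the same token back.
    $given = $post['tok'] ?? '';
    if (!is_string($given) || !hash_equals($expected, $given)) {
        return 'reject: token mismatch';
    }
    $reply_to = $post['reply_to'] ?? '';
    if (!is_string($reply_to) || clean_address($reply_to) === null) {
        return 'reject: bad address';
    }
    return 'accept';
}

// Constructed sample submissions: valid, replayed token, injected header.
$session = [];
$tok = issue_token($session);
echo check_submission($session, ['tok' => $tok, 'reply_to' => 'a@example.com']), "\n";
echo check_submission($session, ['tok' => $tok, 'reply_to' => 'a@example.com']), "\n";
$tok = issue_token($session);
echo check_submission($session, ['tok' => $tok, 'reply_to' => "a@example.com\r\nBcc: b@example.net"]), "\n";
```

In a real handler the arrays would be `$_SESSION` (after `session_start()`) and `$_POST`.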

  7. #7
    Join Date
    Jul 2006
    Posts
    56
    Thanks, dbmab

    Those tips are really gonna help me out.

    Cheers.

  8. #8
    Join Date
    Mar 2007
    Location
    636f6d7075746572
    Posts
    770
    @dbmab, perhaps related to a different discussion post, but I thought it a noteworthy mention here that #5 is becoming more apparent in the web industry. Those of dubious intentions are using more cunning methods these days to get around the classic CAPTCHA, and this is indeed one of those techniques. Do we have a security part of this forum? Might be worth getting one set up eh?

  9. #9
    Join Date
    Mar 2007
    Posts
    30
    Hello All. My end goal was to create an auto relister for ebay. Although there is turbolister available... it does not support our country for autorelisting. So I wanted to find a way using javascript, php and mysql to work around this issue. My initial plan was to store all relevant data into a mysql database... then "open" the ebay login page via PHP (done in the background)... log in to the page... go to the listing page... pull data from the mysql database... plug it into the fields... click submit... check if there are any other items.... then log out. I was hoping this was possible via PHP. Security will be a big issue... but this application will only be for me.

  10. #10
    Join Date
    Jan 2004
    Location
    India
    Posts
    168
    curl is a really good function when you have to execute a remote URL. This can be any type of script which would perform some sort of server side function. As you want to know if you can log in to Yahoo, yes you can do that. But for this you need to identify what parameters are required to log in to Yahoo. The parameters are mostly some session values and form fields (visible or hidden). You can create robots using PHP with the help of CURL functions.
    Freelance and Technology Consultant
    -------------------
    Dreams are for ever
    -------------------
