
The URL portion of a request (GET and POST) can be limited by both the browser and the server; generally the safe size is 2KB, as there are almost no browsers or servers that use a smaller limit.

The body of a request (POST) is normally* limited by the server on a byte size basis in order to prevent a type of DoS attack (note that this means character escaping can increase the byte size of the body). The most common server setting is 10MB, though all popular servers allow this to be increased or decreased via a setting file or panel.

*Some exceptions exist with older cell phone or other small device browsers - in those cases it is more a function of heap space reserved for this purpose on the device than anything else.

Tell something about the browser limits, considering curl

I know I'm a bit behind the times here but answers like these are the reason I love StackOverflow. Above and beyond what's required and providing some valuable background information.

php - What is the size limit of a post request? - Stack Overflow

php internet-explorer http post

It depends on a server configuration. If you're working with PHP under Linux or similar, you can control it using .htaccess configuration file, like so:

#set max post size
php_value post_max_size 20M

And, yes, I can personally attest to the fact that this works :)

If you're using IIS, I don't have any idea how you'd set this particular value.

Where is this post_max_size setting at? I'm rather new to php and I can't find it anywhere in our code base (using the dreamWeaver find-all process). I'd ask our sys admins but they're mean. :-P

So can you just set this value to whatever size? Isn't there any kind of protocol limitation? Can you set it to 999999999999999999999M?

@Para - This post says that you can set it as high as your machine's memory. It also says that the default is 2MB.

Since this is PHP, I was kind of expecting it to accept any value and just SEGFAULT when it reaches your machine's limit....

Also, in PHP.INI file there is a setting: max_input_vars which in my version of PHP: 5.4.16 defaults to 1000. From the manual: "How many input variables may be accepted (limit is applied to $_GET, $_POST and $_COOKIE superglobal separately)" Ref.: php.net/manual/en/info.configuration.php#ini.max-input-vars

php - What is the size limit of a post request? - Stack Overflow

php internet-explorer http post

So, I am wondering if the page is XSS vulnerable for POST request, will it be a security issue?

Of course it would be. Why should the method via which external code is embedded matter at all? That it does happen is the problem, not how.

I could not figure out a "reasonable" attack workflow.

Consider a simple HTML form, that gets pre-populated with the previous user input after a failed server-side validation.

If this pre-populating allows XSS (basically meaning that escaping all data before outputting it in an HTML context was neglected), then I could easily set up a form in my own page, have its action attribute point to your form handling address, pass any data I like via hidden fields, and have the user send that data to your server via a simple submit button that is maybe formatted to look just like a normal link and only says "click here to go to example.com". The user expects that to just open a page like any other link, but in reality it sends values that trigger displaying the form with pre-populated fields again.

(All that under the premise that the target site does not have additional security against foreign form data in place.)

Thanks for your quick answer! I mean the starting page is a page that only accepts POST requests, say my_post_request.aspx. From my understanding, I need to prepare a complete POST request with an XSS string embedded and send it to the server; the server then responds with a page that has the XSS action included, which is the security issue. But I don't understand how this happens, because if I send the page URL (my_post_request.aspx) to others, their click action is a GET action rather than the desired POST action.

XSS is not only about sending a URL to another person. As I said in my example, I could build a fake form using hidden fields for the data in my own page, and have you submit that by a button with a misleading description.

OK, then I understand I should handle security issues on POST requests also.

security - what's the scenario of stealing information with XSS on a P...

security post xss
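
Added example (not part of the original answers): the pre-populated form from the XSS answer above, sketched in PHP with the unescaped output beside the escaped one, plus a per-session token check as one form of the "additional security against foreign form data" the answer mentions. The function names, the email and form_token field names and the sample value are constructed for illustration; PHP 7 or later is assumed.

```php
<?php
// Added illustration; all names and sample values below are constructed.

// Read one POST field as a string; arrays (email[]=...) and missing
// fields become an empty string.
function field(array $post, string $name): string
{
    return is_string($post[$name] ?? null) ? $post[$name] : '';
}

// Vulnerable: the rejected input is echoed back into the value attribute
// as-is, so a quote character ends the attribute and the rest is markup.
function render_form_unescaped(array $post): string
{
    return '<form method="post"><input name="email" value="'
        . field($post, 'email') . '"></form>';
}

// Hardened: escape for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_form_escaped(array $post): string
{
    $safe = htmlspecialchars(field($post, 'email'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post"><input name="email" value="' . $safe . '"></form>';
}

// Defence in depth against forms hosted on other sites: the handler only
// processes a POST that carries the token stored in this user's session.
// It does not replace output escaping; it blocks the cross-site delivery.
function new_form_token(): string
{
    return bin2hex(random_bytes(32));
}

function is_own_form(string $sessionToken, array $post): bool
{
    $posted = field($post, 'form_token');
    // hash_equals compares in constant time
    return $posted !== '' && hash_equals($sessionToken, $posted);
}

// --- constructed demo input, run from the CLI: php example.php ---
$sessionToken = new_form_token();

// A submission from a form on another site: it cannot know the token.
// The value uses harmless markup; script markup would break out the same way.
$foreignPost = ['email' => '"><b>injected</b>'];

// The same value submitted through the site's own form, token included.
$ownPost = $foreignPost + ['form_token' => $sessionToken];

echo render_form_unescaped($foreignPost), PHP_EOL;
echo render_form_escaped($foreignPost), PHP_EOL;
var_dump(is_own_form($sessionToken, $foreignPost));
var_dump(is_own_form($sessionToken, $ownPost));
```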

Also, in PHP.INI file there is a setting:

max_input_vars

which in my version of PHP: 5.4.16 defaults to 1000.

From the manual: "How many input variables may be accepted (limit is applied to $_GET, $_POST and $_COOKIE superglobal separately)"

php - What is the size limit of a post request? - Stack Overflow

php internet-explorer http post

if you want for both POST and GET

defaults can be set as follows

match 'graphs/(:id(/:action))' => 'graphs#(:action)', :via => [:get, :post],
                                                      :defaults => { :action => "index" }

and the syntax seems to be correct

Thanks a lot. Is 'graphs#(:action)' a correct syntax? Because :action might exist or might not. Can I somehow specify something as default if :action does not exist?

ruby on rails - Get and post request for the same match - Stack Overfl...

ruby-on-rails ruby ruby-on-rails-3 routes

According to RFC, the difference between PUT and POST is in the Request URI. The URI identified by POST defines the entity that will handle the POST request. The URI in the PUT request includes the entity in the request. So, POST /v1/coffees/orders means to create a new resource and return an identifier to describe the resource. In contrast, PUT /v1/coffees/orders/1234 means to update a resource identified by "1234" if it exists; else create a new order and use the orders/1234 URI to identify it.

PUT and POST can both be used to create or update methods. The usage of the method depends on the idempotent behavior expected from the method as well as the location of the resource to identify it.

+ for a simple explanation with an example of the URL

What's the difference between a POST and a PUT HTTP REQUEST? - Stack O...

http post put

Reply to the post for SOAP and RESTful POX(XML)

You can expose the service in two different endpoints. The SOAP one can use a binding that supports SOAP, e.g. basicHttpBinding; the RESTful one can use the webHttpBinding. I assume your REST service will be in JSON; in that case, you need to configure the two endpoints with the following behaviour configuration

<endpointBehaviors>
  <behavior name="jsonBehavior">
    <enableWebScript/>
  </behavior>
</endpointBehaviors>

An example of endpoint configuration in your scenario is

public interface ITestService
{
   [OperationContract]
   [WebGet]
   string HelloWorld(string text);
}

Note, if the REST service is not in JSON, parameters of the operations cannot contain complex types.

For plain old XML as return format, this is an example that would work both for SOAP and XML.

[ServiceContract(Namespace = "http://test")]
public interface ITestService
{
    [OperationContract]
    [WebGet(UriTemplate = "accounts/{id}")]
    Account[] GetAccount(string id);
}

<behavior name="poxBehavior">
  <webHttp/>
</behavior>

<services>
  <service name="TestService">
    <endpoint address="soap" binding="basicHttpBinding" contract="ITestService"/>
    <endpoint address="xml" binding="webHttpBinding"  behaviorConfiguration="poxBehavior" contract="ITestService"/>
  </service>
</services>

SOAP request client endpoint configuration for SOAP service after adding the service reference,

<client>
  <endpoint address="http://www.example.com/soap" binding="basicHttpBinding"
    contract="ITestService" name="BasicHttpBinding_ITestService" />
</client>

in C#

TestServiceClient client = new TestServiceClient();
client.GetAccount("A123");

Another way of doing it is to expose two different service contracts, each one with a specific configuration. This may generate some duplicates at code level; however, at the end of the day, you want to make it work.

Great post. That got me out of a tight spot.

How does this look like when I have .svc hosted in IIS in some virtual directory like someserver/myvirtualdir/service.svc? How should I access it?

Best explained WCF example with SOAP/RESTful over internet

I'd like to take this one step further and add a binding to HTTPS for the JSON address. How do I do that? stackoverflow.com/questions/18213472/

It's saying my contract IEvents is invalid when I try to reference my Service Interface: <service name="Events"> <endpoint address="json" binding="webHttpBinding" behaviorConfiguration="jsonBehavior" contract="IEvents"/> </service>. My IEvents has a [ServiceContract] attribute on the interface so not sure why.

I can get localhost:44652/MyResource/json to work but I can't get an id to work: localhost:44652/MyResource/98/json. I've tried adding a UriTemplate of "/{id}", also tried "events/{id}", but it doesn't find it when I try to hit the service. Only the first works, not sure how to get the latter to work.

How do you deal with FaultExceptions in this case?

How can it work with no physical file there? I just seem to get 404 errors, must be missing something

REST / SOAP endpoints for a WCF service - Stack Overflow

wcf rest soap

You could just use the Chrome Developer Tools, if you only need to track requests. Activate them with Ctrl+Shift+I and select the Network tab.

This works also when Chrome talks HTTPS with another server (and unless you have the HTTPS private key you cannot use Wireshark to sniff that traffic).

As far as I know, only FireBug in Firefox has a feature to track sent POST data. I have tested with Safari and Chrome; they didn't have it.

@GusDeCooL It works fine in Chrome? I click CTRL + SHIFT + I then Chrome opens the Developer Tools window and then I click the "Network" tab. Now, if my browser makes a network request it appears on a row in this Network tab. I click that row, and if it's a POST request Chrome shows a Form Data section a bit further below on the Headers tab.

c# - Is it possible to see the data of a post request in Firefox or Ch...

c# firefox post google-chrome firefox-addon

I went ahead and checked out the latest AFNetworking from their master branch. Out of the box I was able to get the desired behavior. I looked and it seems like a recent change (October 6th) so you might just need to pull the latest.

I wrote the following code to make a request:

AFHTTPClient *client = [[AFHTTPClient alloc] initWithBaseURL:[NSURL URLWithString:@"http://localhost:8080/"]];
[client postPath:@"hello123" parameters:[NSDictionary dictionaryWithObjectsAndKeys:@"v1", @"k1", @"v2", @"k2", nil] 
         success:^(id object) {
             NSLog(@"%@", object);
         } failure:^(NSHTTPURLResponse *response, NSError *error) {
             NSLog(@"%@", error);
         }];
[client release];

Under my proxy I can see the raw request:

POST /hello123 HTTP/1.1
Host: localhost:8080
Accept-Language: en, fr, de, ja, nl, it, es, pt, pt-PT, da, fi, nb, sv, ko, zh-Hans, zh-Hant, ru, pl, tr, uk, ar, hr, cs, el, he, ro, sk, th, id, ms, en-GB, ca, hu, vi, en-us;q=0.8
User-Agent: info.evanlong.apps.TestSample/1.0 (unknown, iPhone OS 4.3.2, iPhone Simulator, Scale/1.000000)
Accept-Encoding: gzip
Content-Type: application/json; charset=utf-8
Accept: */*
Content-Length: 21
Connection: keep-alive

{"k2":"v2","k1":"v1"}

From the AFHTTPClient source you can see that JSON encoding is the default based on line 170, and line 268.

Huh, I didn't realize JSON was set to be the default encoding. This is a mistake (URL form encoding has always been my intention to be the default; I'm not sure how that slipped in). @EricAndres: Please note this, and set the parameter encoding to JSON manually, with self.parameterEncoding = AFJSONParameterEncoding; in your code.

Awesome, thanks for the response. I'll try out the setting self.parameterEncoding later when I get a chance.

hmm... json was not the default encoding, but NVP was (as of early 2013)

objective c - Posting JSON as the body of a POST request using AFHTTPC...

objective-c ios afnetworking

You can post a large amount of data by setting the php.ini variable max_input_vars. The default size of this variable is 1000, but if you want to send a large amount of data you have to increase the size accordingly. If you can't set the size from ini_set, you have to do it through htaccess or by making changes to the php.ini file directly.

max_input_vars  2500
memory_limit    256M

php - What is the size limit of a post request? - Stack Overflow

php internet-explorer http post
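
Added example (not from the original answers), covering both the post_max_size answer earlier on this page and the max_input_vars answers: PHP does not answer an over-limit request with an error of its own. A body larger than post_max_size arrives with empty $_POST and $_FILES, and variables beyond max_input_vars are dropped with only a warning, so the handler has to detect both cases. The function names and sample requests are constructed; PHP 7 or later is assumed.

```php
<?php
// Added illustration; function names and sample requests are constructed.

// Convert php.ini shorthand ("20M", "512K", "1G", or plain bytes) to bytes.
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;                 // leading digits, e.g. 20 from "20M"
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024;          // fall through
        case 'M': $number *= 1024;          // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

// True when the declared body is larger than post_max_size. PHP then leaves
// $_POST and $_FILES empty, which a handler can mistake for "no input".
function body_exceeds_post_max(array $server, string $postMaxSize): bool
{
    $limit  = ini_size_to_bytes($postMaxSize);   // 0 disables the limit
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);
    return $limit > 0 && $length > $limit;
}

// True when a urlencoded body carries more name=value pairs than
// max_input_vars, in which case PHP keeps only the first ones.
function vars_exceed_max(string $rawBody, int $maxInputVars): bool
{
    if ($rawBody === '') {
        return false;
    }
    return substr_count($rawBody, '&') + 1 > $maxInputVars;
}

// In a real handler the arguments come from the running request:
//   body_exceeds_post_max($_SERVER, ini_get('post_max_size'))
//   vars_exceed_max(file_get_contents('php://input'), (int) ini_get('max_input_vars'))
// (php://input is not available for multipart/form-data bodies).
// A true result should end the request with 413 (body size) or 400
// (too many variables) instead of continuing with partial input.

// --- constructed demo, run from the CLI: php example.php ---
// Limit values are the ones quoted on this page.
$limits = ['post_max_size' => '20M', 'max_input_vars' => 1000];

$bigUpload = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => (string) (25 * 1024 * 1024)];
$smallForm = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '2048'];
$manyVars  = http_build_query(array_fill(0, 1500, 'x'));   // 1500 pairs: 0=x&1=x&...

var_dump(body_exceeds_post_max($bigUpload, $limits['post_max_size']));
var_dump(body_exceeds_post_max($smallForm, $limits['post_max_size']));
var_dump(vars_exceed_max($manyVars, $limits['max_input_vars']));
```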

If the current page was loaded by a POST request, you may want to use

window.location = window.location.pathname;

instead of

window.location.reload();

because window.location.reload() will prompt for confirmation if called on a page that was loaded by a POST request.

This will lose the querystring however, whereas window.location = window.location will not

@mrmillsy window.location = window.location is also imperfect, however; it does nothing if there is a fragid (hashbang) in the current URL.

javascript - How can I refresh a page with jQuery? - Stack Overflow

javascript jquery refresh reload

For me, json was NOT the default encoding. You can manually set it as the default encoding like this:

AFHTTPClient *client = [[AFHTTPClient alloc] initWithBaseURL:[NSURL URLWithString:@"http://localhost:8080/"]];

// send parameters as a JSON body and register the JSON request operation class
// (both calls must happen before the client is released)
[client setParameterEncoding:AFJSONParameterEncoding];
[client registerHTTPOperationClass:[AFJSONRequestOperation class]];

[client postPath:@"hello123" parameters:[NSDictionary dictionaryWithObjectsAndKeys:@"v1", @"k1", @"v2", @"k2", nil]
         success:^(id object) {
             NSLog(@"%@", object);
         } failure:^(NSHTTPURLResponse *response, NSError *error) {
             NSLog(@"%@", error);
         }];
[client release];

objective c - Posting JSON as the body of a POST request using AFHTTPC...

objective-c ios afnetworking

Possibly the easiest way to make PHP perform a POST request is to use cURL, either as an extension or simply shelling out to another process. Here's a post sample:

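// where are we posting to?
$url = 'http://foo.com/script.php';

// what post fields? (sample values; replace with your own data)
$field1 = 'value one';
$field2 = 'value two';
$fields = array(
   'field1' => $field1,
   'field2' => $field2,
);

// build the urlencoded data (http_build_query encodes both keys and values)
$postvars = http_build_query($fields);

// open connection
$ch = curl_init();

// set the url, POST method, POST data
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postvars);
// return the response body from curl_exec() instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// execute post
$result = curl_exec($ch);
if ($result === false) {
    // transport-level failure (DNS, connect, TLS, ...)
    error_log('cURL error: ' . curl_error($ch));
}

// close connection
curl_close($ch);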

Also check out Zend_Http set of classes in the Zend framework, which provides a pretty capable HTTP client written directly in PHP (no extensions required).

2014 EDIT - well, it's been a while since I wrote that. These days it's worth checking Guzzle which again can work with or without the curl extension.

Keys need to be urlencoded as well.

you are correct, I'm in the habit of choosing URL-safe keys though, but will modify the sample...

If you don't own your server, there's a chance you may run into the issue that PHP, and thus cURL, are not allowed to leave the local network.

Post to another page within a PHP script - Stack Overflow

php post request