|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50060 "failed creating formpost data" if post array value starts with '@'
Submitted: 2009-11-03 07:29 UTC Modified: 2009-11-03 21:37 UTC
From: bugs dot php dot net at sgerrand dot com Assigned:
Status: Not a bug Package: cURL related
PHP Version: 5.2.11 OS: Linux (Ubuntu x86_64 2.6.31-14)
Private report: No CVE-ID: None
 [2009-11-03 07:29 UTC] bugs dot php dot net at sgerrand dot com
PHP's cURL library dies returning the error message "failed creating 
formpost data" when trying to use an array that contains a value 
starting with '@'. 

If the array is changed to a string in URL encoded like format, the 
problem does not occur.

Reproduce code:

$url = '';
$postData = array('key' => '@value');
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);

if (! curl_exec($ch) ) print 'cURL error: ' . curl_error($ch);
else print "cURL success";



Expected result:
cURL success

Actual result:
cURL error: failed creating formpost data


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-11-03 10:18 UTC]
@ has a special meaning with cURL and takes the contents of the file.
 [2009-11-03 10:44 UTC] bugs dot php dot net at sgerrand dot com
Please refer to the documentation for curl_setopt() -

CURLOPT_POSTFIELDS	 The full data to post in a HTTP "POST" 
operation. To post a file, prepend a filename with @ and use the full 
path. This can either be passed as a urlencoded string like 
'para1=val1&para2=val2&...' or as an array with the field name as key 
and field data as value. If value is an array, the Content-Type header 
will be set to multipart/form-data.

The case I have logged is when data to be posted using this option is 
an array which happens to have a value that starts with '@', as per 
the example. This edge case is being caused by the function used to 
create the form data to pass to cURL.

I would note that the cURL command line client on any POSIX system can 
perform this without issue - i.e.: 

curl -d 'key=@value'
 [2009-11-03 11:58 UTC]
-d is for the whole data, what we really have here is -F for formdata.

curl -F 'key=@value'
 [2009-11-03 21:37 UTC] bugs dot php dot net at sgerrand dot com
Regardless, if the existing functionality for constructing form data 
with the CURLOPT_POSTFIELDS option will not be changed, can the 
documentation for curl_setopt() be altered to more explicitly indicate 
that *any* array value that starts with '@' will be treated as a file 
for upload.
 [2010-03-24 09:39 UTC] guille at nianoniano dot com
We should have to be able to tell wheter a POST field is intended to be interpreted as a path for a file submission or simply as text not just by adding a '@' character at the begining of a POST parameter's value.

Firstly because the curl lets it and PHP's implementation of this functions are actually diminishing this feature.

And secondly because it brings some operational problems that makes us to produce worse code: the need to convert the POST payload array of parameters to a string.

A good example for this need is a Twitter library that i'm currently working on. It a very common case to have a POST parameter starting with the '@' character and i'm forced to convert the array into a string and then deal with other derivative problems like handling the presence of characters like '&' in the value of a parameter. This wastes processing time, resources and makes worse source code.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Apr 17 20:01:23 2021 UTC