php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #55815 PUT request data should be parsed just like POST
Submitted: 2011-09-29 16:51 UTC Modified: 2012-10-31 16:38 UTC
Votes:57
Avg. Score:4.7 ± 0.6
Reproduced:51 of 51 (100.0%)
Same Version:24 (47.1%)
Same OS:35 (68.6%)
From: catch dot dave at gmail dot com Assigned:
Status: Open Package: Streams related
PHP Version: 5.4.0beta1 OS: All
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-09-29 16:51 UTC] catch dot dave at gmail dot com
Description:
------------
Data that is posted to PHP via the PUT method is not parsed at all and is not 
available to PHP.
This is particularly problematic for data sent encoded as 'multipart/form-data'.

Basically, a request sent (with files and/or non-file data) via PUT should be 
parsed using the same functions used for requests sent via 
POST.
Ideally, $_FILES and *either* $_POST or a new $_PUT superglobals should be 
populated in PUT requests.


The answer is *not* to simply use parse_str() because that does not handle 
multipart/form-data requests.

This is something that would help every RESTful interface that people are trying 
to do with PHP.
There are many people who have these problems and have to implement (usually 
incomplete and/or buggy) PHP solutions, 
eg: 
* Example of someone's wrong and incomplete solution: 
http://stackoverflow.com/questions/5483851/manually-parse-raw-
http-data-with-php
* Example of other people having problems: http://drupal.org/node/1270190


I ended up having to write half a page of code just to parse file and normal 
data out of php://input stream which is not going to be as 
well tested or as stable as PHP's existing C code that parses the data when 
using the POST method.


This could (possibly) be as simple as changing lines such as:
    `if(!strcmp(SG(request_info).request_method, "POST"))`
to
   `if(!strcmp(SG(request_info).request_method, "POST") || 
!strcmp(SG(request_info).request_method, "PUT"))`

or even adding a new superglobal called $_PUT (but still re-using $_FILES).


Test script:
---------------
The request:

#!/bin/sh
curl "https://localhost/restful_server/" -X PUT -F "photo=@my_image.jpg;type=image/jpg" -F "foo=bar"

The php code:

<?php
echo "POST: \n"; var_dump($_POST);
echo "PUT: \n"; @var_dump($_PUT); // obviously this won't exist yet in php 5.4/5.3
echo "FILES: \n"; var_dump($_FILES);



Expected result:
----------------
POST: 
	array(0) {
}
PUT: 
	array(1) {
  ["foo"]=>
  string(3) "bar"
}
FILES: 
	array(1) {
  ["photo"]=>
  array(5) {
    ["name"]=>
    string(6) "my_image.jpg"
    ["type"]=>
    string(9) "image/jpg"
    ["tmp_name"]=>
    string(26) "/private/var/tmp/my_image.jpg"
    ["error"]=>
    int(0)
    ["size"]=>
    int(1)
  }
}

Actual result:
--------------
POST: 
	array(0) {
}
PUT: 
	NULL
FILES: 
	array(0) {
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-12-29 17:47 UTC] thomas dot mery at gmail dot com
Hi,

was wondering if this had been considered

thanks
 [2012-04-11 01:52 UTC] theanomaly dot is at gmail dot com
First, I'd like to start by noting that the PHP manual already addresses file 
uploads via PUT method by: 

http://php.net/manual/en/features.file-upload.put-method.php

Second, I want to point out that what you're asking is actually a violation of 
the HTTP specification as per RFC 2616 specifically Section 9.6

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6

"The fundamental difference between the POST and PUT requests is reflected in 
the different meaning of the Request-URI. The URI in a POST request identifies 
the resource that will handle the enclosed entity. That resource might be a 
data-accepting process, a gateway to some other protocol, or a separate entity 
that accepts annotations. In contrast, the URI in a PUT request identifies the 
entity enclosed with the request -- the user agent knows what URI is intended 
and the server MUST NOT attempt to apply the request to some other resource. If 
the server desires that the request be applied to a different URI, it MUST send 
a 301 (Moved Permanently) response; the user agent MAY then make its own 
decision regarding whether or not to redirect the request."

What this means is the HTTP RFC does not allow us to identify multipart/form-
data in a PUT request.

Thus your proposed implementation to how PHP already handles requests would then 
put PHP in a position of having not complied with the spec. PUT is used for a 
different specification than POST and thus modifying PHP to treat them equally 
would not be a sane solution.

However, there are some simple steps to accomplishing what you want even though 
it would be in violation of the HTTP specification. Namely they would be:

1) You can detect whether or not PUT was the REQUEST method via 
$_SERVER['REQUEST_METHOD'] for example (depends on your SAPI).
2) You may then proceed to process the 'php://input' stream through something 
like file_get_contents('php://input'); - as an example.
3) You may then proceed to break up the multipart form data according to its 
defined boundaries in PHP user-space code -- according to the specification at 
http://tools.ietf.org/html/rfc2388
4) Finally you may chose to do with the file as you'd like (save, discard, 
otherwise).

However, it would make no sense at all to create a new superglobal in PHP called 
$_PUT since the HTTP PUT verb does not allow for multi-part/form data to begin 
with. So whoever is saying PHP is making it difficult to be RESTful is 
misleading.
 [2012-04-16 19:15 UTC] catch dot dave at gmail dot com
Hi theanomaly,

I'd like to address your points.

1. As per my original request the manual page of 
"http://php.net/manual/en/features.file-upload.put-
method.php" *does not* solve the problem, as it does not handle multipart form 
requests.

2. Implementing the parsing of multipart form data in PHP seems to be re-
inventing the wheel when the 
code to correctly parse this already exists in PHP itself (to parse POST data).

3. Perhaps I am misunderstanding, but reading through both your quote and the 
rest of the 2616 spec, I 
fail to see how the spec precludes handling form-data in a PUT method, The 
section you quoted is saying 
that:
      * PUT must operate on the URI provided and not another one; and
      * that the difference between PUT and POST, is that POST URI defines the 
resource that operates on 
an entity, whereas a PUT request's URI identifies the entity itself. It is 
common to use the PUT verb to 
operate on existing entities in restful APIs (e.g. modifying the title of an 
existing book, you would send 
the new title as data, and not in the URI itself), which does not seem to 
violate this point either.

The multipart form data is part of the original user request and should 
therefore be parseable--the user 
is sending the data (in multipart form) to operate on the URI using the PUT 
method.

I don't think the spec is saying that you are not allowed to use/consider the 
data sent along with it--
as opposed to your interpretation which suggests the RFC is saying that all data 
other than the URI 
itself (whether multipart form encoded or not) should be ignored.

4. I had originally had some code that does exactly what you described, but it 
was nowhere near as 
robust as the existing code in PHP, which lead to me writing this request (re-
invent the wheel). 
Furthermore, other languages (e.g. Ruby) do parse multipart data in PUT (not 
that that should be the 
primary reason).
 [2012-06-27 00:57 UTC] phazei at gmail dot com
Has this been reconsidered at all? Any update?
 [2012-07-08 18:38 UTC] johnston dot joshua at gmail dot com
Hi,

in regards to RFC 2616 and the comment:

"What this means is the HTTP RFC does not allow us to identify multipart/form-
data in a PUT request."

This section addresses the meaning of the request URI and NOT the request body. 

In a POST request, the request URI should point to an entity that HANDLES the 
request body in whichever way it sees fit. This COULD be by appending the 
enclosed entity as an annotation to the given request URI, or appending a new 
entity to a collection, etc.

In a PUT request, the enclosed entity should BE STORED AT or REPLACE the entity 
that exists at the given request URI.

There is no reason why the Entity in question cannot be a multipart entity.

Here is a real-world example to illustrate this point using a messageboard as an 
example.

A User creates a new topic:

(minimal headers shown for brevity)

POST /topics HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------
-11401160922046879112964562566
Content-Length: ???
-----------------------------11401160922046879112964562566
Content-Disposition: form-data; name="comment"

This is a comment here
-----------------------------11401160922046879112964562566
Content-Disposition: form-data; name="attachment"; filename="attachment.png"
Content-Type: image/png

[binary image data here]
-----------------------------11401160922046879112964562566--


HTTP/1.1 201 Created
Location: /topics/1


Now we have a new topic referenced by /topics/1. Lets say the original user wants 
to change his topic. HTTP says that you can use a PUT request to a given request 
URI to replace an entity. If I wanted to replace the entity containing an image 
and the comment I would issue

PUT /topics/1 HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------
-11401160922046879112964562566
Content-Length: ???
-----------------------------11401160922046879112964562566
Content-Disposition: form-data; name="comment"

This is a comment here
-----------------------------11401160922046879112964562566
Content-Disposition: form-data; name="attachment"; filename="attachment.png"
Content-Type: image/png

[binary image data here]
-----------------------------11401160922046879112964562566--


As you can see here, the multipart/form-data request body is 100% valid.
 [2012-10-22 05:23 UTC] tylerromeo at gmail dot com
The http/1.1 RFC does not specify any data type for the request body of any 
request type, nor does the RFC for multipart/form-data specify the request type 
it must be used with in HTTP. And as has been demonstrated by previous comments, 
there exist legitimate cases where multipart/form-data would be useful in a PUT 
request.

Let me first say that putting PUT data into $_POST is a bad idea. Hopefully that 
is obvious enough. If this were to be implemented, it should use $_PUT (and 
$_FILES, if necessary, along with it).

The real question that needs to be asked is whether it's worth implementing. 
Technically, POST requests do not have any restriction on data types either. So 
really we could just tell all web developers to parse their POST requests from 
stdin like is suggested here for PUT. The reason PHP doesn't do that is because 
POST data is so often encoded in a standard data format and used as such that it 
helps developers tremendously to not force them to do such transformations 
themselves.

So the issue is whether enough users will be using multipart/form-data in PUT 
requests to warrant developers implementing a feature for it. Personally, I'm a 
fan of uniformity, and I believe that if we're parsing the request body for a 
POST request, then a PUT request should be treated no differently unless the 
spec has a restriction (which it doesn't).
 [2012-10-31 15:09 UTC] evert at rooftopsolutions dot nl
I just wanted to chime in this one..

I personally think that while having a _POST superglobal is convenient (and needed, for BC) it's not necessarily a great design pattern. Especially in the case where you actually want access to php://input, but PHP pre-emptively decided to parse it, and I'm left with an empty stream.

So instead of extending this pattern to other HTTP methods (and don't kid yourself, there's a bunch more than just PUT [1]), I feel a much better alternative would be to expose the API that can actually parse multipart/form-data and takes a stream as input.

I feel this would solve the OP's use-case, is more flexible, and avoids the creation of additional evil super-globals.

  [1] http://tools.ietf.org/html/draft-ietf-httpbis-method-registrations-10
 [2012-10-31 16:38 UTC] catch dot dave at gmail dot com
Whilst evert's example of providing access to the API might solve my original 
issue, I would still lean 
towards creating a new superglobal called _PUT.

1. PHP already has too many inconsistencies, let's not introduce another one. 
POST, GET exist, adding PUT 
is an obvious and consistant addition. Unless you wanted to deprecate existing 
superglobals over time, I 
would strongly suggest against providing a new way to do the same thing.
2. Whilst there are other HTTP methods, very few of them require/support parsing 
multi-form data like POST 
and PUT do (think of PATCH, DELETE, HEAD, etc).
 [2013-04-17 01:50 UTC] joaoh88 at gmail dot com
I really think it would be very useful to expose the API for parsing multipart 
data, as restful services are increasing in popularity
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 02:02:11 2014 UTC