PHP，cURL 发布以登录 WordPress [英] PHP, cURL post to login to WordPress

问题描述

我正在为客户开展一个项目，该项目需要通过点击链接自动登录.

I am working on a project for a client which needs an automatic login from a link click.

我正在使用握手页面通过以下代码执行此操作:

I'm using a handshake page to do this with the following code:

$username = "admin";
$password = "blog";
$url = "http://wordpressblogURL/";
$cookie = "cookie.txt";

$postdata = "log=" . $username . "&pwd=" . $password . "&wp-submit=Log%20In&redirect_to=" . $url . "blog/wordpress/wp-admin/&testcookie=1";
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url . "blog/wordpress/wp-login.php");

curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 0);
curl_setopt ($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt ($ch, CURLOPT_REFERER, $url . "blog/wordpress/wp-login.php");

curl_setopt ($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt ($ch, CURLOPT_POST, 1);
$result = curl_exec ($ch);
curl_close($ch);
echo $result;

exit;

这很好用.它让我登录得很好.

This works fine. It logs me in great.

问题是我相信 WordPress 密钥关闭了 URL.

The problem is that I believe WordPress keys off of the URL.

详细说明，我的握手页面(让我登录)位于blog"目录中，而我的 WordPress 应用程序位于blog"目录内的wordpress"目录中.浏览器中的 URL 为 ..blog/handshake.php.但是，它在浏览器窗口中有 WordPress 的管理部分.WordPress 管理链接现在无法正常工作，因为 URL 在需要位于 ..blog/wordpress/wp-admin 时位于 ../blog 目录中目录.

To elaborate, my handshake page (which logs me in) is in the "blog" directory and my WordPress application is in the "wordpress" directory which sits inside the "blog" directory. The URL in the browser says ..blog/handshake.php. However, it has the Admin section of WordPress in the browser window. WordPress Admin links now do not function correctly, because the URL is in the ../blog directory when it needs to be in the ..blog/wordpress/wp-admin directory.

cURL 中是否有一种方法可以使浏览器中的 URL 反映实际页面?

Is there a way in cURL to make it so that the URL in the browser reflects the actual page?

我应该使用 FSockOPen 吗?

Should I be using FSockOPen instead?

推荐答案

Kalium 做到了这一点——WordPress 界面中的路径是相对的，导致管理界面在以这种方式访问​​时无法正常工作.

Kalium got this right -- paths in the WordPress interface are relative, causing the administration interface to not work properly when accessed in this manner.

你的方法有几个方面的问题，所以我想快速提出一些建议.

Your approach is concerning in a few ways, so I'd like to make a few quick recommendations.

首先，我会尝试找到一种方法来从硬编码中删除 $username 和 $password 变量.想想这有多么容易破解——例如，如果通过管理界面更新密码，代码中的硬编码值将不再正确，并且您的自动登录"现在将失败.此外，如果有人以某种方式组成了该站点并获得了对 handshake.php 的访问权 - 那么，现在他们已经获得了您博客的用户名和密码.

Firstly, I would try to find a way to remove the $username and $password variables from being hard-coded. Think about how easy this is to break -- if the password is updated via the administration interface, for instance, the hard-coded value in your code will no longer be correct, and your "auto-login" will now fail. Furthermore, if someone somehow comprises the site and gains access to handshake.php -- well, now they've got the username and password for your blog.

看起来您的 WordPress 安装与您编​​写的握手脚本位于同一台服务器上，因为 /blog 的路径是相对的(在您的示例代码中).因此，我建议尝试模仿他们在您的父应用程序登录中验证的会话.我过去曾多次这样做过——只是不记得具体细节了.因此，例如，您的登录脚本不仅会设置您的登录凭据，还会设置 WordPress 身份验证所需的会话密钥.

It looks like your WordPress installation rests on the same server as the handshake script you've written, given the path to /blog is relative (in your sample code). Accordingly, I'd suggest trying to mimic the session they validate against in your parent applications login. I've done this several times in the past -- just can't recall the specifics. So, for instance, your login script would not only set your login credentials, but also set the session keys required for WordPress authentication.

这个过程将涉及挖掘大量 WordPress 的代码，但这就是开源的美妙之处！不要使用 cURL 和硬编码值，而是尝试将 WordPress 的身份验证机制简单地集成到您的应用程序的登录机制中.我首先查看 wp-login.php 的源代码，然后从那里开始.

This process will involve digging through a lot of WordPress's code, but thats the beauty of open source! Instead of using cURL and hard-coding values, try to simply integrate WordPress's authentication mechanism into your application's login mechanism. I'd start by looking at the source for wp-login.php and going from there.

如果所有其他方法都失败了，并且您决定不尝试将会话身份验证机制与 WordPress 的会话身份验证机制结合起来，那么您可以通过对代码的这些更改立即解决您的问题(无需修复您的方法中更相关的方面):

If all else fails and you're determined to not try to mesh your session authentication mechanism with that of WordPress, then you could immediately fix your problem (without fixing the more concerning aspects of your approach) with these changes to your code:

首先，添加以下 curl_opt:

First, add the following curl_opt:

curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);  // Enables session support

然后，在关闭 cURL 处理程序后添加:

Then, add this after closing the cURL handler:

curl_close($ch);
// Instead of echoing the result, redirect to the administration interface, now that the valid, authenticated session has been established
header('location: blog/wordpress/wp-admin/');
die();

因此，在这个不太理想的解决方案中，您将使用 cURL 对用户进行身份验证，然后不要尝试将管理界面劫持到当前页面，而是将它们重定向到常规管理界面.

So, in this less than ideal solution you'd use cURL to authenticate the user, and then rather than attempt to hijack the administration interface into that current page, redirect them to the regular administration interface.

我希望这会有所帮助！如果您需要更多帮助/解决方案不清楚，请告诉我.

I hope this helps! Let me know if you need more help / the solution isn't clear.

这篇关于PHP，cURL 发布以登录 WordPress的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！