Make Multiple POSTs using PHP in cURL

Question

I am attempting to login into my Elance account using cURL in PHP. I successfully login through the first login form. However, you have to answer a security question on the next page. I am trying to POST the answer and submit the form, however, I cannot get it to POST and submit the form. I am trying to do this in 1 .php file. Does the 2nd POST need to be done in a separate file or can it be done in the same file? Here is my code:

<?php

$username = 'Blah';
$password = 'BlahBlah';
$useragent = $_SERVER["HTTP_USER_AGENT"];
$postdata="lnm=$username&pwd=$password";
$postdata_2 = "challengeAnswer=Secret";

$ch = curl_init();

//Main Login
curl_setopt ($ch, CURLOPT_URL,"https://www.elance.com/php/landing/main/login.php");
curl_setopt ($ch, CURLOPT_HEADER, true);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt ($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt ($ch, CURLOPT_REFERER, "https://www.elance.com/php/landing/main/login.php");
curl_setopt ($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt ($ch, CURLOPT_POST, 1);
$result = curl_exec($ch);



//Security Question
curl_setopt($ch, CURLOPT_URL, "https://www.elance.com/php/trust/main/securityAudit.php?timestamp=1369701194&userid=4312662&saamode=NCR&hash=b5523cd532c401e374c8a06e6d2fbfa39ac82387&ncr_persisid=643029635&kmsi=&redirect=https%3A%2F%2Fwww.elance.com%2Fphp%2Fmyelance%2Fmain%2Findex.php%3Fredirect%3Dhttps%253A%252F%252Fwww.elance.com%252Fmyelance");
curl_setopt ($ch, CURLOPT_HEADER, true);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt ($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt ($ch, CURLOPT_REFERER, "https://www.elance.com/php/trust/main/securityAudit.php?timestamp=1369701194&userid=4312662&saamode=NCR&hash=b5523cd532c401e374c8a06e6d2fbfa39ac82387&ncr_persisid=643029635&kmsi=&redirect=https%3A%2F%2Fwww.elance.com%2Fphp%2Fmyelance%2Fmain%2Findex.php%3Fredirect%3Dhttps%253A%252F%252Fwww.elance.com%252Fmyelance");
curl_setopt ($ch, CURLOPT_POSTFIELDS, $postdata_2);
curl_setopt ($ch, CURLOPT_POST, 1);

$result_2 = curl_exec($ch);

echo $result_2;

curl_close($ch);

?>

I have tried several different ways but none of them seem to work. I need help making the 2nd POST command.

Answer 1

I can see timestamps and hashes on the paremeters of the second cURL

curl_setopt($ch, CURLOPT_URL, "https://www.elance.com/php/trust/main/securityAudit.php?timestamp=1369701194&userid=4312662&saamode=NCR&hash=b5523cd532c401e374c8a06e6d2fbfa39ac82387&ncr_persisid=643029635&kmsi=&redirect=https%3A%2F%2Fwww.elance.com%2Fphp%2Fmyelance%2Fmain%2Findex.php%3Fredirect%3Dhttps%253A%252F%252Fwww.elance.com%252Fmyelance");

That means for every request you are attempting from the first cURL, a new unique URL is created and that url will be the only one valid to attempt to post using your second cURL. You cant just copy and paste a url of the second "security question" screen to your second cURL because every time will has other timestamp and/or hashes.

You cannot just hardcode a url with timestamp/hash. It will be discarded from that site's server. you need somehow to obtain that url on-the-fly and use it in your second POST

Also there could be a "http referer" check in place.

Answer 2

if( $curl = curl_init() ) {
    curl_setopt($curl, CURLOPT_URL, 'http://your-domain.com/file.php');
    curl_setopt($curl, CURLOPT_RETURNTRANSFER,true);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, "text=test");
    $out = curl_exec($curl);
    echo $out;
    curl_close($curl);
  }

After than you can get text variable in http://your-domain.com/file.php by $_POST['text'];