Is there a way to discern if an incoming POST request has been initiated programmatically via cURL, or is a normal HTML POST request?

Can I differentiate between the two in PHP so that I can set a specific condition?

Mirian
  • A POST request initiated by the client browser, rather than sent via cURL from a server? – Mirian Feb 06 '17 at 12:21
  • There is nothing “un-normal” about either the one or the other. And if via cURL someone sends the exact same request headers as a browser would, then there is no way for you to discern between the two (because of them being _identical_). At most you can check for typical headers/values a browser would send (such as User-Agent, the different Accept-… headers, etc.), and based on that try and guess(!) if you are dealing with a real browser or not. – CBroe Feb 06 '17 at 12:24
  • Gotcha. Thank you! – Mirian Feb 06 '17 at 12:25

1 Answer

if you mean libcurl, i'm pretty sure the answer is no, it adds no identifying information in its requests by default.

if you mean curl, yeah it's easy. the default useragent is curl/versionnumber (on my system right now it's curl/7.52.1)

if(1===preg_match('/^curl\/[\.\d]+/',$_SERVER['HTTP_USER_AGENT']??'')){
//curl's user-agent string. probably curl
} else {
//could be anything (including curl, perhaps with a masked user-agent)
}

a regex may even be overkill, maybe you could just do 0===strpos($_SERVER['HTTP_USER_AGENT']??'','curl/')

an interesting note is that curl will not execute javascript, so if you add a (hidden?) input tag with javascript, curl will ignore it. like

jsInputTag=document.createElement("input");
jsInputTag.setAttribute("name","jsInputTag");
document.getElementById("form").appendChild(jsInputTag);

curl will not add the jsInputTag to the form (nothing stops a programmer from adding it manually, though.)

but then again, many paranoid people don't run javascript on their browsers either, and most browsers have a way for turning it off.

by the way, if it's an X-Y problem, and what you really need is protection against automated scripts, you should use a captcha, not try to detect curl. for example: ReCaptcha

hanshenrik
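
The header and JavaScript-field checks discussed in the comment and the answer above, combined into one heuristic as an added example that is not part of the original posts. The function name `guessClient`, the labels it returns and the sample requests are constructed for illustration, and the form page is assumed to append the `jsInputTag` field with JavaScript.

```php
<?php
// Added example: every signal read here is set by the client, so the result is a guess.
// $server mimics $_SERVER and $post mimics $_POST so the function can be run on samples.
function guessClient(array $server, array $post): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';

    // curl's default User-Agent is "curl/<version>", e.g. curl/7.52.1.
    if (preg_match('/^curl\/[.\d]+/', $ua) === 1) {
        return 'curl-default';
    }

    // Headers a browser typically sends; count how many are present and non-empty.
    $browserHeaders = ['HTTP_ACCEPT', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_ACCEPT_ENCODING'];
    $present = 0;
    foreach ($browserHeaders as $h) {
        if (($server[$h] ?? '') !== '') {
            $present++;
        }
    }

    // Assumption: the form page appends a "jsInputTag" field with JavaScript.
    $jsRan = array_key_exists('jsInputTag', $post);

    if ($ua !== '' && $present === count($browserHeaders) && $jsRan) {
        return 'browser-like';
    }
    return 'unknown';
}

// Constructed sample requests (not captured traffic).
$browserLike = [
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (constructed sample)',
    'HTTP_ACCEPT'          => 'text/html,application/xhtml+xml',
    'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
    'HTTP_ACCEPT_ENCODING' => 'gzip, deflate',
];
$samples = [
    'curl, default settings'     => [['HTTP_USER_AGENT' => 'curl/7.52.1', 'HTTP_ACCEPT' => '*/*'], ['name' => 'a']],
    'browser, JavaScript on'     => [$browserLike, ['name' => 'a', 'jsInputTag' => '']],
    'browser, JavaScript off'    => [$browserLike, ['name' => 'a']],
    'script sending same fields' => [$browserLike, ['name' => 'a', 'jsInputTag' => '']],
];
foreach ($samples as $label => [$server, $post]) {
    printf("%-28s => %s\n", $label, guessClient($server, $post));
}
```

The second and fourth samples get the same label because the server sees identical input, and the browser with JavaScript off falls into `unknown`, so the label is only suitable as a soft signal and not as an access decision.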