我有一个nginx的重写规则重定向一个img src属性的PHP页面。在这个PHP页面我试图做一个GET请求，这对成功使POST请求同一个页面，从发送GET请求的数据返回的数据。为什么$ _ POST数据空在PHP脚本？如果我硬code $ NAME =HTTP：//path/to/my/img.png在PHP脚本的正确的图像渲染

 ＆LT; PHP
ini_set（'的display_errors'，1）;
ini_set（'display_startup_errors'，1）;
使用error_reporting（-1）;
后续代码var_dump（$ _ REQUEST）;
//如果（使用isset（$ _ POST ['VAL']））{


  //以二进制方式打开文件

  $名称= $ _ POST ['VAL']; //总是空
  $计划生育=的fopen（$名字，RB）;

  //发出正确的头部
  标题（内容类型：图像/ PNG）;
  标题（内容长度：文件大小（$名））;

  //转储画面和停止脚本
  //回声fpassthru（$ FP）;
  标题（位置：$名）;
  出口;

//}
？＆GT;
＆LT; HTML＆GT;
＆LT; HEAD＆GT;
＆LT;脚本类型=文/ JavaScript的SRC =/窃取/ steal.js'＆GT;＆LT; / SCRIPT＆GT;
＆LT;脚本类型=文/ JavaScript的SRC =/插件/ jQuery的/ json2.js＆GT;＆LT; / SCRIPT＆GT;
＆LT;脚本类型=文/ JavaScript的＆GT;
偷（'jQuery的/ DOM /夹具），然后（函数（）{

$ .fixture（GET /事件/ {code}，函数（原件，设置标题）{
    返回[200，成功，{img_url：的http：//path/to/my/img.png}，{}]
}）

VAR strObj =＆LT;？PHP的回声json_en code（$ _ REQUEST）; ？取代;
VAR海峡= strObj.q;
VAR事件code = str.split（'/'）[1];
$阿贾克斯（{
  网址：/事件/+事件code，
  成功：功能（数据）{
     VAR imgUrl的= data.img_url
     $阿贾克斯（{
        键入：POST，
        的contentType：JSON，
        数据：{VAL：imgUrl的}，
        成功：功能（数据）{
           的console.log（数据）;
        }，
        错误：函数（jqXHR，textStatus，errorThrown）{
           执行console.log（textStatus）;
        }
     }）;
   }
}）;

}）;
＆LT; / SCRIPT＆GT;

＆LT; /头＆GT;
＆LT;身体GT;

＆LT; /身体GT;
＆LT; / HTML＆GT;
 

解决方案

好吧，你已经采取了的东西超出了可能的几个步骤。

当用户点击这个形象在他们的电子邮件，请求被发送到你的服务器请求该图像。没有了JavaScript的是要使其恢复到用户，因为＆LT; IMG＆GT; 标记期望的图像，而不是一个HTML文档。您可以通过一些钉东西向即将离任的要求像

 ＆LT; IMG SRC =htt​​p://yourwebsite.com/tracker.php?val=someimage.png＆GT;
 

和你的脚本就能够得到 VAL 出 $的_ GET 但是你不能够使这个形象POST请求从电子邮件内。

所有的 $ _ REQUEST 数据你要在那里的顶部？这就是你得到的所有的邮件跟踪数据。一切你能离开那里和 $ _ GET 是所有你得到。

之后，你需要给他们回的图像。因此，继承人你如何做到这一点。

  $ VAL = $ _GET [VAL']; //假设VAL包含一个图像

标题（内容类型：图像/ PNG）;
ReadFile的（'/路径/到/您/图片/$ VAL）;
 

请是超级注意，你需要仔细的检查 $ VAL ，以确保它要能够看到只包含图像。潜在恶意用户可以看到这一点，并把类似 tracker.php？VAL = / etc / passwd文件或类似的，然后你有PHP尝试读取你的密码文件的东西。确保存在的图像，甚至可以读可以与 is_readable（） 功能。

I have a nginx rewrite rule that redirects an img src attribute to a php page. Within this php page I'm trying make a GET request, which on success makes a POST request to the same page, sending the data returned from the GET request as the data. Why is the $_POST data empty in the php script? If I hardcode $name = "http://path/to/my/img.png" in the php script the image renders correctly.

<?php 
ini_set('display_errors',1);
ini_set('display_startup_errors',1);
error_reporting(-1);
var_dump($_REQUEST);
//if(isset($_POST['val'])) {


  // open the file in a binary mode

  $name = $_POST['val']; // ALWAYS EMPTY
  $fp = fopen($name, 'rb');

  // send the right headers
  header("Content-Type: image/png");
  header("Content-Length: " . filesize($name));

  // dump the picture and stop the script
  //echo fpassthru($fp);
  header("Location: $name");
  exit;

//}
?>
<html>
<head>
<script type='text/javascript' src='/steal/steal.js'></script>
<script type="text/javascript" src="/plugins/jquery/json2.js"></script>
<script type="text/javascript">
steal('jquery/dom/fixture').then(function(){

$.fixture("GET /event/{code}", function(original, settings, headers){
    return [200, "success", { "img_url":"http://path/to/my/img.png" }, {} ]
})

var strObj = <?php echo json_encode($_REQUEST); ?>;
var str = strObj.q;
var eventCode = str.split('/')[1];
$.ajax({
  url: "/event/"+eventCode,
  success: function(data) {
     var imgUrl = data.img_url
     $.ajax({
        type: 'POST',
        contentType: 'json',
        data: {val:imgUrl},
        success: function(data){
           console.log(data);
        },
        error: function(jqXHR, textStatus, errorThrown){
           console.log(textStatus);
        }
     });
   }
});

});
</script>

</head>
<body>

</body>
</html>

Alright, you've taken things a few steps beyond what is possible.

When the user hits this image in their email, a request is sent to your server asking for that image. None of that javascript is going to make it back to the user because the <img> tag is expecting an image, not an html document. You can tack things on to the outgoing request via something like

<img src="http://yourwebsite.com/tracker.php?val=someimage.png">

and your script will be able to get val out of $_GET but you won't be able to make a POST request for this image from inside an email.

All that $_REQUEST data you're getting at the top there? That's where you get all your email tracking data from. Everything you can get out of there and $_GET is all you're getting.

Afterwards, you need to give them back an image. So heres how you do that.

$val = $_GET['val']; // assuming val contains an image

header('Content-Type: image/png');
readfile('/path/to/your/images/'. $val);

Please be super aware that you need to sanity check $val to make sure its only containing images that you want to be able to see. A potentially malicious user could see this and put something like tracker.php?val=/etc/passwd or something similar and then you've got PHP trying to read your password file. Making sure that images exist and can even be read can be done with the is_readable() function.