php $_POST array empty upon form submission

I have a custom Content Management System (CMS) I've built that works perfectly on my dev box (Ubuntu/PHP5+/MySQL5+).

I just moved it up to the production box for my client and now all form submissions are showing up as empty $_POST arrays.

I found a trick to verify the data is actually being passed using file_get_contents('php://input'); and the data is showing up fine there -- the $_POST/$_REQUEST arrays are always empty.

I've also verified the content-type headers are correct as well via firebug (application/x-www-form-urlencoded; charset=utf-8).

This issue is happening regardless of whether a form is submitting via AJAX or a regular form submit.

Any help is greatly appreciated!

When using JSON content-type the $_POST array will not populate (only with multi-part forms I believe)

Here is how I correct the issue:

$_POST = json_decode(file_get_contents("php://input"), true);

Here's another possible cause -- my form was submitting to domain.com without the WWW. and I had set up an automatic redirect to add the "WWW." The $_POST array was getting emptied in the process. So to fix it all I had to do was submit to www.domain.com

I had a similar problem. Turned out to be a simple fix. In the form I had

> <form action="directory" method="post">

where directory was the name of... the directory. My POST array was totally empty. When I looked at the url in my browser, it was displayed with a forward slash on the end.

Adding the forward slash to the end of my action did the trick - > <form action="directory/" method="post">

My $_POST array was full again!

Make sure that, in php.ini:

• track_vars (it's only available on very old PHP versions) is set to On
• variables_order contains the letter P
• post_max_size is set to a reasonable value (e.g. 8 MB)
• (if using suhosin patch) suhosin.post.max_vars and suhosin.request.max_vars are large enough.

I suppose the second suggestion of mine will solve your problem.

I've found that when posting from HTTP to HTTPS, the $_POST comes empty. This happened while testing the form, but took me a while until I realize that.

I came across a similar yet slightly different issue and it took 2 days to understand the issue.

• In my case also POST array was empty.

• Then checked with file_get_contents('php://input'); and that was also empty.

Later I found that browser wasnt asking confirmation for resubmitting form data after If I refresh the page loaded after POST submission. It was directly refreshing page. But when I changed form URL to a different one it was passing POST properly and asked for resubmitting data when attempted to refresh page.

Then I checked what is wrong with actual URL . There were no fault with URL, however it was pointing to a folder without index.php in URL and I was checking POST at index.php.

Here I doubted the redirection from / to /index.php causes POST data to be lost and tested URL with appending index.php to the URL.

That Worked.

Posted it here so someone would find it helpful.

If you are posting to a index.php file in a directory for example /api/index.php make sure in your form you specify the full directory to the file e.g

This

<form method="post" action="/api/index.php"> 
</form>

OR

<form method="post" action="/api/"> 
</form>

works.

But this fails

<form method="post" action="/api"> 
</form>

I could solve the problem using enctype="application/x-www-form-urlencoded" as the default is "text/plain". When you check in $DATA the seperator is a space for "text/plain" and a special character for the "urlencoded".

Kind regards Frank

Having the enable_post_data_reading setting disabled will cause this. According to the documentation:

> enable_post_data_reading > >Disabling this option causes $_POST and $_FILES not to be populated. The only way to read postdata will then be through the php://input stream wrapper. This can be useful to proxy requests or to process the POST data in a memory efficient fashion.

<form action="test.php" method="post">
                        ^^^^^^^^^^^^^

Okay, this was stupid and I will be embarassing myself in public, but I knocked up a little test script for something in PHP and when my $_POST array was empty, StackOverflow is the first place I looked and I didn't find the answer I needed.

I had only written

<form action="test.php">

and forgotten to specify the method as being POST!

I am sure someone will snigger, but if this helps someone else who does the same thing, then I don't mind! We all do it from time to time!

Don't have an elegant solution at this point but wanted to share my findings for the future reference of others who encounter this problem. The source of the problem was 2 overriden php values in an .htaccess file. I had simply added these 2 values to increase the filesize limit for file uploads from the default 8MB to something larger -- I observed that simply having these 2 values in the htaccess file at all, whether larger or smaller than the default, caused the issue.

php_value post_max_size xxMB
php_value upload_max_filesize xxMB

I added additional variables to hopefully raise the limits for all the suhosin.post.xxx/suhosin.upload.xxx vars but these didn't have any effect with this problem unfortunately.

In summary, I can't really explain the "why" here, but have identified the root cause. My feeling is that this is ultimately a suhosin/htaccess issue, but unfortunately one that I wasn't able to resolve other than to remove the 2 php overridden values above.

Hope this helps someone in the future as I killed a handful of hours figuring this out. Thanks to all who took the time to help me with this (MrMage, Andrew)

In my case, when posting from HTTP to HTTPS, the $_POST comes empty. The problem was, that the form had an action like this //example.com When I fixed the url to https://example.com, the problem disappeared.

same issue here!

i was trying to connect to my local server code via post request in postman, and this problem wasted my time alot!

for anyone who uses local project (e.g. postman): use your IPv4 address (type ipconfig in cmd) instead of the "localhost" keyword. in my case:

before:

localhost/app/login

after:

192.168.1.101/app/login

Make sure that the name property of each field is defined.

This create you an empty POST on PHP

<input type="text" id="Phone">

But, this will work

<input type="text" name="Phone" id="Phone">

I had the same problem. The problem was .htaccess.

I have a HTTPS rewrite rule and was sending the post requests to http:// instead of https://. The post request cleared due to redirect.

REFERENCE: http://www.openjs.com/articles/ajax_xmlhttp_using_post.php

POST method

We are going to make some modifications so POST method will be used when sending the request...

var url = "get_data.php";
var params = "lorem=ipsum&name=binny";
http.open("POST", url, true);

//Send the proper header information along with the request
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-length", params.length);
http.setRequestHeader("Connection", "close");

http.onreadystatechange = function() {//Call a function when the state changes.
  if(http.readyState == 4 && http.status == 200) {
    alert(http.responseText);
  }
}
http.send(params);

Some http headers must be set along with any POST request. So we set them in these lines...

http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-length", params.length);
http.setRequestHeader("Connection", "close");

With the above lines we are basically saying that the data send is in the format of a form submission. We also give the length of the parameters we are sending.

http.onreadystatechange = function() {//Call a function when the state changes.
  if(http.readyState == 4 && http.status == 200) {
    alert(http.responseText);
  }
}

We set a handler for the 'ready state' change event. This is the same handler we used for the GET method. You can use the http.responseText here - insert into a div using innerHTML(AHAH), eval it(JSON) or anything else.

http.send(params);

Finally, we send the parameters with the request. The given url is loaded only after this line is called. In the GET method, the parameter will be a null value. But in the POST method, the data to be send will be send as the argument of the send function. The params variable was declared in the second line as lorem=ipsum&name=binny - so we send two parameters - 'lorem' and 'name' with the values 'ipsum' and 'binny' respectively.

I know this is old, but wanted to share my solution.

In my case the issue was in my .htaccess as I added variables to raise my PHP's max upload limit. My code was like this:

php_value post_max_size 50MB
php_value upload_max_filesize 50MB

Later I notice that the values should like xxM not xxMB and when I changed it to:

php_value post_max_size 50M
php_value upload_max_filesize 50M

now my $_POST returned the data as normal before. Hope this helps someone in the future.

For me, .htaccess was redirecting when mod_rewrite wasn't installed. Install mod_rewite and all is fine.

Specifically:

<IfModule !mod_rewrite.c>
  ErrorDocument 404 /index.php
</Ifmodule>

was executing.

In my case it was because I was using jQuery to disable all inputs on the page just before using jQuery to submit the form. So I changed my "disable every input even the 'hidden' types":

$(":input").attr("disabled","disabled"); 

to "disable only the 'button' type inputs":

$('input[type=button]').attr('disabled',true);

This was so the user couldn't accidentally hit the 'go' button twice and hose up our DB! It seems that if you put the 'disabled' attribute on a 'hidden' type form input their values won't be sent over if the form is submitted!

I just spent hours to fix a similar issue. The problem in my case, was the the

max_input_vars = "1000"

by default, in the php.ini. I had a really huge form without uploads. php.ini is set to upload_max_filesize = "100M" and post_max_size = "108M" and it was surely not the issue in my case. PHP behavior is the same for max_input_vars when it exceeds 1000 variables in the form. It returns and empty _POST array. I wish I could have found that one hours, and hours ago.

Another simple reason for an empty POST array can be caused by not closing a form with and then adding a second

...

. When the second form is submitted the POST array will be empty.

In addition to MRMage's post:

I had to set this variable to solve the problem that some $_POST variables (with an large array > 1000 items) disappeared:

suhosin.request.max_vars = 2500

"request", not "post" was the solution...

I was getting the following error from Mod Security:

Access denied with code 500 (phase 2). Pattern match "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "345"] [id "300013"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]

Once I removed my mod security configuration to test, it all worked as expected. Now I just need to modify my rules to stay secure but flexible enough for my needs :)

Not the most convenient solution perhaps, but I figured it out that if I set the form action attribute to the root domain, index.php can be accessed and gets the posted variables. However if I set a rewritten URL as action, it does not work.

This is sort of similar to what @icesar said.

But I was trying to post stuff to my api, located in site/api/index.php, only posting to site/api since it gets passed on to index.php by itself. This however, apparently cause something to get messed up, as my $_POST got emptied on the fly. Simply posting to site/api/index.php directly instead solved it.

My problem was that I was using the HTML <base> tag to change the base URL of my test site. Once I removed that tag from the header, the $_POST data came back.

In my case (php page on OVH mutualisé server) enctype="text/plain" does not work ($_POST and corresponding $_REQUEST is empty), the other examples below work. `

<form action="?" method="post">
<!-- in this case, my google chrome 45.0.2454.101 uses -->
<!--     Content-Type:application/x-www-form-urlencoded -->
    <input name="say" value="Hi">
    <button>Send my greetings</button>
</form>

<form action="?" method="post" enctype="application/x-www-form-urlencoded">
    <input name="say" value="Hi">
    <button>Send my application/x-www-form-urlencoded greetings</button>
</form>

<form action="?" method="post"  enctype="multipart/form-data">
    <input name="say" value="Hi">
    <button>Send my multipart/form-data greetings</button>
</form>

<form action="?" method="post" enctype="text/plain"><!-- not working -->
    <input name="say" value="Hi">
    <button>Send my text/plain greetings</button>
</form>

`

More here: https://stackoverflow.com/questions/7628249/method-post-enctype-text-plain-are-not-compatible

Make sure you use name="your_variable_name" in input tag.

I mistakenly use id="your_variable_name".

I spent much time to catch the bug.

I run into the same issue also when I migrated to new server. setting the value for post_max_size in the php.ini file fixed my issue.

OK, I thought that I should put my case here .... I was getting the post array empty in specific cases .. The form works well, but some times users complain that they hit submit button, and nothing happens ..... After digging for a while, I discovered that my hosting company has a security module that checks users inputs and clears the whole post array (not only the malicious data) if it discovers so. In my example, a math teacher was trying to enter the equation: dy + dx + 0 = 0; and data was wiped completely.

To fix this, I just advise him now to enter the data in the text area as dy + dx + 0 = zero, and now it works .... This can save someone some time ..