Using curl to test POST data: Difference between revisions

Revision as of 20:31, 24 April 2013

Basic request passing variables as POST

Use --data or -d option to pass variables to the page.

$ curl -d "user=mylogin&pass=mypass&foo=bar&biz=bash" http://www.mydomain.com/mypage/

Request using basic authentication

Use --user or -u option.

$ curl -u mylogin:mypass -d "user=mylogin&pass=mypass&foo=bar&biz=bash" http://www.mydomain.com/mypage/

Request using Windows integrated authentication

Add --ntlm option.

$ curl -u mylogin:mypass --ntlm -d "user=mylogin&pass=mypass&foo=bar&biz=bash" http://www.mydomain.com/mypage/

Special characters in username or password

Escape special characters with back slash.

$ curl -u mylogin:myp\&ss --ntlm -d "user=mylogin&pass=mypass&foo=bar&biz=bash" http://www.mydomain.com/mypage/

Storing arguments in a text file

Content of file, saved as curlargs.txt:

-d foo=bar&biz=bash http://localhost/mytestpage.html

Run curl using contents of curlargs.txt (in a bash shell):

$ cat curlargs.txt | xargs -n3 curl

Handling quotes in POST data

Problem: The value of the -d or --data argument (typically a JSON string) contains either a single or double quote:

# Error is thrown when it hits the first quote in the ''title'' string.
curl -d '{ "id": "6650", "title": "A record title containing 'quotes'."}' http://mydomain.com/path/to/page/

Solution: Use the @ character to read the data from a separate file.

Curl arguments stored in curargs.txt:

-d @jsondata.txt http://mydomain.com/path/to/page/

Contents of jsondata.txt:

{ "id": "6650", "title": "A record title containing 'quotes'."}

Then pass the contents of the two files to curl with

$ cat curlargs.txt | xargs -n3 curl

Sending POST requests to Django projects

Because of Cross Site Request Forgery protection in Django, POST requests have to include a CSRF token generated by the Django app.

It's not really practical or safe to generate the token so it can be used with curl.

Instead right above the Django view that is being called, place an CSRF exemption:

from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_view(request):
    return HttpResponse('Hello world')

It's possible to pass the token with curl:

curl
 -X POST
 -d "email=test@test.com&a=1&csrfmiddlewaretoken=<inserttoken>"
 --cookie "csrftoken=[as above]"
 http://127.0.0.1:8083/registrations/register/

It's also possible to use --header "X-CSRFToken: <token>" instead of including it in the form data.

@@ Line 14: / Line 14: @@
 $ curl -u mylogin:mypass --ntlm -d "user=mylogin&pass=mypass&foo=bar&biz=bash" http://www.mydomain.com/mypage/
 </syntaxhighlight>
-==Special characters in username or password==
+== Special characters in username or password ==
 Escape special characters with back slash.
 <syntaxhighlight lang="bash">
@@ Line 54: / Line 56: @@
 $ cat curlargs.txt | xargs -n3 curl
 </syntaxhighlight>
+== Sending POST requests to Django projects ==
+Because of [https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ Cross Site Request Forgery protection] in Django, POST requests have to include a CSRF token generated by the Django app.
+It's not really practical or safe to generate the token so it can be used with `curl`.
+Instead right above the Django view that is being called, place an CSRF exemption:
+<syntaxhighlight lang="python">
+from django.views.decorators.csrf import csrf_exempt
+@csrf_exempt
+def my_view(request):
+    return HttpResponse('Hello world')
+</syntaxhighlight>
+It's possible to pass the token with `curl`:
+<syntaxhighlight lang="bash">
+curl
+ -X POST
+ -d "email=test@test.com&a=1&csrfmiddlewaretoken=<inserttoken>"
+ --cookie "csrftoken=[as above]"
+ http://127.0.0.1:8083/registrations/register/
+</syntaxhighlight>
+It's also possible to use `--header "X-CSRFToken: <token>"` instead of including it in the form data.
 [[Category:Web Development]]