php://stdin, php://stdout and php://stderr allow direct access to the corresponding input or output stream of the PHP process. The stream references a duplicate file descriptor, so if you open php://stdin and later close it, you close only your copy of the descriptor--the actual stream referenced by STDIN is unaffected. Note that PHP exhibited buggy behavior in this regard until PHP 5.2.1. It is recommended that you simply use the constants STDIN, STDOUT and STDERR instead of manually opening streams using these wrappers.
php://output allows you to write to the output buffer mechanism in the same way as print() and echo().
php://input allows you to read raw POST data. It is a less memory intensive alternative to $HTTP_RAW_POST_DATA and does not need any special php.ini directives. php://input is not available with enctype="multipart/form-data".
Note: php://input can only be read once.
php://stdin and php://input are read-only, whereas php://stdout, php://stderr and php://output are write-only.
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read.
The php://filter target takes the following 'parameters' as parts of its 'path'.
/resource=<stream to be filtered> (required) This parameter must be located at the end of your php://filter specification and should point to the stream which you want filtered.
<?php
/* This is equivalent to simply:
readfile("http://www.example.com");
since no filters are actually specified */
readfile("php://filter/resource=http://www.example.com");
?>
/read=<filter list to apply to read chain> (optional) This parameter takes one or more filternames separated by the pipe character |.
<?php
/* This will output the contents of
www.example.com entirely in uppercase */
readfile("php://filter/read=string.toupper/resource=http://www.example.com");
/* This will do the same as above
but will also ROT13 encode it */
readfile("php://filter/read=string.toupper|string.rot13/resource=http://www.example.com");
?>
/write=<filter list to apply to write chain> (optional) This parameter takes one or more filternames separated by the pipe character |.
<?php
/* This will filter the string "Hello World"
through the rot13 filter, then write to
example.txt in the current directory */
file_put_contents("php://filter/write=string.rot13/resource=example.txt","Hello World");
?>
The php://memory wrapper stores the data in the memory. php://temp behaves similarly, but uses a temporary file for storing the data when a certain memory limit is reached (the default is 2 MB).
The php://temp wrapper takes the following 'parameters' as parts of its 'path':
/maxmemory:<number of bytes> (optional). This parameter allows changing the default value for the memory limit (when the data is moved to a temporary file).
<?php
$fiveMBs = 5 * 1024 * 1024;
$fp = fopen("php://temp/maxmemory:$fiveMBs", 'r+');
fputs($fp, "hello\n");
// read what we have written
rewind($fp);
echo stream_get_contents($fp);
?>
Attribute | Supported |
---|---|
Restricted by allow_url_fopen | No |
Restricted by allow_url_include | php://input, php://stdin, php://memory and php://temp only. |
Allows Reading | php://stdin, php://input, php://memory and php://temp only. |
Allows Writing | php://stdout, php://stderr, php://output, php://memory and php://temp only. |
Allows Appending | php://stdout, php://stderr, php://output, php://memory and php://temp only. (Equivalent to writing) |
Allows Simultaneous Reading and Writing | php://memory and php://temp only. |
Supports stat() | php://memory and php://temp only. |
Supports unlink() | No |
Supports rename() | No |
Supports mkdir() | No |
Supports rmdir() | No |
Supports stream_select() | php://stdin, php://stdout, php://stderr and php://temp. |