php:// —Accessing various I/O streams
PHP provides a number of miscellaneous I/O streams that allow access to PHP's own input and output streams, the standard input, output and error file descriptors, in-memory and disk-backed temporary file streams, and filters that can manipulate other file resources as they are read from and written to.
php://stdin,php://stdout andphp://stderr allow direct access to the corresponding input or output stream of the PHP process. The stream references a duplicate file descriptor, so if you openphp://stdin and later close it, you close only your copy of the descriptor-the actual stream referenced bySTDIN is unaffected. It is recommended that you simply use the constantsSTDIN,STDOUT andSTDERR instead of manually opening streams using these wrappers.
php://stdin is read-only, whereasphp://stdout andphp://stderr are write-only.
php://input is a read-only stream that allows you to read raw data from the request body.php://input is not available in POST requests withenctype="multipart/form-data" ifenable_post_data_reading option is enabled.
php://output is a write-only stream that allows you to write to the output buffer mechanism in the same way asprint andecho.
php://fd allows direct access to the given file descriptor. For example,php://fd/3 refers to file descriptor 3.
php://memory andphp://temp are read-write streams that allow temporary data to be stored in a file-like wrapper. One difference between the two is thatphp://memory will always store its data in memory, whereasphp://temp will use a temporary file once the amount of data stored hits a predefined limit (the default is 2 MB). The location of this temporary file is determined in the same way as thesys_get_temp_dir() function.
The memory limit ofphp://temp can be controlled by appending/maxmemory:NN, whereNN is the maximum amount of data to keep in memory before using a temporary file, in bytes.
Some PHP extensions may require a standard IO stream, and may attempt to cast a given stream to a standard IO stream. This cast can fail for memory streams as it requires the Cfopencookie() function to be available. This C function isnot available on Windows.
php://filter is a kind of meta-wrapper designed to permit the application offilters to a stream at the time of opening. This is useful with all-in-one file functions such asreadfile(),file(), andfile_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read.
Thephp://filter target takes the following parameters as part of its path. Multiple filter chains can be specified on one path. Please refer to the examples for specifics on using these parameters.
| Name | Description |
|---|---|
resource=<stream to be filtered> | This parameter is required. It specifies the stream that you would like to filter. |
read=<filter list to apply to read chain> | This parameter is optional. One or more filter names can be provided here, separated by the pipe character (|). |
write=<filter list to apply to write chain> | This parameter is optional. One or more filter names can be provided here, separated by the pipe character (|). |
<filter list to apply to both chains> | Any filter lists which are not prefixed byread= orwrite= will be applied to both the read and write chains as appropriate. |
| Attribute | Supported |
|---|---|
| Restricted byallow_url_fopen | No |
| Restricted byallow_url_include | php://input,php://stdin,php://memory andphp://temp only. |
| Allows Reading | php://stdin,php://input,php://fd,php://memory andphp://temp only. |
| Allows Writing | php://stdout,php://stderr,php://output,php://fd,php://memory andphp://temp only. |
| Allows Appending | php://stdout,php://stderr,php://output,php://fd,php://memory andphp://temp only. (Equivalent to writing) |
| Allows Simultaneous Reading and Writing | php://fd,php://memory andphp://temp only. |
| Supportsstat() | No. However,php://memory andphp://temp supportfstat(). |
| Supportsunlink() | No |
| Supportsrename() | No |
| Supportsmkdir() | No |
| Supportsrmdir() | No |
| Supportsstream_select() | php://stdin,php://stdout,php://stderr,php://fd andphp://temp only. |
Example #1 php://temp/maxmemory
This optional parameter allows setting the memory limit beforephp://temp starts using a temporary file.
<?php
// Set the limit to 5 MB.
$fiveMBs=5*1024*1024;
$fp=fopen("php://temp/maxmemory:$fiveMBs",'r+');
fputs($fp,"hello\n");
// Read what we have written.
rewind($fp);
echostream_get_contents($fp);
?>Example #2 php://filter/resource=<stream to be filtered>
This parameter must be located at the end of yourphp://filter specification and should point to the stream which you want filtered.
<?php
/* This is equivalent to simply:
readfile("http://www.example.com");
since no filters are actually specified */
readfile("php://filter/resource=http://www.example.com");
?>Example #3 php://filter/read=<filter list to apply to read chain>
This parameter takes one or more filternames separated by the pipe character|.
<?php
/* This will output the contents of
www.example.com entirely in uppercase */
readfile("php://filter/read=string.toupper/resource=http://www.example.com");
/* This will do the same as above
but will also ROT13 encode it */
readfile("php://filter/read=string.toupper|string.rot13/resource=http://www.example.com");
?>Example #4 php://filter/write=<filter list to apply to write chain>
This parameter takes one or more filternames separated by the pipe character|.
<?php
/* This will filter the string "Hello World"
through the rot13 filter, then write to
example.txt in the current directory */
file_put_contents("php://filter/write=string.rot13/resource=example.txt","Hello World");
?>Example #5 php://memory and php://temp are not reusable
php://memory andphp://temp are not reusable, i.e. after the streams have been closed there is no way to refer to them again.
<?php
file_put_contents('php://memory','PHP');
echofile_get_contents('php://memory');// prints nothingExample #6 php://input to read JSON data from the request body
This example demonstrates how to read raw JSON data from POST, PUT and PATCH requests usingphp://input.
<?php
$input=file_get_contents("php://input");
$json_array=json_decode(
json:$input,
associative:true,
flags:JSON_THROW_ON_ERROR
);
echo"Received JSON data: ";
print_r($json_array);
?>