PHP Curl Twitter Check if data is correct


-1

I was able to do what I wanted, but how do I check to see if the user data is correct?

In my previous question I asked how to get all the cookies if the user and password really exist on Twitter; I managed to do this with the code I will put here.

But how do I verify that the data is correct?

If it is correct, show the message: Correct login and password; otherwise show: Incorrect login and password.

My code:

<?php

$username = 'pdosilva1020';
$password = '';

function start($username, $password) {
    $request = curl_init();
    curl_setopt_array($request, [
            CURLOPT_URL                         => 'https://twitter.com',
            CURLOPT_CUSTOMREQUEST       => 'GET',
            CURLOPT_RETURNTRANSFER  => true,
            // Keep TLS certificate and host name verification on: this handle carries the login data
            CURLOPT_SSL_VERIFYPEER  => true,
            CURLOPT_SSL_VERIFYHOST  => 2,
            CURLOPT_HEADER                  => true,
            CURLOPT_COOKIEJAR               => getcwd() . '/cookies/' . $username . '.txt',
            CURLOPT_USERAGENT               => $_SERVER['HTTP_USER_AGENT'],
            CURLOPT_HEADERFUNCTION  => function($curl, $header) use (&$cookie) {
                if (stripos($header, 'Set-Cookie:') === 0) {
                    if (preg_match('/^Set-Cookie: \s*([^;]*)/i', $header, $matches)) {
                        $cookie .= $matches[1] . '; ';
                    }
                }
                return strlen($header);
            }
        ]
    );
    $response = curl_exec($request);

    preg_match('/value="(.*?)" name="authenticity_token"/', $response, $matches);

    $authenticity_token = $matches[1];

    $post_fields = http_build_query([
        'session' => [
            'username_or_email' => $username,
            'password'                  => $password
        ],
            'return_to_ssl'                 => true,
            'scribe_log'                        => '',
            'redirect_after_login'  => '/',
            'authenticity_token'        => $authenticity_token
        ]
    );

    curl_setopt_array($request, [
            CURLOPT_URL                         => 'https://twitter.com/sessions',
            CURLOPT_CUSTOMREQUEST       => 'POST',
            CURLOPT_POSTFIELDS          => $post_fields,
            CURLOPT_RETURNTRANSFER  => true,
            // Keep TLS certificate and host name verification on: the password is sent in this request
            CURLOPT_SSL_VERIFYPEER  => true,
            CURLOPT_SSL_VERIFYHOST  => 2,
            CURLOPT_HEADER                  => true,
            CURLOPT_FOLLOWLOCATION  => true,
            CURLOPT_COOKIE                  => $cookie,
            CURLOPT_USERAGENT               => $_SERVER['HTTP_USER_AGENT'],
            CURLOPT_HTTPHEADER          => [
                'accept-language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4',
                'content-type: application/x-www-form-urlencoded',
                'origin: https://twitter.com',
                'referer: https://twitter.com/login',
            ],
        ]
    );

    $response = curl_exec($request);
    curl_close($request);

}

var_dump(start($username, $password));
  • 3

    You left your user and password exposed in the code and still published here.

2 answers

1

The simplest solution I found was the following, in the curl request that sends my POST:

curl_setopt_array($request, [
        CURLOPT_URL                         => 'https://twitter.com/sessions',
        CURLOPT_CUSTOMREQUEST       => 'POST',
        CURLOPT_POSTFIELDS          => $post_fields,
        CURLOPT_RETURNTRANSFER  => true,
        // Keep TLS certificate and host name verification on: the password is sent in this request
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_HEADER                  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        // CURLOPT_COOKIE                   => $cookiesOBJ->cookies,
        CURLOPT_USERAGENT               => $_SERVER['HTTP_USER_AGENT'],
        CURLOPT_HTTPHEADER          => [
            'accept-language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4',
            'content-type: application/x-www-form-urlencoded',
            'origin: https://twitter.com',
            'referer: https://twitter.com/login',
        ],
    ]
);

$response = curl_exec($request);
curl_close($request);

I set CURLOPT_HEADER => false (it was true), and right after that I returned JSON:

if ($response === '') {
    echo json_encode([
            'error'     => false,
            'message'   => 'Logado com sucesso, aguarde...'
        ]
    );
} else {
    echo json_encode([
            'error'     => true,
            'message'   => 'Usuário e/ou Senha incorretos'
        ]
    );
}

Leaving CURLOPT_HEADER as false returns a body with errors if the data is wrong; if it is right, it returns an empty string, string = ''.

0


I believe that to answer this you can simply get your password wrong and right on Twitter and see the difference in the responses.

Based on this, the difference between the right and wrong password is that:

If you know how CURLOPT_HEADERFUNCTION works, then you know how to get the "Location" through it.


I recommend that you read the documentation, instead of doing Ctrl+C, Ctrl+V with no idea what your code is doing. Your code already uses the feature that could be used for this purpose.

As an example, you could use:

    CURLOPT_HEADERFUNCTION  => function($curl, $header) use (&$cookie, &$location) {
        if (stripos($header, 'Set-Cookie:') === 0) {
            if (preg_match('/^Set-Cookie: \s*([^;]*)/i', $header, $matches)) {
                $cookie .= $matches[1] . '; ';
            }
        }

        if (stripos($header, 'Location:') === 0) {
            $location = trim(str_ireplace('Location:', '', trim($header)));
        }

        return strlen($header);
    }

Now you have the $location; it must be defined beforehand as $location = ''. This should be done on your second request, obviously, because it is the one that logs in.

So you can do:

$location = trim(explode('?', $location)[0], '/');

switch ($location) {
    case 'https://twitter.com':
        echo 'Tudo certo';
        break;
    case 'https://twitter.com/account/access':
        echo 'Conta bloqueada';
        break;
    case 'https://twitter.com/account/login_verification':
        echo 'Conta exige 2FA';
        break;
    default:
        echo 'Senha inválida';
        break;
}

This is one of the million possibilities you have. Of course you should turn off CURLOPT_FOLLOWLOCATION, or it will follow the path and return a different value.


In the end you'll have something like:

function start($username, $password)
{
    $request = curl_init();
    $cookie = '';
    $location = '';

    curl_setopt_array($request, [
            CURLOPT_URL => 'https://twitter.com',
            CURLOPT_CUSTOMREQUEST => 'GET',
            CURLOPT_RETURNTRANSFER => true,
            // Keep TLS certificate and host name verification on: this handle carries the login data
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_HEADER => true,
            CURLOPT_COOKIEJAR => getcwd() . '/cookies/' . $username . '.txt',
            CURLOPT_USERAGENT => $_SERVER['HTTP_USER_AGENT'],
            CURLOPT_HEADERFUNCTION => function ($curl, $header) use (&$cookie) {
                if (stripos($header, 'Set-Cookie:') === 0) {
                    if (preg_match('/^Set-Cookie: \s*([^;]*)/i', $header, $matches)) {
                        $cookie .= $matches[1] . '; ';
                    }
                }
                return strlen($header);
            }
        ]
    );
    $response = curl_exec($request);

    preg_match('/value="(.*?)" name="authenticity_token"/', $response, $matches);

    $authenticity_token = $matches[1];

    $post_fields = http_build_query([
            'session' => [
                'username_or_email' => $username,
                'password' => $password
            ],
            'return_to_ssl' => true,
            'scribe_log' => '',
            'redirect_after_login' => '/',
            'authenticity_token' => $authenticity_token
        ]
    );

    curl_setopt_array($request, [
            CURLOPT_URL => 'https://twitter.com/sessions',
            CURLOPT_CUSTOMREQUEST => 'POST',
            CURLOPT_POSTFIELDS => $post_fields,
            CURLOPT_RETURNTRANSFER => true,
            // Keep TLS certificate and host name verification on: the password is sent in this request
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_COOKIE => $cookie,
            CURLOPT_USERAGENT => $_SERVER['HTTP_USER_AGENT'],
            CURLOPT_HEADERFUNCTION => function ($curl, $header) use (&$cookie, &$location) {
                if (stripos($header, 'Set-Cookie:') === 0) {
                    if (preg_match('/^Set-Cookie: \s*([^;]*)/i', $header, $matches)) {
                        $cookie .= $matches[1] . '; ';
                    }
                }

                if (stripos($header, 'Location:') === 0) {
                    $location = trim(str_ireplace('location: ', '', trim($header)));
                }

                return strlen($header);
            },

            CURLOPT_HTTPHEADER => [
                'accept-language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4',
                'content-type: application/x-www-form-urlencoded',
                'origin: https://twitter.com',
                'referer: https://twitter.com/login',
            ],
        ]
    );

    $response = curl_exec($request);
    curl_close($request);


    echo '<br>';
    echo $location = trim(explode('?', $location)[0], '/');

    switch ($location) {
        case 'https://twitter.com':
            echo 'Tudo certo';
            break;
        case 'https://twitter.com/account/access':
            echo 'Conta bloqueada';
            break;
        case 'https://twitter.com/account/login_verification':
            echo 'Conta exige 2FA';
            break;
        default:
            echo 'Senha inválida';
            break;
    }
}
  • Inkeliz, I used CURLOPT_HEADERFUNCTION in the first request to pick up cookies; I have no idea, would you have an example?

  • Using curlinfo_header_size and the DOMDocument, I saw these links but could not do it.

  • @Inkeliz, it can be done this way, but Twitter requires the use of CURLOPT_COOKIE. This way you cannot format the cookies correctly in the httpheaderfunction?

  • CURLOPT_HEADERFUNCTION allows you to get any header information. Cookies are just another header. CURLOPT_COOKIE expects a value in the format Nome=Valor;. So anything, including the HEADERFUNCTION, is able to produce this format.

  • OK, @Owl, that was the question I wanted to ask, but what other methods does HEADERFUNCTION support? I want to do several checks, one of them is whether the account is blocked. @Inkeliz

  • @Madmen, read the documentation... The HEADERFUNCTION allows you to obtain any header, any header sent. The Location is just one of them, and obviously you will get it.

  • @Inkeliz, marked as solved, however, only correct or incorrect login and password work, blocked account and check do not work as usual?

  • I can not test all possibilities, just tested: invalid password, correct password and the use of 2FA. The blocked account link was what you yourself reported on another issue. I edited the post and added exactly the function I used for tests.

  • What would 2FA be? I am kind of trying to use account/access to show the message but it's hard. @Inkeliz, would you be able to help me with this?

  • It doesn't work; of the links, only the case 'https://twitter.com' and the default work, the rest doesn't. If I do a var_dump on $header, even with the incorrect data it returns twitter.com and nothing else in Location:

  • @William, it is because the redirect flow is not as you are asked and I have no accounts to test. As I recall, it redirects to twitter.com and from there it goes to the other one (the /access). Maybe you can enable "FOLLOW_LOCATION" and get the active URL (CURLINFO_EFFECTIVE_URL). Then you would get the last page. ;)

  • @Inkeliz, I have several accounts to test; I already activated the follow Location and nothing.
