PHP 3.0.13 and up, php://output and php://input since PHP 4.3.0, php://filter since PHP 5.0.0
php://stdin, php://stdout and php://stderr allow access to the corresponding input or output stream of the PHP process.
php://input allows you to read raw POST data. It is a less memory intensive alternative to $HTTP_RAW_POST_DATA and does not need any special php.ini directives.
php://stdin and php://input are read-only, whereas php://stdout, php://stderr and php://output are write-only.
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read.
The php://filter target takes the following 'parameters' as parts of its 'path'.
/resource=<stream to be filtered> (required) This parameter must be located at the end of your php://filter specification and should point to the stream which you want filtered.
/read=<filter list to apply to read chain> (optional) This parameter takes one or more filternames separated by the pipe character |.
<?php /* This will output the contents of www.example.com entirely in uppercase */ readfile("php://filter/read=string.toupper/resource=http://www.example.com"); /* This will do the same as above but will also ROT13 encode it */ readfile("php://filter/read=string.toupper|string.rot13/resource=http://www.example.com"); ?>
/write=<filter list to apply to write chain> (optional) This parameter takes one or more filternames separated by the pipe character |.
/<filter list to apply to both chains> (optional) Any filter lists which are not prefixed specifically by read= or write= will be applied to both the read and write chains (as appropriate).
Table I-5. Wrapper Summary (For php://filter, refer to summary of wrapper being filtered.)
|Restricted by allow_url_fopen.||No|
|Allows Reading||php://stdin and php://input only.|
|Allows Writing||php://stdout, php://stderr, and php://output only.|
|Allows Appending||php://stdout, php://stderr, and php://output only. (Equivalent to writing)|
|Allows Simultaneous Reading and Writing||No. These wrappers are unidirectional.|