$_POST['input'] into PHP define string

Question

I am attempting to insert the $_POST inputs from a form into a php page. Is there any reason that this shouldn't work? I'm not getting any errors, but I am also not getting the intended result

HTML

<form action="cross-domain-page.php" method="post">
<input type="text" name="phone" value="555555555">
<input type="text" name="fname" value="john">
<input type="text" name="lname" value="doe">
<input type="text" name="email" value="[email protected]">
<input type="text" name="attr" value="<xml>xml-value</xml>">
<input type="submit" name="submit" value="submit">
</form>

---

PHP

<?php
/*
$phone = $_POST['phone'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$attr = $_POST['attr'];
*/
/**
 * Define POST URL and also payload
 */
define('XML_PAYLOAD', '<subscriptions><opt_in>invite</opt_in><user><mobile-phone>' . $_POST['phone'] . '</mobile-phone><first-name>' . $_POST['fname'] . '</first-name><last-name>' . $_POST['lname'] . '</last-name><email>' . $_POST['email'] . '</email>' . $_POST['attr'] . '</user></subscriptions>');
define('XML_POST_URL', $_POST['URL']);

/**
 * Initialize handle and set options
 */
$username = 'username';
$password = 'password';
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/xml'));
curl_setopt($ch, CURLOPT_URL, XML_POST_URL);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC ) ; 
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 4);
curl_setopt($ch, CURLOPT_POSTFIELDS, XML_PAYLOAD);
curl_setopt($ch, CURLOPT_VERBOSE, true);


/**
 * Execute the request and also time the transaction
 */
$start = array_sum(explode(' ', microtime()));
$result = curl_exec($ch);
$stop = array_sum(explode(' ', microtime()));
$totalTime = $stop - $start;

/**
 * Check for errors
 */
if ( curl_errno($ch) ) {
    $result = 'cURL ERROR -> ' . curl_errno($ch) . ': ' . curl_error($ch);
} else {
    $returnCode = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    switch($returnCode){
        case 200:
            break;
        default:
            $result = 'HTTP ERROR -> ' . $returnCode;
            break;
    }
}

/**
 * Close the handle
 */
curl_close($ch);

/**
 * Output the results and time
 */
echo 'Total time for request: ' . $totalTime . "\n";
echo $result;  

/**
 * Exit the script
 */
exit(0);
?>

Answer 1

1. What is the intended result? Assuming that the constant XML_PAYLOAD should contain the XML with the inserted values...
2. What is the symptom?
3. It may also help to post the html code of the form you are using to send the post data.
4. Besides: all input should be XML encoded when embedded into an XML document. Think of XSS attacks that exploit potential vulnerabilities of the component reading the XML document - or input being sent that is simply not valid XML.

Answer 2

Use this instead

 define('XML_POST_URL', $_POST['URL']);

Sidenote: it's very bad practice to be defining user input as constants..