  • Use of javascript (Score:3, Insightful)

    by 2shortplanks (968) on 2002.09.05 10:15 (#12530) Homepage Journal
    I've just been working on something similar. You know that you can assign a keyword to bookmarks in Google? And that if you put a '%s' in the URL you can type 'keyword $string' into the URL bar and have the URL called with %s changed to a urlencoded version of $string.

    This works all very well until something needs a POST not a GET. So I have this script that takes any request and resubmits it to the defined url as a post:


    # force as a hardcoded value for security reasons
    use constant URL => "";

    use CGI;
    my $q = CGI->new();

    # start the page
    print $q->header;
    print $q->start_html(-onLoad => "document.myform.submit()");
    print "Please wait...";

    # start the form
    print $q->start_form(-name   => "myform",
                         -action => URL);

    # print out all values
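    # (array ref keeps every value of a multi-valued parameter and
    #  avoids calling param() in list context inside the argument list)
    foreach my $name ($q->param()) {
      print $q->hidden(-name  => $name,
                       -value => [ $q->param($name) ]) . "\n";
    }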

    print $q->end_form;
    print $q->end_html;

    Now the important thing to note is that this script doesn't even have a submit button - as soon as the page is loaded javascript submits the page.

    Of course this will only work if you know they have javascript enabled (which in this case I do - it's my browser)

  • What's to stop somebody from editing the HTML page with the hidden variables before it gets submitted to the second CGI script? You'd need to do some kind of md5/sha1 checksum of the submitted data and validate it, surely?


    • Hmmm.... good point. This obviously isn't going to be quite as simple as I expected.

      • You only need security there if they can do anything bad with what they submit, i.e. generally if they can somehow change the price. Normally, they shouldn't be able to, you'd only send the ID of a product and how many of it they're taking and let the remote end do the math using prices in its store. Of course, it wouldn't be the first time I see an online sales system with that kind of hole...


        -- Robin Berjon
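
The validation idea raised in this sub-thread, as an added example that is not code from any of the posters: the first script signs the hidden fields and the second script rejects any submission whose fields no longer match. It uses a keyed HMAC (Digest::SHA) rather than a bare md5/sha1 digest, because a user who edits the fields could recompute an unkeyed checksum. The field names, the secret and the helper names are assumptions, and both scripts are assumed to share the secret.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret that is never sent to the browser.
my $SECRET = 'constructed-demo-secret-change-me';

# Canonical form: sorted names, with each name and value length-prefixed so
# that ("a","bc") and ("ab","c") cannot serialise to the same string.
sub canonical {
    my ($fields) = @_;
    return join '', map {
        my $v = $fields->{$_};
        length($_) . ':' . $_ . length($v) . ':' . $v
    } sort keys %$fields;
}

# MAC over all hidden fields; emitted as one extra hidden field.
sub sign_fields {
    my ($fields) = @_;
    return hmac_sha256_hex(canonical($fields), $SECRET);
}

# Recompute the MAC on the receiving side and compare in constant time.
sub verify_fields {
    my ($fields, $mac) = @_;
    my $expected = sign_fields($fields);
    return 0 unless defined $mac && length($mac) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0;
}

# Constructed sample: the hidden fields the first script would print.
my %fields = (product_id => '1234', quantity => '2', price => '19.99');
my $mac    = sign_fields(\%fields);

print "untouched: ", (verify_fields(\%fields, $mac) ? "accepted" : "rejected"), "\n";

# The page is edited before it submits itself: price changed.
my %tampered = (%fields, price => '0.01');
print "tampered:  ", (verify_fields(\%tampered, $mac) ? "accepted" : "rejected"), "\n";

# A field is removed entirely.
my %dropped = %fields;
delete $dropped{price};
print "dropped:   ", (verify_fields(\%dropped, $mac) ? "accepted" : "rejected"), "\n";
```

The MAC only shows that the fields are the ones the server issued; it does not stop a validly signed form from being submitted again later, so a timestamp or one-time token would have to be included in the signed fields for that.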

  • I haven't done much in the way of cookies, but conceptually they are sort of like a key=valkey=valkey=val hash, right? So, you get a cookie from the CC site on behalf of the user, and quote/escape/whatever to it, and set it as the value of one of those keys in a cookie you send to the user. Then, decode it when you get it back.

    Maybe. :)

    J. David works really hard, has a passion for writing good software, and knows many of the world's best Perl programmers