Simple HTML POST without any server scripting, can be done using JS - javascript

I want to pass some textbox value strictly using POST from one html page to another...
how can this be done without using any server side language like asp.net or php
can it be done using javascript??
thnx

You can't read POST data in any way on javascript so this is not doable.
Here you can find similar questions:
http://forums.devshed.com/javascript-development-115/read-post-data-in-javascript-1172.html
http://www.sitepoint.com/forums/showthread.php?454963-Getting-GET-or-POST-variables-using-JavaScript
This reading can also be interesting: http://en.wikipedia.org/wiki/POST_%28HTTP%29
This expecially suggests why this answer (wikipedia is the source):
GET
Requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect.
(This is also true of some other HTTP methods.)[1] The W3C has
published guidance principles on this distinction, saying, "Web
application design should be informed by the above principles, but
also by the relevant limitations."[10] See safe methods below.
POST
Submits data to be processed (e.g., from an HTML form) to the identified resource. The data is included in the body of the request.
This may result in the creation of a new resource or the updates of
existing resources or both.
POST data is added to the request. When you do a GET request the data is added to the url, and that's why you can access it through javascript (and that's why it's not parsed and you have to do it manually). Instead, POST send data directly into the http requests, which is not seen in any way by the html page (which is just a part of what is sent through the http request).
That said, only server side language will receive the full HTTP request, and definitely you can' access it by javascript.
I'm sorry but that is the real answer

Related

ContactForm 7 and javascript to capture form data

I have a WordPress site and i use a cf7 form to make a booking enquiry. When the form is submitted an email is send to my info#.. and also a custom php file i made is passing data from the form to a CRM platform.
I use JS on_mail_sent action and i capture all the values of the form and im passing it to the php file via query (.php?id=id&......).
I want to ask if this method is acceptable or i must use another method. For example is there any way certain browsers for some reasons dont support javascript?
Thank you.
The better solution to use POST method to submit form.
About difference between Get and Post:
GET requests a representation of the specified resource. Note that GET should not be used for operations that cause side-effects, such as using it for taking actions in web applications. One reason for this is that GET may be used arbitrarily by robots or crawlers, which should not need to consider the side effects that a request should cause.
POST submits data to be processed (e.g., from an HTML form) to the identified resource. The data is included in the body of the request. This may result in the creation of a new resource or the updates of existing resources or both.
HTTP/1.1 specification (RFC 2616) section 9 Method Definitions contains more information on GET and POST as well as the other HTTP methods.
One more important moment:
Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead.
All popular browsers supports Javascript.
Regards.

Security issue with WebService [Get] Requests?

After reading the famous (and only) article about trying to explain why asmxs should NOTallow Get requests
so we shouldn't use : [ScriptMethod(UseHttpGet = true)] , I still I have a question :
Why ?
Web service , as its name is a service , he doesn't suppose to care if it's GET or POST :
Even if a person do a CSRF : like embedding in his malicious site :
<script type="text/javascript" src="http://contoso.com/StockService/Stock.asmx/GetQuotes?symbol=msft" />
so what ?
Via asmx POV - it is just a normal request.
Can someone please spot for me the problem with example ?
edit
there are many problems solved with new browsers.
this link shows some other methods which should be tested in new browsers.
JSON hijacking is briefly explained in this article.
Let's suppose that you have a web service that returns a list of credit card numbers to the currently authenticated user:
[{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"},
{"id":"1002","ccnum":"5555555555554444","balance":"10345.00"},
{"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]
Here's how the attack could be performed:
Get an authenticated user to visit a malicious page.
The malicious page will try and access sensitive data from the application that the user is logged into. This can be done by embedding a script tag in an HTML page since the same-origin policy does not apply to script tags. <script src="http://<json site>/json_server.php"></script>. The browser will make a GET request to json_server.php and any authentication cookies of the user will be sent along with the request.
At this point while the malicious site has executed the script it does not have access to any sensitive data. Getting access to the data can be achieved by using an object prototype setter. In the code below an object prototypes property is being bound to the defined function when an attempt is being made to set the "ccnum" property.
Object.prototype.__defineSetter__('ccnum',function(obj) {
secrets = secrets.concat(" ", obj);
});
At this point the malicious site has successfully hijacked the sensitive financial data (ccnum) returned by json_server.php.
There are also other forms of JSON hijacking techniques which do not rely on the browser support for the __defineSetter__ function. That's just one way to conduct the attack but there are many others as described in this article such as Array constructor clobbering, UTF-7, ES5 functionality.
For this reason, GET requests returning JSON are disabled by default in ASP.NET.
Well if you follow the article that is then linked in the one you provided which can be found here: http://ajax.asp.net/docs/overview/AsynchronousLayerOverview.aspx, you can then read on and the only reason it specifically specifies is this:
GET requests are not recommended for method calls that modify data on
the server or that expose critical information. In GET requests, the
message is encoded by the browser into the URL and is therefore an
easier target for tampering. For both GET and POST requests, you
should follow security guidelines to protect sensitive data.

Ajax process from point of initiating a request to user seeing result?

I'm looking for a straight forward list(with any notable information to match the point) of the separate processes involved from initiating the request object to the user seeing the end result in AJAX?
Thanks.
Okay, I'll give it a shot.
Initiate a request to the server from JavaScript. At some level this is XmlHttpRequest but you are better off using a library such as jQuery to help.
Get a response back from the server. Usually the response is JSON or HTML. Using XML is not recommended because parsing XML in JavaScript is not fun.
Update the HTML DOM to show the results from the server. This is very application-specific. But again using jQuery or some other library makes this easier.

javascript call url from different domain

I want to post some data via javascript to another domain. Something like:
http://www.othersite.com/submitfunnyname?name=blah
The other site (othersite.com) has a REST interface that you can call (well actually this is a get example) to submit a funny name to them.
Can I do this already with javascript? I'm a little confused on this - I know if that service wants to return some data, I'd need to use something like JSON-P - even though here I'm submitting some data, I guess the service will return some message structure letting me know the result, so it would have to be JSON-P, right?
Thanks
Not a particular expert in JavaScript, but isn't this an example of "cross-site scripting", which is not allowed due to possible security threats?
I believe you need to have all HTTP calls being made to the same server domain as the page. You could have a handler on your own site pass the information on to the othersite.com.
You can either use JSON-P if the site supports it, or you can use your web server as a proxy - by making requests to your server, which will in turn use a library such as cURL to make the actual request to the remote site.

Can Django/Javascript handle conditional "Ajax" responses to HTTP POST requests?

How do I design a Django/Javascript application to provide for conditional Ajax responses to conventional HTTP requests?
On the server, I have a custom-built Form object. When the browser POSTS the form's data, the server checks the submitted data against existing data and rules (eg, if the form adds some entity to a database, does that entity already exist in the database?). If the data passes, the server saves, generates an ID number and adds it to the form's data, and passes the form and data back to the browser.
if request.method == 'POST':
formClass = form_code.getCustomForm()
thisForm = formClass(data=request.POST)
if thisForm.isvalid():
saveCheck = thisForm.saveData()
t = loader.get_template("CustomerForm.html")
c = Context({ 'expectedFormObj': thisForm })
(Note that my custom logic checking is in saveData() and is separate from the html validation done by isvalid().)
So far, standard Django (I hope). But if the data doesn't pass, I want to send a message to the browser. I suppose saveData() could put the message in an attribute of the form, and the template could check for that attribute, embed its data as javascript variable and include a javascript function to display the message. But passing all that form html back, just to add one message, seems inelegant (as does the standard Django form submission process, but never mind). In that case I'd like to just pass back the message.
Now I suppose I could tie a Javascript function to the html form's onsubmit event, and have that issue an XMLHttpRequest, and have the server respond to that based on the output of the saveData() call. But then the browser has two requests to the server outstanding (POST and XHR). Maybe a successful saveData() would rewrite the whole page and erase any potential for conflict. But I'd also have to get the server to sequence its response to the XHR to follow the response to the POST, and figure out how to communicate the saveData outcome to the response to the XHR. I suppose that is doable, even without the thread programming I don't know, but it seems messy.
I speculate that I might use javascript to make the browser's response conditional to something in the response to the POST request (either rewrite the whole page, or just display a message). But I suspect that the page's javascript hands control over the browser with the POST request, and that any response to the POST would just rewrite the page.
So can I design a process to pass back the whole form only if the server-side saveData() works, and a message that is displayed without rewriting the entire form if saveData() doesn't? If so, how?
Although you can arrange for your views to examine the request data to decide if the response should be an AJAXish or plain HTML, I don't really recommend it. Put AJAX request handlers in a separate URL structure, for instance all your regular html views have urls like /foo/bar and a corresponding api call for the same info would be /ajax/foo/bar.
Since most views will examine the request data, then do some processing, then create a python dictionary and pass that to the template engine, you can factor out the common parts to make this a little easier. the first few steps could be a generic sort of function that just returns the python dictionary, and then actual responses are composed by wrapping the handler functions in a template renderer or json encoder.
My usual workflow is to initially assume that the client has no javascript, (which is still a valid assumption; many mobile browsers have no JS) and implement the app as static GET and POST handlers. From there I start looking for the places where my app can benefit from a little client side scripting. For instance I'll usually redesign the forms to submit via AJAX type calls without reloading a page. These will not send their requests to the same URL/django view as the plain html form version would, since the response needs to be a simple success message in plain text or html fragment.
Similarly, getting data from the server is also redesigned to respond with a concise JSoN document to be processed into the page on the client. This also would be a separate URL/django view as the corresponding plain html for that resource.
When dealing with AJAX, I use this:
from django.utils import simplejson
...
status = simplejson.dumps({'status': "success"})
return HttpResponse(status, mimetype="application/json")
Then, AJAX (jQuery) can do what it wants based on the return value of 'status'.
I'm not sure exactly what you want with regards to forms. If you want an easier, and better form experience, I suggest checking out uni-form. Pinax has a good implementation of this in their voting app.
FYI, this isn't an answer...but it might help you think about it a different way
Here's the problem I'm running into...Google App Engine + jQuery Ajax = 405 Method Not Allowed.
So basically I get the thing to work using the outlined code, then I can't make the AJAX request :(.

Categories