[Javascript] Prepacking the HTTP_POST array from JavaScript

David Lovering dlovering at gazos.com
Tue Aug 26 11:30:46 CDT 2003


I agree, but the risk seems minimal if the added fields are generated AFTER
the submit, are one-time-use only, and get changed on every subsequent
transaction.  Also, I'm not one of these joes who believes every form should
have six million hidden fields just to store the machine state if the state
can be derived from other DOM objects elsewhere in the environment.

My impression was that a POST session limited the HTMLForm.action assignment
to just the name of the called form-handler.  Obviously, in a GET you can
hang stuff off of the URL portion of the ACTION declaration, but I'm
reluctant to try that in this instance without some assurance that it won't
put the forms-handler into La-La land.

-- Dave Lovering

----- Original Message ----- 
From: "Chris Tifer" <christ at saeweb.com>
To: "[JavaScript List]" <javascript at LaTech.edu>
Sent: Tuesday, August 26, 2003 9:20 AM
Subject: Re: [Javascript] Prepacking the HTTP_POST array from JavaScript


> One thing might be to change the .action property of the form, but:
>
> > Also, I don't want the user on the client machine to be able to
> > query those variables, as some of them may give them an edge in
> > penetrating aspects of the code I'd just as soon keep secure.
>
> Client-side and secure do not mix. I don't know what "security-related
> thingies" can possibly be done client-side that an advanced user can't
> figure out.
>
> Chris Tifer
> http://emailajoke.com
>
>
> ----- Original Message ----- 
> From: "David Lovering" <dlovering at gazos.com>
> To: "[JavaScript List]" <javascript at LaTech.edu>
> Sent: Tuesday, August 26, 2003 12:11 PM
> Subject: [Javascript] Prepacking the HTTP_POST array from JavaScript
>
>
> > Anybody have any insanely cute ways of pre-packing some additional
> > variables onto a HTTP_POST session (in addition to the form fields) prior
> > to invoking the appropriate htmlForm.submit() call?  I'd like to be able
> > to augment the formlist fields with some computed fields (mostly involving
> > security-related thingies), and I sure don't want to stick in any more
> > hidden fields if I can help it.  Also, I don't want the user on the client
> > machine to be able to query those variables, as some of them may give them
> > an edge in penetrating aspects of the code I'd just as soon keep secure.
> >
> > For example, if I have a form
> >
> > <form name='myForm' id='myForm' enctype='multipart/form-data' method='post' onsubmit='myCode.js' action='dosomething.php'>
> >   <table cellspacing=0 cellpadding=3 align='center' valign='top' border=0>
> >     <tr>
> >       <td align='right' valign='middle'>my input</td>
> >       <td align='left' valign='middle'><input type='text' size=30 name='my_input' value=''></td>
> >     </tr>
> >     <tr>
> >       <td></td>
> >       <td align='left' valign='middle'><input type='submit' value='submit'></td>
> >     </tr>
> >   </table>
> > </form>
> >
> > what must I insert in the code routine 'myCode.js' to add another field,
> > say 'authcode=F7A623' to the HTTP_POST_VARS array which is seen by
> > dosomething.php?
> >
> > With HTTP_GET variables it is simply a matter of packing the URL with the
> > variable-names, their values, and the appropriate separators.  Obviously,
> > with a POST this method doesn't strictly apply.
> >
> > [Don't get hung up on the PHP code issue -- the forms handler could be
> > almost anything].
> >
> > -- Dave Lovering
> >
> >
> > _______________________________________________
> > Javascript mailing list
> > Javascript at LaTech.edu
> > https://lists.LaTech.edu/mailman/listinfo/javascript
> >
>
>
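Added example, not part of the thread or of any poster's code: a one-time `authcode` of the kind discussed above only protects anything when the forms handler issues, checks and consumes it, because any value the page computes is readable by the user. The sketch uses Node.js for the handler side (the thread says the handler could be almost anything); `issueAuthcode`, `verifyAuthcode`, the in-memory store and the 5-minute lifetime are assumptions.

```javascript
// Added example: server-side, one-time-use authcode for a POSTed form.
// All names here are hypothetical; the store would be per-session server state.
const crypto = require('node:crypto');

const TTL_MS = 5 * 60 * 1000;   // assumed lifetime of an unused code
const pending = new Map();      // sessionId -> { digest, expires }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Called when the server renders the form; the returned code is sent to the
// client. It is not secret from the user, it is only unguessable in advance.
function issueAuthcode(sessionId, now = Date.now()) {
  const code = crypto.randomBytes(16).toString('hex');
  pending.set(sessionId, { digest: sha256(code), expires: now + TTL_MS });
  return code;
}

// Called by the forms handler on every POST, before any other processing.
function verifyAuthcode(sessionId, submitted, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId);    // one-time use: consumed on any attempt
  if (!entry || typeof submitted !== 'string' || now > entry.expires) {
    return false;
  }
  // Compare fixed-length digests in constant time.
  return crypto.timingSafeEqual(entry.digest, sha256(submitted));
}

// Constructed walk-through: a valid submit, a replay, and a client-invented value.
function demo() {
  const code = issueAuthcode('session-A');
  const first = verifyAuthcode('session-A', code);    // accepted
  const replay = verifyAuthcode('session-A', code);   // rejected: already used
  issueAuthcode('session-B');
  const invented = verifyAuthcode('session-B', 'F7A623'); // rejected: not issued
  return { first, replay, invented };
}
```

The handler trusts nothing the browser computed: it only checks that the submitted value matches what it issued for that session and has not been used.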



