Re: [ReturnRaw] and hiding FORM data

This WebDNA talk-list message is from 2003.
Clayton,

WebDNA code like [WebDNA] is parsed correctly for variables or for return items in a [founditems]. It is not the [WebDNA] code I'm worried about, but the form or database field names. The data returned from parsing is only for 1 record. By hiding the form data in a [ReturnRaw] you get nothing shown in the original page source or the result page or URL for the search.

Take a look at my example form here:

This is the same as a URL link:
/Results.tpl$search?db=test.db&var1=1&var2=2&var3=3

Sample [WebDNA]:
[var1] = Hello
[var2] = World
[var3] = Private

If I was using [WebDNA] with the sample FORM, the code would look like:

would look like this in the HTML source:

This is the same as a URL link:
/Results.tpl$search?db=test.db&var1=Hello&var2=World&var3=Private

From here people can see that you are using a database 'test.db' and that there are fields you can do a search on called 'var1', 'var2', 'var3', so anyone who knows WebDNA can generate a URL to do this:
/Results.tpl$search?db=test.db&gevar3=0&var3sort=1&var3sdir=as

You can get this information from the form data in ANY HTML page! Just go to a web page that has a form, then from the menu select View Source: the form data is shown.

Now these are just examples of what can be done. I do not want criticism on the example FORM. I just want to use [ReturnRaw] to pass FORM data just like a normal form would... but all the DATA is invisible, as the [ReturnRaw] is a WebDNA parsed result, not some sort of link like a FORM on a page you can view the source of.

-- 
Regards,
Marko
------------------------------------------------------------------
Marko Bernyk - Senior System Engineer
mailto:marko@conexus.com.au  http://www.conexus.com.au
Technical Services, Conexus Pty Ltd, Sydney, Australia
Ph 02 9975 2799 Fax 02 9975 2799          :)
------------------------------------------------------------------

On Thursday, 16 January 2003 3:31 PM, Clayton Randall wrote:
>If the code is webcat code, and the webdna processor properly parses
>the file, there is no source shown to the browser, it is just a plain
>webpage.
>
>On Wednesday, January 15, 2003, at 11:28 PM, Marko Bernyk wrote:
>
>> Thanks Tim...
>>
>> But it still does not satisfy my request in part 2)
>>
>>>> By using a [ReturnRaw] command you can hide all search commands in a page
>>>> that:
>>>> 1) never shows the commands in a URL,
>>>> 2) is never part of the referer page source
>>>> and best of all
>>>> 3) nobody can ever see the search code as the page that contains the code is a
>>>> [ReturnRaw] page and will always be processed as a web page and never have any
>>>> source.
>>
>> The FORM data is still part of the referer page, ie: the page you click on to do the search.
>>
>> By using [ReturnRaw] I would not have ANY data showing on any page's source or URL!
>> This increases security of data against hackers using your search code to get
>> information out of databases they should not have access to.
>> eg: Normal users vs members, or different levels of Admin rights to a database.
>> This also would mean that certain databases do not have to be duplicated if 90%
>> of the data is the same.
>>
>> -- 
>> Regards,
>> Marko
>> ------------------------------------------------------------------
>> Marko Bernyk - Senior System Engineer
>> mailto:marko@conexus.com.au  http://www.conexus.com.au
>> Technical Services, Conexus Pty Ltd, Sydney, Australia
>> Ph 02 9975 2799 Fax 02 9975 2799          :)
>> ------------------------------------------------------------------
>>
>> On Thursday, 16 January 2003 12:31 PM, Tim Robinson wrote:
>>> Just have the [search] context and db value on the results.tpl page.
>>>
>>> On page results.tpl:
>>>
>>> [search db=test.db&etc]
>>> [founditems]
>>> stuff
>>> [/founditems]
>>> [/search]
>>>
>>> The form post will not have any other values in the URL.
>>>
>>> Regards,
>>> Tim
>>> -- 
>>> Tim Robinson
>>> IDFK Web Developments
>>> tim@idfk.com.au
>>> 114a/40 Yeo Street
>>> Neutral Bay 2089
>>> Australia
>>> Phone +612 9908 2134
>>> Fax +612 9908 4837
>>>
>>>> From: Marko Bernyk
>>>> Reply-To: (WebCatalog Talk)
>>>> Date: 16 Jan 2003 12:20:35 +1100
>>>> To: (WebCatalog Talk)
>>>> Subject: [ReturnRaw] and hiding FORM data
>>>>
>>>> What I want to do is perform a [ReturnRaw] command that will perform exactly
>>>> as pressing a Submit button on a form. Including the new page URL not
>>>> containing the search data!
>>>>
>>>> eg: here is an example form
>>>>
>>>> Now you can also use the full URL to get the same search result as the FORM:
>>>> http://192.168.1.1/Results.tpl$search?db=test.db&var1=1&var2=2&var3=3
>>>>
>>>> but the FORM has the added advantage of hiding the data in the search request.
>>>> The FORM opens up a result page and it just displays
>>>> http://192.168.1.1/Results.tpl$search as the URL.
>>>>
>>>> So now you know the result I want, here is the reason:
>>>> By putting the search query in a FORM you can hide the result page search
>>>> data - but the data is still in the HTML code of the referrer page as FORM
>>>> syntax - anyone can read this as source.
>>>>
>>>> By using a [ReturnRaw] command you can hide all search commands in a page
>>>> that:
>>>> 1) never shows the commands in a URL,
>>>> 2) is never part of the referer page source
>>>> and best of all
>>>> 3) nobody can ever see the search code as the page that contains the code is a
>>>> [ReturnRaw] page and will always be processed as a web page and never have any
>>>> source.
>>>>
>>>> So my test of [ReturnRaw] is this:
>>>> (Note Mac users need to save the file as DOS style text, as DOS carriage
>>>> returns are needed for this to work)
>>>>
>>>> [returnraw]HTTP/1.0 302 Found
>>>> Location: /Results.tpl$search?db=catalog.db&var1=1&var2=2&var3=3
>>>>
>>>> [/returnraw]
>>>>
>>>> From what I can gather [ReturnRaw] is a redirect result (using code 302)
>>>> forcing the browser to jump to the link in 'Location:'. It is not a request
>>>> for a URL!
>>>>
>>>> I determined this using EtherPeek and looking up the w3.org file
>>>> http://www.ietf.org/rfc/rfc2616.txt - Page 135 Section 14.30
>>>> My EtherPeek packet result for the FORM being processed is:
>>>> Command: POST
>>>> URI: /Results.tpl$search
>>>> Version: HTTP/1.1
>>>> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
>>>> Referer: http://192.168.1.1/test.tpl
>>>> Accept-Language: en-au
>>>> Content-Type: application/x-www-form-urlencoded
>>>> Accept-Encoding: gzip, deflate
>>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
>>>> Host: brains.conexus.com.au
>>>> Content-Length: 45
>>>> Connection: Keep-Alive
>>>> Cache-Control: no-cache
>>>>
>>>> Line 1: db=test.db&var1=1&var2=2&var3=3&Submit=Submit
>>>>
>>>> --END--
>>>>
>>>> How would you code a [ReturnRaw] for the FORM above to get a result page with
>>>> NO search data in the URL?
>>>> What other commands can be used in the [ReturnRaw]?
>>>>
>>>> -- 
>>>> Regards,
>>>> Marko
>>>> ------------------------------------------------------------------
>>>> Marko Bernyk - Senior System Engineer
>>>> mailto:marko@conexus.com.au  http://www.conexus.com.au
>>>> Technical Services, Conexus Pty Ltd, Sydney, Australia
>>>> Ph 02 9975 2799 Fax 02 9975 2799          :)
>>>> ------------------------------------------------------------------

-------------------------------------------------------------
This message is sent to you because you are subscribed to
the mailing list .
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
Web Archive of this list is at: http://webdna.smithmicro.com/
-------------------------------------------------------------

Associated Messages, from the most recent to the oldest:

    
  1. Re: [ReturnRaw] and hiding FORM data (Kenneth Grome 2003)
  2. Re: [ReturnRaw] and hiding FORM data (Kenneth Grome 2003)
  3. Re: [ReturnRaw] and hiding FORM data (Kenneth Grome 2003)
  4. Re: [ReturnRaw] and hiding FORM data (Kenneth Grome 2003)
  5. Re: [ReturnRaw] and hiding FORM data (Kenneth Grome 2003)
  6. Re: [ReturnRaw] and hiding FORM data (Marko Bernyk 2003)
  7. Re: [ReturnRaw] and hiding FORM data (Tim Robinson 2003)
  8. Re: [ReturnRaw] and hiding FORM data (Marko Bernyk 2003)
  9. Re: [ReturnRaw] and hiding FORM data (Marko Bernyk 2003)
  10. Re: [ReturnRaw] and hiding FORM data (Clayton Randall 2003)
  11. Re: [ReturnRaw] and hiding FORM data (Marko Bernyk 2003)
  12. Re: [ReturnRaw] and hiding FORM data (Tim Robinson 2003)
  13. [ReturnRaw] and hiding FORM data (Marko Bernyk 2003)
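The two result-page designs discussed in this thread, modelled as an added Python example (illustration written for this page, not WebDNA code from the list or the product). Design 1 is what both the HTML form and the 302 `Location:` redirect do: the client supplies `db` and every search field, so the crafted URL Marko shows (`db=test.db&gevar3=0&var3sort=1&var3sdir=as`) is honoured no matter how well the form is hidden from view-source. Design 2 is Tim's suggestion: the database and the searchable fields live in results.tpl and client input is reduced to an allowlist. The names test.db and var1..var3 and the crafted URL come from the message; the meaning given to `ge<field>`, `<field>sort` and `<field>sdir`, the extra members.db database and all records are assumed sample data.

```python
"""Model of the two result-page designs in the [ReturnRaw] thread.

Added illustration in Python, not WebDNA code.  test.db, var1..var3 and the
crafted URL come from the message; the loose semantics of ge<field>,
<field>sort and <field>sdir, the members.db database and every record are
assumed sample data constructed for this example.
"""
from urllib.parse import parse_qs

# Constructed sample data: two databases the server can open.  var3 is the
# column the message labels 'Private'.
DATABASES = {
    "test.db": [
        {"var1": "Hello", "var2": "World", "var3": "Private"},
        {"var1": "Foo", "var2": "Bar", "var3": "Secret"},
    ],
    "members.db": [
        {"var1": "Alice", "var2": "Smith", "var3": "alice@example.invalid"},
    ],
}


def run_search(db_name, params):
    """Loose model of a search over one database.

    params maps query keys to value lists (the parse_qs shape).
    'field=value' is an exact match, 'gefield=value' keeps records whose
    field >= value (string comparison), 'fieldsort=1' sorts by that field
    and 'fieldsdir=as|de' picks the direction.  Keys naming fields the
    database does not have are ignored; no usable criterion means no rows.
    """
    records = DATABASES.get(db_name, [])
    known = set().union(*(r.keys() for r in records))
    criteria = []  # (field, op, value)
    sort_field, ascending = None, True
    for key, values in params.items():
        value = values[-1]
        if key.endswith("sort") and key[:-4] in known:
            sort_field = key[:-4]
        elif key.endswith("sdir"):
            ascending = value.lower() != "de"
        elif key.startswith("ge") and key[2:] in known:
            criteria.append((key[2:], "ge", value))
        elif key in known:
            criteria.append((key, "eq", value))
    if not criteria:
        return []

    def matches(rec):
        return all(
            (rec[f] == v) if op == "eq" else (rec[f] >= v)
            for f, op, v in criteria
        )

    found = [r for r in records if matches(r)]
    if sort_field:
        found.sort(key=lambda r: r[sort_field], reverse=not ascending)
    return found


def passthrough_results(query_string):
    """Design 1: the client names the database and every search field.

    This is what the HTML form and the 302 'Location:' URL in the thread
    both do.  Whether or not the form is visible in page source, anyone who
    can type a URL chooses db, fields, operators and sort order.
    """
    params = parse_qs(query_string)
    db_name = params.pop("db", [""])[0]
    return run_search(db_name, params)


# Design 2 (Tim's '[search db=test.db&etc]' on results.tpl): the database
# and the searchable fields are fixed server-side; the client never picks them.
FIXED_DB = "test.db"
ALLOWED_FIELDS = {"var1", "var2"}  # var3 is never searchable from a form


def fixed_results(query_string):
    """Keep only exact-match criteria on allowlisted fields; drop db,
    ge*/sort/sdir keys and anything else the client sends."""
    params = parse_qs(query_string)
    safe = {k: v for k, v in params.items() if k in ALLOWED_FIELDS}
    return run_search(FIXED_DB, safe)


if __name__ == "__main__":
    crafted = "db=test.db&gevar3=0&var3sort=1&var3sdir=as"
    print("passthrough:", passthrough_results(crafted))  # both records, by var3
    print("fixed:", fixed_results(crafted))              # []
    print("fixed, legitimate:", fixed_results("var1=Hello"))
```

Run stand-alone it prints the dumped records for the crafted URL under design 1 and an empty result under design 2, while a legitimate `var1=Hello` query still works. The point the model makes concrete is that the exposure in design 1 lives in what the server accepts, not in what the page source shows, so moving the form into a [ReturnRaw] redirect relocates the parameters without removing them; pinning `db` and the field allowlist in the template does.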
