Re: [ReturnRaw] and hiding FORM data

This WebDNA talk-list message is from 2003.
There is no way they can know where the DB is because it's coded into the next page in the [search] context.

Can YOU get a search to work using Results.tpl$search?db=test.db&var1=1&var2=2&var3=3 when there's also a search context on the results.tpl page?

Regards,
Tim
--
Tim Robinson
IDFK Web Developments
tim@idfk.com.au
114a/40 Yeo Street
Neutral Bay 2089
Australia
Phone +612 9908 2134
Fax +612 9908 4837

> From: Marko Bernyk
> Reply-To: (WebCatalog Talk)
> Date: 16 Jan 2003 16:22:19 +1100
> To: (WebCatalog Talk)
> Subject: Re: [ReturnRaw] and hiding FORM data
>
> Clayton,
>
> WebDNA code like [WebDNA] is parsed correctly for variables or for return items in a [founditems].
>
> It is not the [WebDNA] code I'm worried about, but the form or database field names. The data returned from parsing is only for 1 record. By hiding the form data in a [ReturnRaw] you get nothing shown in the original page source or the result page or URL for the search.
>
> Take a look at my example form here:
>
>
> this is the same as a url link: /Results.tpl$search?db=test.db&var1=1&var2=2&var3=3
>
> sample [WebDNA]: [var1] = Hello [var2] = World [var3] = Private
>
> If I was using [WebDNA] with the sample FORM, the code would look like:
>
>
> and would look like this in the HTML source:
>
>
> this is the same as a url link: /Results.tpl$search?db=test.db&var1=Hello&var2=World&var3=Private
>
> from here people can see that you are using a database 'test.db' and there are fields you can do a search on called 'var1', 'var2', 'var3'
>
> so anyone who knows WebDNA can generate a url to do this: /Results.tpl$search?db=test.db&gevar3=0&var3sort=1&var3sdir=as
>
> You can get this information from the Form Data in ANY html page! Just go to a web page that has a form, then from the menu select view source - form data is shown.
>
> Now these are just examples of what can be done. I do not want criticism on the example FORM.
>
> I just want to use [ReturnRaw] to pass FORM Data just like a normal form would... but all the DATA is invisible as the [ReturnRaw] is a WebDNA parsed result, not some sort of link like a FORM on a page you can view the source of.
>
> --
> Regards,
> Marko
> ------------------------------------------------------------------
> Marko Bernyk - Senior System Engineer
> mailto:marko@conexus.com.au  http://www.conexus.com.au
> Technical Services, Conexus Pty Ltd, Sydney, Australia
> Ph 02 9975 2799 Fax 02 9975 2799          :)
> ------------------------------------------------------------------
>
> On Thursday, 16 January 2003 3:31 PM, Clayton Randall wrote:
>> If the code is webcat code, and the webdna processor properly parses the file, there is no source shown to the browser, it is just a plain webpage.
>>
>> On Wednesday, January 15, 2003, at 11:28 PM, Marko Bernyk wrote:
>>
>>> Thanks Tim...
>>>
>>> But it still does not satisfy my request in part 2)
>>>
>>>>> By using a [ReturnRaw] command you can hide all search commands in a page that:
>>>>> 1) never shows the commands in a URL,
>>>>> 2) is never part of the referrer page source
>>>>> and best of all
>>>>> 3) nobody can ever see the search code as the page that contains the code is a [ReturnRaw] page and will always be processed as a web page and never have any source.
>>>
>>> The FORM data is still part of the referrer page ie: the page you click on to do the search.
>>>
>>> By using [ReturnRaw] I would not have ANY data showing on any page's source or URL! This increases security against data hackers using your search code to get information out of databases they should not have access to. eg: Normal users vs members, or different levels of Admin rights to a database. This also would mean that certain databases do not have to be duplicated if 90% of the data is the same.
>>>
>>> --
>>> Regards,
>>> Marko
>>> ------------------------------------------------------------------
>>> Marko Bernyk - Senior System Engineer
>>> mailto:marko@conexus.com.au  http://www.conexus.com.au
>>> Technical Services, Conexus Pty Ltd, Sydney, Australia
>>> Ph 02 9975 2799 Fax 02 9975 2799          :)
>>> ------------------------------------------------------------------
>>>
>>> On Thursday, 16 January 2003 12:31 PM, Tim Robinson wrote:
>>>> Just have the [search] context and db value on the results.tpl page.
>>>>
>>>>
>>>> On page results.tpl:
>>>>
>>>> [search db=test.db&etc]
>>>> [founditems]
>>>> stuff
>>>> [/founditems]
>>>> [/search]
>>>>
>>>> The form post will not have any other values in the URL.
>>>>
>>>> Regards,
>>>> Tim
>>>> --
>>>> Tim Robinson
>>>> IDFK Web Developments
>>>> tim@idfk.com.au
>>>> 114a/40 Yeo Street
>>>> Neutral Bay 2089
>>>> Australia
>>>> Phone +612 9908 2134
>>>> Fax +612 9908 4837
>>>>
>>>>> From: Marko Bernyk
>>>>> Reply-To: (WebCatalog Talk)
>>>>> Date: 16 Jan 2003 12:20:35 +1100
>>>>> To: (WebCatalog Talk)
>>>>> Subject: [ReturnRaw] and hiding FORM data
>>>>>
>>>>> What I want to do is perform a [ReturnRaw] command that will perform exactly as pressing a Submit button on a form. Including the new page url not containing the search data!
>>>>>
>>>>> eg: here is an example form
>>>>>
>>>>>
>>>>> Now you can also use the full url to get the same search result as the FORM: http://192.168.1.1/Results.tpl$search?db=test.db&vat1=1&var2=2&var3=3
>>>>>
>>>>> but the FORM has the added advantage of hiding the data in the search request. The FORM opens up a result page and it just displays http://192.168.1.1/Results.tpl$search as the url.
>>>>>
>>>>> So now you know the result I want, here is the reason: By putting the Search query in a FORM you can hide the result page search Data - but the data is still in the HTML code of the referrer page as FORM syntax - anyone can read this as source.
>>>>>
>>>>> By using a [ReturnRaw] command you can hide all search commands in a page that:
>>>>> 1) never shows the commands in a URL,
>>>>> 2) is never part of the referrer page source
>>>>> and best of all
>>>>> 3) nobody can ever see the search code as the page that contains the code is a [ReturnRaw] page and will always be processed as a web page and never have any source.
>>>>>
>>>>> So my Test of [ReturnRaw] is this:
>>>>> (Note Mac users need to save the file as DOS style text, as DOS carriage returns are needed for this to work)
>>>>>
>>>>> [returnraw]HTTP/1.0 302 Found
>>>>> Location: /Results.tpl$search?db=catalog.db&var1=1&var2=2&var3=3
>>>>>
>>>>> [/returnraw]
>>>>>
>>>>> From what I can gather [ReturnRaw] is a redirect result (using Code 302) forcing the browser to jump to the link in 'Location:'. It is not a request for a url!
>>>>>
>>>>> I determined this using Etherpeek and looking up w3.org file http://www.ietf.org/rfc/rfc2616.txt - Page 135 Section 14.30
>>>>> My EtherPeek packet result for the FORM being processed is:
>>>>> Command: POST
>>>>> URI: /Results.tpl$search
>>>>> Version: HTTP/1.1
>>>>> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
>>>>> Referer: http://192.168.1.1/test.tpl
>>>>> Accept-Language: en-au
>>>>> Content-Type: application/x-www-form-urlencoded
>>>>> Accept-Encoding: gzip, deflate
>>>>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
>>>>> Host: brains.conexus.com.au
>>>>> Content-Length: 45
>>>>> Connection: Keep-Alive
>>>>> Cache-Control: no-cache
>>>>>
>>>>> Line 1: db=test.db&var1=1&var2=2&var3=3&Submit=Submit
>>>>>
>>>>> --END--
>>>>>
>>>>> How would you code a [ReturnRaw] for the FORM above to get a result page with NO search data in the URL?
>>>>> What other commands can be used in the [ReturnRaw]?
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Marko
>>>>> ------------------------------------------------------------------
>>>>> Marko Bernyk - Senior System Engineer
>>>>> mailto:marko@conexus.com.au  http://www.conexus.com.au
>>>>> Technical Services, Conexus Pty Ltd, Sydney, Australia
>>>>> Ph 02 9975 2799 Fax 02 9975 2799          :)
>>>>> ------------------------------------------------------------------

-------------------------------------------------------------
This message is sent to you because you are subscribed to
the mailing list .
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to

Web Archive of this list is at: http://webdna.smithmicro.com/
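The thread above turns on two points: a [returnraw] 302 puts the search data straight back into the Location URL (so it hides nothing), and hiding a form from the page source does not stop anyone from sending the same parameters by hand, which is why Tim's advice is to fix the database name in the [search] context on results.tpl rather than accept it from the request. The following Python is an added example, not code from the thread or from WebDNA: it models the raw 302 response with the CRLF line endings the original poster mentions, a handler that trusts a client-supplied db name and field list, and a handler that follows Tim's pattern (server-side db, allow-listed fields). The database contents, the helper names, and the ALLOWED_FIELDS set are all constructed for the example.

```python
"""Added example (not from the WebDNA talk-list thread): why a redirect
cannot hide search parameters, and why fixing the db server-side can."""
from urllib.parse import parse_qs, urlencode

# Constructed sample data standing in for two WebDNA .db files.
DATABASES = {
    "test.db": [
        {"var1": "Hello", "var2": "World", "var3": "Private"},
        {"var1": "Hi", "var2": "There", "var3": "Public"},
    ],
    "members.db": [
        {"var1": "alice", "var2": "admin", "var3": "secret-token"},
    ],
}

# Hypothetical policy: only these fields may be searched from the public form.
ALLOWED_FIELDS = {"var1", "var2"}


def returnraw_redirect(params):
    """Emulate the [returnraw] 302 the original poster tried. Header lines
    end in CRLF (the 'DOS carriage returns' the post says are required);
    the search data lands in the Location URL, visible to the browser."""
    location = "/Results.tpl$search?" + urlencode(params)
    return "HTTP/1.0 302 Found\r\nLocation: " + location + "\r\n\r\n"


def location_of(raw_response):
    """Parse the Location header out of a raw HTTP response, as a browser
    would, to show exactly what ends up in the address bar."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def _params(query):
    # parse_qs gives lists; keep the first value of each name.
    return {k: v[0] for k, v in parse_qs(query).items()}


def search_db_from_client(query):
    """The pattern the thread worries about: db name and criteria come from
    the request. Whether or not the form is visible in the page source,
    any database name the server will open can be supplied here."""
    q = _params(query)
    db = q.pop("db", None)
    records = DATABASES.get(db, [])
    return [r for r in records if all(r.get(k) == v for k, v in q.items())]


def search_db_fixed(query, db="test.db"):
    """Tim's recommendation modelled: the db name lives in the results page
    (the default argument here), and only allow-listed fields are honoured.
    Returns (hits, names_ignored) so the caller can log dropped parameters."""
    q = _params(query)
    ignored = sorted(k for k in q if k not in ALLOWED_FIELDS)
    criteria = {k: v for k, v in q.items() if k in ALLOWED_FIELDS}
    hits = [r for r in DATABASES[db]
            if all(r.get(k) == v for k, v in criteria.items())]
    return hits, ignored


if __name__ == "__main__":
    raw = returnraw_redirect({"db": "test.db", "var1": "1"})
    print("browser is sent to:", location_of(raw))
    print("client-chosen db:  ", search_db_from_client("db=members.db"))
    print("fixed db:          ", search_db_fixed("db=members.db&var1=Hello&var3=Private"))
```

Running the module shows the redirect target carrying `db=test.db&var1=1`, the client-trusting handler returning the members.db record because the request named that file, and the fixed handler returning only the matching test.db record while reporting `db` and `var3` as ignored parameters.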