Clarifying POST-ing to a site - post

Say I were to post to a site using www.mysite.com?user=myuser does that simulate the submit button that is associated with that form? If so, what happens if there are a number of submit buttons in the form?
Also, if that button's html is like so <input name="button" class="button" type="button" value="Save" onclick="javascript: submit()" disabled> with the "disabled" attribute, does that mean I can't POST www.mysite.com?user=myuser/won't work?
<form name="Form" method="post" action="/thisAction.do">
<input type="text" name="inquiryNo" maxlength="11" value="" onkeyup="javascript: checkNo()">
<input name="buttonInquire" class="button" value="Inquire" onclick="javascript: submitInquire()" type="button">
<!--Then comes a number of other inputs-->
<input.../>
<input.../>
<input.../>
<input name="modify" class="button" type="button" value="Save"
onclick="javascript: submitModify()" disabled>
</form>
This is some sample code as it's work stuff which I am not allowed to share. So when I use the inquire action a new account successfully loads up and the details are presented on the page. The modify action is meant to 'modify' those details but it just returns the same details displayed on the page. I get no sort of feedback from anything.

You can POST to a URL with a query string (the stuff after the ?), and since you say you're using urllib2 with a data argument, that's what happens. The server can then read both the POST data and the query string and do whatever it wants, though most of the time they're merged together or the query string is ignored entirely.
disabled only stops you from clicking the button in the browser (and even then, you can just un-disable it with a tool like Firebug). You can POST whatever you want to any URL you want; HTML can't stop you, though the server can still give you an error if it wants.
I think your problem is that "inquire" is the default action, and something's wrong with your POST. So no matter what you send, the server isn't recognizing it and is falling back to "inquire".
It looks like the form is intended to send modify=Save. Can you post the Python code you're actually running?

No, what you actually typed in is a GET method.
There are 2 ways of submitting data: POST AND GET.
Post is by submitting data by using a form in a webpage that posts to another on the background, while GET is setting the data in the url itself like user=myuser.
Most of the times using a GET method (url query string) will not work if the web programmer actually is checking for a POST method. The same happens if the programmer is waiting for a GET request and you actually POST it.
However there is a php var called REQUEST which will work with GET and POST.
I'm no professional in PHP but because you had no answers at the moment I tried my best to explain it. Hopefully some expert will come along and explain it properly.
You edited your question while I was replying so you need someone to answer you on your second question.

Related

The action path of a form in Rails

The explanation below is big, but the question is really simple.
I'm doing a simple form project in https://www.theodinproject.com/paths/full-stack-ruby-on-rails/courses/ruby-on-rails/lessons/forms.
The first part where I am, I need to build a form manually - so that I can see how Rails does a lot for me when I use its helper methods.
I'm stuck in this point:
Specify the method and the action attributes in your tag (use $ rails routes to see which HTTP method and path are being expected based on the resource you created).
The routes.rb file looks like this:
resources :users, only: [:create, :new]
I don't know how to determine which method should I use for the form - post or get.
I don't know how to determine which action path I should use.
I've gone into the internet, Rails guides and etc, and have solved the other topics so far, but for this one I can't get through it.
My form so far:
<form action='/create' method="post" accept-charset="UTF-8">
<label for="username"></label>
<input type="text" id="username" name="username"><br>
<label for="email"></label>
<input type="text" id="email" name="email"><br>
<label for="password"></label>
<input type="text" id="password" name="password"><br>
<input type="submit" id="submit" value="Submit" >
</form>
Once I run it in the server and then submit the form - which I did - I should get:
"Submit your form and view the server output. Oops, we don’t have the right CSRF authenticity token (ActionController::InvalidAuthenticityToken) to protect against cross site scripting attacks and form hijacking. If you do not get an error, you used the wrong method from step 1."
Yes, Rails is smart) When u are sending the request to your server, Rails must know from where this request is coming. In short, if your form sending the CSRF token then Rails understand that u send this request, otherwise someone else on your behalf (CSRF attack).
To fix this bug u need to set <%= form_authenticity_token %> in your .erb view. It will generate this input that is below
<input type="hidden" name="authenticity_token" value="your_token_generate_by_rails">
Or for your testing purposes, u can use this in your controller which is processing your request. But never use it in future if you are don't know what are u doing)
skip_before_action :verify_authenticity_token
Hi there fellow Odin student!
It looks like you're doing this lesson. Me too!
It sounds like you're asking about what value to use with action attribute in the form.
When I created a form using the Rails formHelper methods, I inspected the HTML that Rails created when I was previewing the app/website (rails s). By opening up the Developer tools (F12 key, or right click the mouse and choose inspect)I was able to see that the form Rails created had an action equal to the name of the resource, with a forward slash in front of it.
So for your example, the resource created is "users". So the action attribute would be /users
to be complete, the solution would be something like: <form action="/users"...
Hope this helps!

How rewrite URL?

I'm making a single web app.
I have a form with a POST method and an action value equal to "/login".
<form action="/login" method="POST">
<label for="mail">Email</label><input name="log" id="mail" type="text">
<label for="pass">Pass</label><input name="pass" id="pass" type="text">
<input type="submit">
When the submit button is press, server get the form, then return to the index page.
But, in the address bar, I have "local:5050/login" and would have "local:5050".
Can I remove the "login" mention ?
Since you are making a SPA, you will not want to have the POST method of the form actually complete. Generally this is done in dart by attaching a listener on the form element, within that listener you would then do a couple of things:
1) Cancel the default action (Also see: How do I prevent an on.submit event from changing/reloading the page?)
2) Get the values you're interested in from the form (or potentially take the entire form itself)
3) Send the values via an AJAX request to the server and listen for the response from the server to verify it was valid etc.
See the Dart tutorials on forms for more information on accomplishing the other steps.

Refactoring HTML Markup from POST to GET

I have the following mark up in an ASP.NET MVC view (this is a Twitter Bootstrap search box):
<form action="#Url.Action("Results", "Search")" method="post">
<input type="text" class="search-query" id="SearchTerm" name="SearchTerm" />
</form>
This code works as expected, but using a post here is causing problems.
How can I change this markup to pass the search query as a URL argument instead? I'm not really sure how to even approach this short of keeping the existing markup and then redirecting from the controller. I'm thinking there must be a more efficient way than that.
You should be able to change method="post" to method="get" and get the desired result. The form, with a get method setting, pushes the fields in the form to the querystring by its default behavior.
As a workaround, if the default behavior doesn't suit you, you could catch the submit event of the form, and do:
window.location = form.action + "?SearchTerm=" + document.getElementById("SearchTerm").value
Something like that, where form is a reference to the form element. You can build the link and redirect using javascript, which is a get request.

Users requesting GET when my form method is POST

I'm seeing an intermittent problem on our web site. Some users are trying to submit forms via GET when my form method is POST. The errors always come from IE users. I have noticed a few UA strings have a reference to "yie8," which I am assuming is Yahoo's IE8 package. I think the Yahoo! toolbar might have something against me, but I can't replicate the problem on IE7 with the toolbar installed. The problem happens not only on this form, but various others, many of which are submitted via Ajax using the jQuery form plugin load() function with an object parameter passed. This example isn't one of those.
A simple fix would be to just take out all of my AcceptVerb() attributes, but that would be totally lame. Anyone ever come across something like this or have any ideas with dealing with it?
Here's an example exception log entry.
We've got a Web problem! Exception thrown:
http://my.web.site/User.mvc/ResetPassword
Method: GET
User: <not logged in>
UserAgent: IE 7 (Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1;.NET CLR 1.1.4322;.NET CLR 2.0.50727;.NET CLR 3.0.04506.30))
Exception: System.Web.HttpException
Message: A public action method 'ResetPassword' could not be found on controller 'MyApp.Controllers.UserController'.
Here's the HTML as it is rendered to the browser.
<form action="/User.mvc/ResetPassword" class="standard-form small-form" method="post">
<fieldset>
<div class="row">
<label for="usernameTextBox">User Name</label>
<input type="text" name="username" id="usernameTextBox" />
</div>
<div class="row">
<label for="emailTextBox">Email Address</label>
<input type="text" name="email" id="emailTextBox" />
</div>
<div class="row">
<label> </label>
<input type="submit" value="Reset Password" />
</div>
</fieldset>
</form>
And here's the signature of my ResetPassword action.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult ResetPassword(string username, string email)
(and yes, the email address is required to match the one we have on file)
Possibly an answer raising more questions than actual answers, but in the spirit of trying to help...
On the GET calls, are "username" and "email" querystring parameters actually supplied? (your IIS log file may be recording query strings, so check there). If so, then the answer of Ben S may well apply.
If your web site is internet facing, then these calls may just be spiders not playing nicely.
If your site is internal, I'd suspect a user is playing with "refresh".
Have you tracked the client IP addresses which raise these errors?
I don't think you can do anything about this. Some browser plug-ins/toolbars have a feature which allows changing forms from GET -> POST and vice-versa.
If your users are doing this, there isn't really anything you can do.
When website visitors misbehave like this, you have to ask yourself, "What are the chances this is a legitimate misunderstanding?" In my opinion, using the wrong HTTP method is not something a browser does because it's old or buggy or whatever. It's an invalid request, so send 'em a 405 and be done with it.
(I have heard of some browsers and plugins trying to 'preload' pages that are reachable from the current page, but it's a lame 'feature'. My answer is still to treat it as an invalid request.)
I'd say it isn't really your problem. You design your site to work as intended, you put your GET/POST restrictions on your methods (for security or other reasons).
If the user tries to get around your security with some advanced tools/plugins (such as GET/POST switches) it's not your concern. You might want, however, to add some custom error pages to handle those scenarios and warn the user accordingly.

Insert cakephp POST params into URL

I have this form below which contains two checkboxes to sort some products:
<form id="FiltreExtraForm" action="" method="post" name="FiltreExtraForm">
<input id="ProductsDeliveryPrice" type="checkbox" value="1" name="data[Products][delivery_price]"/>
<input id="ProductsPicture" type="checkbox" value="1" name="data[Products][picture]"/>
</form>
After POST I do the filtering but I also want to add received parameters to URL E.g: /products/index/delivery_price:1/picture:0 . Is this possible. How can I do that?
Note: I don't want to use GET to send form info.
Sounds like you are looking to do a Post/Redirect/Get.
Here are two examples of doing this in CakePHP:
Searching on surname
Searching on multiple fields
The two main advantages of redirecting a POST to a GET request are:
Users don't get the "Do you want to resubmit?" dialog if they refresh
The resulting page/query can be bookmarked
In the action to which you post, you could simply prepare the GET url and then redirect to this url. The action for that url then does the filtering.
If I understand you correctly (and I'm not sure that I do), you can pass additional variables on the query string of the form's action quite easily. Conventionally, that might look like this:
<form id="FiltreExtraForm" action="/products/index?delivery_price=1&picture=0" method="post" name="FiltreExtraForm">
Using Cake, you should be able to do the same without the traditional query string if you'd rather (though the traditional method above will also work):
<form id="FiltreExtraForm" action="/products/index/delivery_price:1/picture:0" method="post" name="FiltreExtraForm">
I would recommend looking at the form helper or at least constructing the action URI using helpers, but this should get you what you're after.

Resources