Detecting a form's POST

 
 
MDW
Guest
Posts: n/a
 
      07-07-2003
Say I've got a page - myPage.asp - that expects to see the
results of a form's POST operation. If it comes from the
form, all is fine.

However, if someone were to manually type the address in
the address bar - http://www.mysite.com/myPage.asp - I'd
like to be able to detect that they're trying to
circumvent the form and redirect them to the appropriate
page using Response.Redirect().

What's the best way to tell whether a page is coming as
the result of a POST operation?
 
 
 
 
 
Ray at
Guest
Posts: n/a
 
      07-07-2003
Request.ServerVariables("REQUEST_METHOD") will tell you if it was posted or
getted (?). But, I can make C:\PathOnMyComputer\page.htm with:

<form method="post" action="http://www.yoursite.com/yourpage.asp"> and post
to it.

Ray at work
 
 
 
 
MDW
Guest
Posts: n/a
 
      07-07-2003
Hmmmm....

What about something like this:

strID = Request.Form("ImportantValueWithoutWhichPageWouldntWork")

If strID = "" Then
    Response.Redirect("useTheFormYouDope.asp")
End If



 
Randy R
Guest
Posts: n/a
 
      07-07-2003
> What's the best way to tell whether a page is coming as
> the result of a POST operation?


What about setting a session variable on the page where the form is and
checking if that session variable is valid on the next page? If it's not,
then you can redirect them back to the form.


 
 
Ray at
Guest
Posts: n/a
 
      07-07-2003
That would work, but, I could put <input
value="ImportantValueWithoutWhichPageWouldntWork"> in my form as well. Have
you seen those "validation ticket" things on websites where you have to
enter a string of characters into a textbox on the form from reading an
image that contains the string of characters? IE, go to www.godaddy.com,
look up a domain that is taken, and then do a whois. You have to enter a
ticket number. I think you'd have to do something like that to be 100% sure
that the person is submitting from your form.

You could also use cookies or sessions to be 99% sure.

Also, you could write a cookie on the page with your form that is a random
string and another one with an ID and also store that value in a DB,
temporarily. Then, when the form is submitted, you could look up the cookie
ID in the database and see if the random string matches from the DB and the
other cookie that the client sent.

Ray at work
 
MDW
Guest
Posts: n/a
 
      07-07-2003
Yeah, I could do that. But in all honesty.... *L* If
someone is trying to fool my site like that, they must be
REALLY bored.

Thx for the ideas. I'll play around, probably do some
combination of them. Just trying to idiot-proof my site.


 
Ray at
Guest
Posts: n/a
 
      07-07-2003
Yeah, I mean, if you think about it, what harm can be done? They still can
only submit what your site will accept. Just control field lengths and
things on the server instead of relying on things like "maxlength" in the
inputs, and everything should be okay.

Ray at work
 
Evertjan.
Guest
Posts: n/a
 
      07-07-2003
MDW wrote on 07 jul 2003 in microsoft.public.inetserver.asp.general:

> Hmmmm....
>
> What about something like this:
>
> strID = Request.Form("ImportantValueWithoutWhichPageWouldntWork")
>
> If strID = "" Then
>     Response.Redirect("useTheFormYouDope.asp")
> End If
>


I would add a test of Request.ServerVariables("HTTP_REFERER") [yes, I know
this sometimes fails] to ascertain that the posting page was mine.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
 
 
Mosley
Guest
Posts: n/a
 
      07-07-2003

"MDW" <(E-Mail Removed)> wrote in message
news:01d701c3449f$a9fd3b60$(E-Mail Removed)...
> Yeah, I could do that. But in all honesty.... *L* If
> someone is trying to fool my site like that, they must be
> REALLY bored.



Why don't you use Ray's idea,
Request.ServerVariables("REQUEST_METHOD"),
with
Request.ServerVariables("HTTP_REFERER")
as well?

That will tell you the method used and what page it came from.


 
Dave Anderson
Guest
Posts: n/a
 
      07-07-2003
"Randy R" wrote:
>>
>> What's the best way to tell whether a page is coming as
>> the result of a POST operation?

>
> What about setting a session variable on the page where the
> form is and checking if that session variable is valid on
> the next page. If it's not, then you can redirect them back
> to the form.


This only tests whether there is a valid session, not whether the form
submission originated from one of his pages. Certainly a user could have a
valid session, yet still submit a request from a self-created form.

The short answer to the original question is that there is little you can
ever safely assume about the content of the request. Your application design
should reflect this.

Evaluate the request in its entirety, always assuming the user constructed
the request himself. Most of the things you can do take little more than
common sense: Ask yourself which items could be spoofed and with what
likelihood (session cookies are more difficult to guess/spoof than form
name-value pairs, for example). Make sure REMOTE_HOST hasn't changed since
the session was generated. Use SSL where security is *really* needed.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
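
Added example, not part of the original thread: a Python sketch (rather than ASP) of the random-token check Ray describes, combined with Dave Anderson's advice to treat every request as built by the user. The in-memory SESSIONS store, the form_token field name, and the name/comment fields with their limits are assumptions made for illustration.

```python
import hmac
import secrets

SESSIONS = {}  # stand-in for the server's session store or DB table (assumption)
MAX_LEN = {"name": 50, "comment": 500}  # hypothetical fields and server-side limits


def render_form(session_id):
    """Serve the genuine form: mint a random token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["form_token"] = token
    return token  # emitted as a hidden <input name="form_token">


def handle_request(method, session_id, fields):
    """Return (accepted, reason), assuming the client built the request by hand."""
    if method != "POST":
        return False, "not a POST"  # e.g. URL typed into the address bar
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "no session"
    expected = session.get("form_token")
    supplied = str(fields.get("form_token", ""))
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing token"  # a valid session alone is not enough
    del session["form_token"]  # single use: a replayed POST no longer matches
    for name, limit in MAX_LEN.items():
        value = str(fields.get(name, ""))
        if not value or len(value) > limit:
            return False, "invalid field: " + name  # maxlength re-checked on the server
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-1"  # constructed session id
    token = render_form(sid)
    post = {"form_token": token, "name": "MDW", "comment": "hello"}
    print(handle_request("GET", sid, {}))
    print(handle_request("POST", sid, {"name": "MDW", "comment": "hello"}))
    print(handle_request("POST", sid, post))
    print(handle_request("POST", sid, post))  # replay of the same token
```

The token shows that the client loaded the form in this session before posting; a script can still fetch the form first, so the server-side field checks remain the actual control.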


 