«

Hi,

I'm just learning how to use the XmlHttpRequest object. Very cool.
However, I'm wondering how I can call a specific server-side method.
For example, say I have a method defined as follows on an ASP.NET
code-behind file

public string GetServerTime()
{
return DateTime.Now.ToShortTimeShort();
}

Would I have to change the request method to POST? Could someone post
an example please? Or can I simply not call a method, and have to call
the method from the Page_Load event?

Cyphos wrote:

> I'm just learning how to use the XmlHttpRequest object. Very cool.
> However, I'm wondering how I can call a specific server-side method.

You cannot do that directly.

> For example, say I have a method defined as follows on an ASP.NET
> code-behind file
>
> public string GetServerTime()
> {
> return DateTime.Now.ToShortTimeShort();
> }
>
> Would I have to change the request method to POST? Could someone post
> an example please? Or can I simply not call a method, and have to call
> the method from the Page_Load event?

Either question has to be answered with: You have not yet understood how
XMLHTTPRequest works. Here it is in short: it sends a request to a host
which is running a HTTP server, returns information about the request
status and the server reply. Nothing more, nothing less.

So if you want to call a specific server-side method, that has to be done
server-side in an (ASP.NET) application that is executed when the specific
resource is requested, such as

<%@ LANGUAGE = JScript %>
<%= GetServerTime() %>

(Even though the interface is named XMLHttpRequest, you do not need to
return XML content; any output will do.)


HTH

PointedEars

Cyphos wrote:

> I'm just learning how to use the XmlHttpRequest object. Very cool.
> However, I'm wondering how I can call a specific server-side method.

You would have to construct which would cause the server side script to
execute that method. This is most easily achieved by specifing it in the
query string (and altering the server side script to check that query
string parameter).

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is

David Dorward wrote:

> Cyphos wrote:
>> I'm just learning how to use the XmlHttpRequest object. Very cool.
>> However, I'm wondering how I can call a specific server-side method.
>
> You would have to construct which would cause the server side script to
> execute that method. This is most easily achieved by specifing it in the
> query string (and altering the server side script to check that query
> string parameter).

Which of course would be potentially dangerous since an attacker
could then probably execute arbitrary code server-side:

http://foo.bar/baz.asp?delete_all_files%28%29


PointedEars

Thomas 'PointedEars' Lahn said the following on 11/3/2005 4:21 AM:

> David Dorward wrote:
>
>
>>Cyphos wrote:
>>
>>>I'm just learning how to use the XmlHttpRequest object. Very cool.
>>>However, I'm wondering how I can call a specific server-side method.
>>
>>You would have to construct which would cause the server side script to
>>execute that method. This is most easily achieved by specifing it in the
>>query string (and altering the server side script to check that query
>>string parameter).
>
>
> Which of course would be potentially dangerous since an attacker
> could then probably execute arbitrary code server-side:
>
> http://foo.bar/baz.asp?delete_all_files%28%29

Only if you are stupid enough to allow it.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

Cyphos wrote:
> Hi,
>
> I'm just learning how to use the XmlHttpRequest object. Very cool.
> However, I'm wondering how I can call a specific server-side method.
> For example, say I have a method defined as follows on an ASP.NET
> code-behind file
>
> public string GetServerTime()
> {
> return DateTime.Now.ToShortTimeShort();
> }
>
> Would I have to change the request method to POST? Could someone post
> an example please? Or can I simply not call a method, and have to call
> the method from the Page_Load event?

You can use WebService behavior:
<http://msdn.microsoft.com/library/default.asp?url=/workshop/author/webservice/overview.asp>

Thomas 'PointedEars' Lahn wrote:

>> You would have to construct which would cause the server side script to
>> execute that method. This is most easily achieved by specifing it in the
>> query string (and altering the server side script to check that query
>> string parameter).

> Which of course would be potentially dangerous since an attacker
> could then probably execute arbitrary code server-side:
>
> http://foo.bar/baz.asp?delete_all_files%28%29

Easily avoided... Just don't include the code:

if ($action eq "delete_all_files") {
system('rm -rf /');
}


--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is

David Dorward wrote:

> Thomas 'PointedEars' Lahn wrote:
>>> You would have to construct which would cause the server side script to
>>> execute that method. This is most easily achieved by specifing it in the
>>> query string (and altering the server side script to check that query
>>> string parameter).
>
>> Which of course would be potentially dangerous since an attacker
>> could then probably execute arbitrary code server-side:
>>
>> http://foo.bar/baz.asp?delete_all_files%28%29
>
> Easily avoided... Just don't include the code:
>
> if ($action eq "delete_all_files") {
> system('rm -rf /');
> }

Which proves my point. GET is dangerous here. POST ist less dangerous.
Even less dangerous would be something like a confirmation document or
server-side sessions or ...


PointedEars