FORM POST submission

C

Cognition Peon

Hi,

I have followed the example in the perlfaq to automate
a post form submission:

#!/usr/bin/perl

use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

$ua = LWP::UserAgent->new();
my $req = POST 'http://68.0.148.101:8055/login.html',
[ userid => 'File', password => 'pass'];
$content = $ua->request($req)->as_string;

HTML for the form is in the following file
http://68.0.148.101:8055/login.html

upon submission it must goto
http://68.0.148.101:8055/index.html

I am expecting the $content variable to have
the content of index.html but its getting login.html

I didn't find anybody who had similar problem.. and
its quite frustrating because it is a very simple
form submission page.

Thanks,
Prakash.
 
A

Andrew V. Tkachenko

I'm not sure its a good idea to pass passwords through GET method. They
may be viewed in log files either by admin or by successfull hacker :)
Also, in our case putting GET instead of POST looks like a dirty hack :)



Gregory said:
Andrew V. Tkachenko wrote:

If you will check source of http://68.0.148.101:8055/login.html
you will see that 'action' is not 'http://68.0.148.101:8055/login.html'
but 'http://68.0.148.101:8055/index.html'


my $req = POST 'http://68.0.148.101:8055/index.html',
[ userid => 'File', password => 'pass'];


And even its it its POST, you can often get away with
http://68.0.148.101:8055/index.html?userid=XXX&password=YYYY

gtoomey
 
A

Andrew V. Tkachenko

Heh. forget it. POST queries are also visible in logs .
I'm not sure its a good idea to pass passwords through GET method. They
may be viewed in log files either by admin or by successfull hacker :)
Also, in our case putting GET instead of POST looks like a dirty hack :)



Gregory said:
Andrew V. Tkachenko wrote:

If you will check source of http://68.0.148.101:8055/login.html
you will see that 'action' is not 'http://68.0.148.101:8055/login.html'
but 'http://68.0.148.101:8055/index.html'


my $req = POST 'http://68.0.148.101:8055/index.html',
[ userid => 'File', password => 'pass'];


And even its it its POST, you can often get away with
http://68.0.148.101:8055/index.html?userid=XXX&password=YYYY

gtoomey
 
C

Cognition Peon

Thanks for your response... but I always thought that action should point
to the page where form data will be submitted to.. Upon submission I want
the login.html page to goto index.html

you can test its behaviour at http://68.0.148.101:8055/login.html
it goes to index.html upon entering a random username and password.

Thanks.
Prakash.

Tomorrow, IP packets from Andrew V. Tkachenko delivered:
If you will check source of http://68.0.148.101:8055/login.html
you will see that 'action' is not 'http://68.0.148.101:8055/login.html'
but 'http://68.0.148.101:8055/index.html'


my $req = POST 'http://68.0.148.101:8055/index.html',
[ userid => 'File', password => 'pass'];



Cognition said:
Hi,

I have followed the example in the perlfaq to automate
a post form submission:

#!/usr/bin/perl

use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

$ua = LWP::UserAgent->new();
my $req = POST 'http://68.0.148.101:8055/login.html',
[ userid => 'File', password => 'pass'];
$content = $ua->request($req)->as_string;

HTML for the form is in the following file
http://68.0.148.101:8055/login.html

upon submission it must goto
http://68.0.148.101:8055/index.html

I am expecting the $content variable to have
the content of index.html but its getting login.html

I didn't find anybody who had similar problem.. and
its quite frustrating because it is a very simple
form submission page.

Thanks,
Prakash.
 
C

Cognition Peon

Please ignore my last question.. Thanks for the help.. Now I understood
after testing it on apage which accepts form variables submitted from
login.html

Thanks,
prakash

6:22pm, IP packets from Cognition Peon delivered:
Thanks for your response... but I always thought that action should point
to the page where form data will be submitted to.. Upon submission I want
the login.html page to goto index.html

you can test its behaviour at http://68.0.148.101:8055/login.html
it goes to index.html upon entering a random username and password.

Thanks.
Prakash.

Tomorrow, IP packets from Andrew V. Tkachenko delivered:
If you will check source of http://68.0.148.101:8055/login.html
you will see that 'action' is not 'http://68.0.148.101:8055/login.html'
but 'http://68.0.148.101:8055/index.html'


my $req = POST 'http://68.0.148.101:8055/index.html',
[ userid => 'File', password => 'pass'];



Cognition said:
Hi,

I have followed the example in the perlfaq to automate
a post form submission:

#!/usr/bin/perl

use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

$ua = LWP::UserAgent->new();
my $req = POST 'http://68.0.148.101:8055/login.html',
[ userid => 'File', password => 'pass'];
$content = $ua->request($req)->as_string;

HTML for the form is in the following file
http://68.0.148.101:8055/login.html

upon submission it must goto
http://68.0.148.101:8055/index.html

I am expecting the $content variable to have
the content of index.html but its getting login.html

I didn't find anybody who had similar problem.. and
its quite frustrating because it is a very simple
form submission page.

Thanks,
Prakash.
 
G

Gregory Toomey

Andrew said:
I'm not sure its a good idea to pass passwords through GET method. They
may be viewed in log files either by admin or by successfull hacker :)

GET and POST offer the same level of security (ie none) unless you are using
https.
Also, in our case putting GET instead of POST looks like a dirty hack :)

And your solution isn't? Its just very basic html.

BTW, there's also a syntax to supply userid & password in the URL when using
basic authentication ie those pop up boxes the browser gives you for some
sites. The syntax to logon would be:
http://userid:[email protected]/rest-of-url

gtoomey
 
A

Alan J. Flavell

There's a generic URL syntax for providing passwords as part of a URL,
and such passwords would indeed get logged; but for the http://
scheme, the use of this generic syntax is explicitly excluded. Basic
authentication credentials are supposed to be provided in response to
401 status (which in a typical browser would result in a user dialog).
Such credentials (passwords) are NOT logged, unless the server admin
has gone crazy.

The above is true irrespective of GET or POST. Sure, the actual
software implementations _do_ support supplying credentials as part of
the URL, despite the specifications ruling them out for http://, but
the fact that they're implemented doesn't mean it's a good idea to use
them (except maybe for special cases such as guest:guest).

Nevertheless, the credentials will be passed over the network "in
clear", and are thus insecure on the end-to-end path, unless https is
used.
GET and POST offer the same level of security (ie none) unless you
are using https.

Even there, if some idiot server admin decided to log the passwords,
all bets would be off. https only provides security over the network
path. You need some other kind of authentication if it's to be proof
against snoopers on the same machine.
BTW, there's also a syntax to supply userid & password in the URL when using
basic authentication ie those pop up boxes the browser gives you for some
sites. The syntax to logon would be:
http://userid:[email protected]/rest-of-url

That's exactly the problem, and that's exactly why the http:// URL
rules out this usage, even though it's defined in the generic URL
syntax.

(For URL read "URI", if you are so inclined ;-)

ref: rfc1738 section 3.1 "Common Internet Scheme Syntax" and
3.3 "HTTP". The latter says specifically:

| No user name or password is allowed.

(, not that implementers have felt themselves much constrained by this
prohibition.)

I think you'll find this confirmed in later RFCs.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,731
Messages
2,569,432
Members
44,832
Latest member
GlennSmall

Latest Threads

Top