How to call a specific server-side method?

[Cyphos]

Hi,

I'm just learning how to use the XmlHttpRequest object. Very cool.
However, I'm wondering how I can call a specific server-side method.
For example, say I have a method defined as follows on an ASP.NET
code-behind file

public string GetServerTime()
{
return DateTime.Now.ToShortTimeShort();
}

Would I have to change the request method to POST? Could someone post
an example please? Or can I simply not call a method, and have to call
the method from the Page_Load event?

 

[Thomas 'PointedEars' Lahn]

I'm just learning how to use the XmlHttpRequest object. Very cool.
However, I'm wondering how I can call a specific server-side method.

You cannot do that directly.

For example, say I have a method defined as follows on an ASP.NET
code-behind file

public string GetServerTime()
{
return DateTime.Now.ToShortTimeShort();
}

Would I have to change the request method to POST? Could someone post
an example please? Or can I simply not call a method, and have to call
the method from the Page_Load event?

Either question has to be answered with: You have not yet understood how
XMLHTTPRequest works. Here it is in short: it sends a request to a host
which is running a HTTP server, returns information about the request
status and the server reply. Nothing more, nothing less.

So if you want to call a specific server-side method, that has to be done
server-side in an (ASP.NET) application that is executed when the specific
resource is requested, such as

<%@ LANGUAGE = JScript %>
<%= GetServerTime() %>

(Even though the interface is named XMLHttpRequest, you do not need to
return XML content; any output will do.)


HTH

PointedEars

 

[David Dorward]

I'm just learning how to use the XmlHttpRequest object. Very cool.
However, I'm wondering how I can call a specific server-side method.

You would have to construct which would cause the server side script to
execute that method. This is most easily achieved by specifing it in the
query string (and altering the server side script to check that query
string parameter).

 

[Thomas 'PointedEars' Lahn]

You would have to construct which would cause the server side script to
execute that method. This is most easily achieved by specifing it in the
query string (and altering the server side script to check that query
string parameter).

Which of course would be potentially dangerous since an attacker
could then probably execute arbitrary code server-side:

http://foo.bar/baz.asp?delete_all_files()


PointedEars

 

[Randy Webb]

Thomas 'PointedEars' Lahn said the following on 11/3/2005 4:21 AM:

David Dorward wrote:




Which of course would be potentially dangerous since an attacker
could then probably execute arbitrary code server-side:

http://foo.bar/baz.asp?delete_all_files()

Only if you are stupid enough to allow it.

 

[VK]

Hi,

I'm just learning how to use the XmlHttpRequest object. Very cool.
However, I'm wondering how I can call a specific server-side method.
For example, say I have a method defined as follows on an ASP.NET
code-behind file

public string GetServerTime()
{
return DateTime.Now.ToShortTimeShort();
}

Would I have to change the request method to POST? Could someone post
an example please? Or can I simply not call a method, and have to call
the method from the Page_Load event?

You can use WebService behavior:
<http://msdn.microsoft.com/library/default.asp?url=/workshop/author/webservice/overview.asp>

 

[David Dorward]

Which of course would be potentially dangerous since an attacker
could then probably execute arbitrary code server-side:

http://foo.bar/baz.asp?delete_all_files()

Easily avoided... Just don't include the code:

if ($action eq "delete_all_files") {
system('rm -rf /');
}

 

[Thomas 'PointedEars' Lahn]

Easily avoided... Just don't include the code:

if ($action eq "delete_all_files") {
system('rm -rf /');
}

Which proves my point. GET is dangerous here. POST ist less dangerous.
Even less dangerous would be something like a confirmation document or
server-side sessions or ...


PointedEars