One of our most common error situations in a web application is that a user executes a GET request where the form should have submitted a POST.
I realize that the most likely case is that they got to the page (by way of a POST) and then clicked in the address bar and hit enter.
The question is, are there other less obvious ways that this could happen (print previews/back button, etc)?
We have never been able to consistently repeat the problems. The problems for different users and different pages nor do they happen very often (maybe once a week).
EDIT:
There is no data submitted with the GET request and therefore the processing page crashes out.
I was having a similar issue, although it doesn't sound like this was exactly yours. I had a form that was being submitted via ajax and shouldn't ever use the default submit. Now and then I was receiving errors from a GET done on the form. It shouldn't be possible to submit this form; however, certain versions of Safari for Mac were submitting it on enter. I just added a jquery form.submit() catch on it to prevent the default functionality. I also set the action to a page that wouldn't result in error (in case of lack of javascript).
As you said your problem is intermittent, so having a problem in form method set as get instead of post can be overruled but yes you are right, that if user presses enter in address bar it would be a get request and back button request always depends upon the last request made, if it was a post then any good browser will prompt you about resubmission and if it was get then no prompt, page will be bought back(may be from cache).
May be you can use Firebug (track requests in .net tab)or Fiddler and do some tests with different users/pages if you can reproduce it, its simply pressing enter in address bar.
Edit:
And also get is always supposed to 'retrieve information' so if browser is missing something or need something it will be a get but again check in IIS log for those get requests and try them in browser,if they contains query string for viewstate and eventvalidation, then they are really mis-formed request from post to get, if form method is not explicitly set to get.
I believe that an answer to the question "what are reasons for a browser executing GET rather than POST" does not help to solve the problem of receiving a GET on a form where you expect the a GET. But: To answer that question I would simply say that you receive an GET because the browser sends an GET and you can send a GET on any page where you can send a POST. On the other hand, if the user uses the form the browser sends a POST. Thus your server has to be prepared to handle the GET and it should handle the GET in the same manner as a POST with invalid parameters. My suggestion:
If you receive a GET, display the form again.
If you receive a POST with invalid data, display the form again and notify the user that he has to enter the data in a specific way.
Maybe a trivial answer, but that's what I would do. Don't know if it adds to the discussion.
Wrong, the most obvious reason why you get a GET instead of a POST is that because you're doing a GET instead of a POST.
A less obvious reason is you forgot to specify method="post" in one of your forms. The HTML standard specifies that the default method is GET, so if you want to POST, you must specify method="post" explicitly.
Scrutinize all of your tags and make sure all of them explicitly specify method="post".
EDIT: When you click on the address bar and pressed enter, yes it's true that the browser will GET a page, but your form wouldn't be submitted that way since the browser treats the URL similar to how a copy-pasted URL would be: a new session without any additional information sent to the server (except cookies).
Related
currently I'm doing some scraping, and tryin (and failing) to get passed a recaptcha on a specific website( https://iowa.igovsolution.com/iboponline/Lookups/Lookup_Individual.aspx ). I'm using Seleneium Chromium to move through the website, and DeathByCaptcha to get the answer code, which I then insert code into the g-recaptcha-response. Though after filling in the rest of the form and pressing enter, it doesn't registered that the recaptcha was 'finished.'
What I've noticed about this sight--which is different then the others I've dealt with. is that this site makes two separate post request, a 'verify captcha' post request where it sends the recaptcha answer code, and the post request with the general data, rather then a single post request with the general data, and the information I fill out into the form. I was wondering what I needed to do(or if it's not possible to do with Selenium).
I have done some research, but I can't find very much that is about my issue.
The code I use to insert the answer code into the g-recaptcha-response is this(and I know it works at inserting it since I've checked to make sure it actually puts it in there and it does. I've also used this method of getting passed recaptchas on other sites):
driver.execute_script('document.getElementById("g-recaptcha-response").innerHTML = "' + str(key) + '"')
I want to create a new tab and send data to it in a POST request from my chrome extension. I could use a GET request, but the data I am going to send could be arbitrarily long, and I want to JSON encode it(which also means I cannot use forms). I've only found two questions on SO about this, but both of them are talking about using a form, which is not desirable.
The reason I want to do this is because I want to request further input from the user before I do what I do with the data. I am totally lost here and have no idea how to do this, hence I can not add any code samples I've tried.
If I cannot do this with a URL, I could inject a script into the page and have a popup, but that is something of a last resort.
Any ideas on how this could be done?
Is it possible to pass command line arguments using HTTP under Node.js? This seems like a simple thing to do but I can not seem to find out how or if it is even possible. I am struggling a little with the async nature of node so may be missing something fundamental here!
Thanks,
Will
You have a few choices of how to pass state info from one script to another. One of the simplest and most portable has been around since the beginning - when you get the user data posted from page1, send it along in hidden form elements of page2. Then a post of page2 will have the user input on the new form elements and automatically include the hidden form element values as well. Of course you can use the data in the page1 post to otherwise determine what goes on page2. And so on to page3, etc.
The other common choice is cookies. You leave a cookie on the user's browser when they view page1 and then query the browser for it in your code for page2. This is totally portable in modern browsers, but the user can turn off cookies and then it won't work.
Another option is session variables in your node.js scripts. These are pretty easy to work with, but some servers use cookies behind the scenes and they could be off. You might want to read up on that one.
None of those 3 require use of JavaScript on the browser which is required for the Ajax option. In this single page mode you can keep all the state info you want in the JavaScript code because the page never gets reloaded. That gets a little tougher for a beginner and there's also the possibility that Javascript is off. If you are developing a rich, interactive app, you can expect your users to have JS enabled. But for a website with a few pages to sequence to casual visitors it may not always be on.
So, I'd suggest you try the hidden form elements to get started. Something like:
<input type="hidden" name="whatever" value="data-from-page1-post" />
If you put that onto a form in page2, it will come back in the post.
Have fun...
If I have an html form commented out using <!-- form -->
Which has some input fields that are not sanitized, can someone use those to do bad queries to the db? For example with firebug, can someone remove <!-- and use those input fields to do something nasty?
Depending on the script handling the form, a person can certainly create a local copy of that form without the comments. Indeed, if they know what the input names and semantics are, they can create their own form altogether. There's no good way of detecting whether or not a form submission is from your form or something else masquerading as it.
All the info you send to the user can be modified by him, so if you don't want him to see that info, don't comment it out, just remove it or comment out with php.
And if your database is able to receive 'bad' queries is that something is wrong coded, because an user can post his own data even if you don't send him any form to do so. You have to add server sided security (Authentication, checking user rights, sql injection...) even if your HTML don't allows it, because server side code can't be modified by user.
Not sure, but I'd check it this way: edit the HTML from the browser's element inspector and uncomment it. If then you can use it, you can be hacked.
What is the simplest way to make a confirmation dialog in Yesod? In some cases, when a form is posted, I want to ask for confirmation before carrying out the action. I imagine this working by sending the user a separate confirmation page, and then processing the posted data if the 'Yes' button is pressed.
I think this should be possible, using functions like setUltDestReferer. The question is, what is the easiest/most typical way to do it in Yesod? Ideally it should boil down to a single function call in the handler, like requireAuth does.
If I understood this right, you want something that will
Render some confirmation page and abort further processing of the request.
Have the "Yes" button link back to this handler and set a flag.
If the flag is set, do nothing and continue with the request instead.
This immediately raises the question of how the original form data should be carried along. There are ways of solving this, e.g. by storing it in the session or by including it URL encoded in the "Yes" link.
The latter approach works, but can be a bit messy. The former can cause problems when users hit the back button, open links in new tabs and so on. This comes from the stateless design of HTTP.
Instead, it might be cleaner to create a new AJAX handler and add some JavaScript that
Calls the handler to check if confirmation is needed.
Shows the confirmation if that was the case.
If the user clicked "Yes", proceeds with submitting the form as you normally would.
I recommend you go with #hammar's approach, I think it's the best. If for some reason AJAX isn't an option, you can consider putting a hidden form on the confirmation page containing the form data submitted from the first page. This should be fairly trivial using runRequestBody.