
Detecting a form's POST

MDW
Say I've got a page - myPage.asp - that expects to see the
results of a form's POST operation. If it comes from the
form, all is fine.

However, if someone were to manually type the address in
the address bar - http://www.mysite.com/myPage.asp - I'd
like to be able to detect that they're trying to
circumvent the form and redirect them to the appropriate
page using Response.Redirect().

What's the best way to tell whether a page is coming as
the result of a POST operation?
Jul 19 '05 #1
9 Replies


Request.ServerVariables("REQUEST_METHOD") will tell you if it was posted or
getted (?). But, I can make C:\PathOnMyComputer\page.htm with:

<form method="post" action="http://www.yoursite.com/yourpage.asp"> and post
to it.

Ray at work


Jul 19 '05 #2

MDW
Hmmmm....

What about something like this:

strID = Request.Form("ImportantValueWithoutWhichPageWouldntWork")

If strID = "" Then
    Response.Redirect("useTheFormYouDope.asp")
End If

Jul 19 '05 #3

> What's the best way to tell whether a page is coming as
> the result of a POST operation?


What about setting a session variable on the page where the form is and
checking if that session variable is valid on the next page. If it's not,
then you can redirect them back to the form.
Jul 19 '05 #4

That would work, but, I could put <input
value="ImportantValueWithoutWhichPageWouldntWork"> in my form as well. Have
you seen those "validation ticket" things on websites where you have to
enter a string of characters into a textbox on the form from reading an
image that contains the string of characters? IE, go to www.godaddy.com,
look up a domain that is taken, and then do a whois. You have to enter a
ticket number. I think you'd have to do something like that to be 100% sure
that the person is submitting from your form.

You could also use cookies or sessions to be 99% sure.

Also, you could write a cookie on the page with your form that is a random
string and another one with an ID and also store that value in a DB,
temporarily. Then, when the form is submitted, you could look up the cookie
ID in the database and see if the random string matches from the DB and the
other cookie that the client sent.

Ray at work


Jul 19 '05 #5

MDW
Yeah, I could do that. But in all honesty.... *L* If
someone is trying to fool my site like that, they must be
REALLY bored.

Thx for the ideas. I'll play around, probably do some
combination of them. Just trying to idiot-proof my site.


Jul 19 '05 #6

Yeah, I mean, if you think about it, what harm can be done? They still can
only submit what your site will accept. Just control field lengths and
things on the server instead of relying on things like "maxlength" in the
inputs, and everything should be okay.

Ray at work


Jul 19 '05 #7

MDW wrote on 07 jul 2003 in microsoft.public.inetserver.asp.general:
> Hmmmm....
>
> What about something like this:
>
> strID = Request.Form("ImportantValueWithoutWhichPageWouldntWork")
>
> If strID = "" Then
>     Response.Redirect("useTheFormYouDope.asp")
> End If


I would add a test of Request.ServerVariables("HTTP_REFERER") [yes, I know
this sometimes fails] to ascertain that the posting page was mine.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #8

"Randy R" wrote:

>> What's the best way to tell whether a page is coming as
>> the result of a POST operation?
>
> What about setting a session variable on the page where the
> form is and checking if that session variable is valid on
> the next page. If it's not, then you can redirect them back
> to the form.


This only tests whether there is a valid session, not whether the form
submission originated from one of his pages. Certainly a user could have a
valid session, yet still submit a request from a self-created form.

The short answer to the original question is that there is little you can
ever safely assume about the content of the request. Your application design
should reflect this.

Evaluate the request in its entirety, always assuming the user constructed
the request himself. Most of the things you can do take little more than
common sense: Ask yourself which items could be spoofed and with what
likelihood (session cookies are more difficult to guess/spoof than form
name-value pairs, for example). Make sure REMOTE_HOST hasn't changed since
the session was generated. Use SSL where security is *really* needed.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 19 '05 #9
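
An added example, not code from any poster in this thread: one way to combine the REQUEST_METHOD check with a one-time token that is stored in the session and echoed back in a hidden field, which is the session and random-string ideas above taken one step further. The function names, the "FormToken" session key, the "token" field name and the use of a Scriptlet.TypeLib GUID as the random value are assumptions.

```vbscript
' Added example (classic ASP, VBScript). Assumed names: the "FormToken"
' session key, the "token" hidden field and both function names.

' --- On the page that renders the form ---
Function IssueFormToken()
    Dim guid
    ' Assumption: a GUID stands in for the random value; substitute a
    ' cryptographic random generator if the server offers one.
    guid = CreateObject("Scriptlet.TypeLib").Guid
    Session("FormToken") = Mid(guid, 2, 36)   ' drop braces and padding
    IssueFormToken = Session("FormToken")
End Function

Sub WriteTokenField()
    Response.Write "<input type=""hidden"" name=""token"" value=""" & _
        Server.HTMLEncode(IssueFormToken()) & """>"
End Sub

' --- At the top of myPage.asp, before any other work ---
Function IsFromOurForm()
    Dim expected, supplied
    IsFromOurForm = False   ' fail closed

    ' 1. A URL typed into the address bar arrives as GET.
    If UCase(Request.ServerVariables("REQUEST_METHOD")) <> "POST" Then Exit Function

    ' 2. This session must have been served the form.
    expected = Session("FormToken") & ""
    If expected = "" Then Exit Function

    ' 3. One use only: clear the token before comparing, so a second
    '    or replayed POST finds nothing to match.
    Session.Contents.Remove "FormToken"

    ' 4. The hidden field must carry the token issued to this session.
    supplied = Request.Form("token") & ""
    If StrComp(supplied, expected, vbBinaryCompare) = 0 Then IsFromOurForm = True
End Function

If Not IsFromOurForm() Then Response.Redirect "useTheFormYouDope.asp"
```

A visitor who loads the real form can still copy the token into a hand-built form, so this shows only that the form was recently served to this session; every field value still has to be validated on the server.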


"MDW" <mw********@go.com> wrote in message
news:01****************************@phx.gbl...
> Yeah, I could do that. But in all honesty.... *L* If
> someone is trying to fool my site like that, they must be
> REALLY bored.

Why don't you use Ray's idea
Request.ServerVariables("REQUEST_METHOD")

with
Request.ServerVariables("HTTP_REFERER")
as well?

That will tell you the method used and what page it came from.

> Thx for the ideas. I'll play around, probably do some
> combination of them. Just trying to idiot-proof my site.


Jul 19 '05 #10
