Accessing posted form objects via JavaScript

Note. I need to use METHOD="POST". The idea is that I'll hit
myASP.asp using SSL and f1 and f2 will store a userid/pw. If I use
METHOD="GET" the userid/pw will be appended to the URL and sent via
clear text.

Observation: There is different if I used id or name in form e.g.
<input type="button" name="f1" />
In order to connerct btw asp file and html.

Choxio wrote:

Note. I need to use METHOD="POST". The idea is that I'll hit
myASP.asp using SSL and f1 and f2 will store a userid/pw. If I use
METHOD="GET" the userid/pw will be appended to the URL and sent via
clear text.

If you use post they are still sent via clear text, just not in the URL. Use
HTTP with SSL (HTTPS) if you want to encrypt the data.

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is

"Choxio" <ch****@yahoo.com> wrote:

Using ASP you can access posted form elements. Is it possible to
access them from JavaScript?
You can write ASP code in VBScript or Javascript _ or other languages<
if you install the proper support. ASP is a platform, not a language.

JavaScript is usually used for client-side scripting. You can't access
the posted form elements there because they haven't been posted yet.
You can examine the elements of the form and retrieve or set the
values stored in them.
myHTML.htm
<form action=myASP.asp>
<input type=hidden id=f1 value=val1>
<input type=hidden id=f2 value=val2>
<input type=submit value="Choose Me">
</form> myASP.ASP
response.write(request("f1"))

This statement would execute on the server, before the page is sent to
the client computer. As I said earlier, you can use either VBScript or
Javascript to write this stuff.

--
Tim Slattery
Sl********@bls.gov

I was trying to explain that the METHOD="GET" which would allow
JavaScript to parse the URL would not work for me as I wanted to pass
userid/pw as form variables (not part of URL). I intend to use SSL to
encrypt the form variables as you suggest.

I would like to create a client-side JavaScript function within
MyHTML1.htm that could access user and pw (posted in MyHTML0.htm)

MyHTML0.htm
{
<form action=https://myHTML.htm" method="post">
<input type=hidden id="user" value="john">
<input type=hidden id="pw" value="cool">
</form>
}

MyHTML1.htm
{
<script>
Alert("user is " + client_side_forms_object["user"] + " pw is
" + client_side_forms_object["pw"])
</script>
}

This is pseudo-code. I'm sure client_side_forms_object is not a
valid client-side JavaScript object. Does a client-side (browser)
JavaScript object allowing access to posted form elements exist?

Choxio wrote:

I would like to create a client-side JavaScript function within
MyHTML1.htm that could access user and pw (posted in MyHTML0.htm)

MyHTML0.htm
{
<form action=https://myHTML.htm" method="post">
<input type=hidden id="user" value="john">
<input type=hidden id="pw" value="cool">
</form>
}

MyHTML1.htm
{
<script>
Alert("user is " + client_side_forms_object["user"] + " pw is
" + client_side_forms_object["pw"])
</script>
}

This is pseudo-code. I'm sure client_side_forms_object is not a
valid client-side JavaScript object. Does a client-side (browser)
JavaScript object allowing access to posted form elements exist?

You keep emphasizing 'posted' - form data is posted to a server, where
it is presumably processed in some way. Read the FAQ (as you should
have previously) for information on how to read the contents of form
controls *before* posting, at the client.

http://www.jibbering.com/faq/#FAQ4_13

I did read the FAQ. If you use method="GET" the form elements are
appended to the URL. I don't want the userid/pw transmitted in clear
text as part of the URL. I will be using HTTPS so the form data will
be encrypted.

Reading the form elements before the post or get does me no good as I
need the URL specified in the ACTION of the FORM to use the form
elements. A page on website A calls a page on website B. Website B
needs the user id/pw from website A to log into the system.

Choxio wrote:

I was trying to explain that the METHOD="GET" which would allow
JavaScript to parse the URL would not work for me as I wanted to pass
userid/pw as form variables (not part of URL)

.... but the *reason* you gave for that is you didn't want them sent in clear
text - which is bogus. If its SSL then they aren't sent as clear text. If
its not SSL then they are. It doesn't matter if its POST or GET.

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is

David Dorward schrieb:

Choxio wrote:

I was trying to explain that the METHOD="GET" which would allow
JavaScript to parse the URL would not work for me as I wanted to
pass userid/pw as form variables (not part of URL)

... but the *reason* you gave for that is you didn't want them sent
in clear text - which is bogus. If its SSL then they aren't sent as
clear text. If its not SSL then they are. It doesn't matter if its
POST or GET.

Yes and no. I think what the OP meant is that GET is certainly greater
a security risk than POST, since URIs are stored in the browser history
and POST requests usually require confirmation before sent again.
Without SSL, it *is* still sent a clear text, however not that easy to
notice.
PointedEars

"Choxio" schrieb:

I did read the FAQ.
I doubt that.
If you use method="GET" the form elements are appended to the URL.
Actually, pairs or names and values of HTML elements, namely not
disabled form controls, delimited with an ampersand character, are
appended to the URI, not the HTML elements.
I don't want the userid/pw transmitted in clear text as part of the
URL. I will be using HTTPS so the form data will be encrypted.
ACK
Reading the form elements before the post or get does me no good as I
need the URL specified in the ACTION of the FORM to use the form
elements.

A page on website A calls a page on website B. Website B
needs the user id/pw from website A to log into the system.

So Web site B, more precisely _resource_ B, has to process the data
submitted by Web site A, i.e. resource A. It does not matter what
platform or language is used for that as long as the underlying
application is a CGI application (which ASP scripted with *server-side*
JScript certainly is).

So your question was:

| Is it possible to access them from JavaScript?

The correct answer already given several times is "yes". That includes
all ECMAScript implementations where there is a language binding
provided by the CGI application, including Microsoft JScript to be used
with ASP (on IIS).

But if your question would have been "Is it possible to access them with
client-side JavaScript?", the correct answer would have been "no". See?
PointedEars

DeltaX wrote:

Observation: There is different if I used id or name in form e.g.
<input type="button" name="f1" />
In order to connerct btw asp file and html.

Yes, `id' attribute values are not submitted, `name' attribute values are.
This is why the `name' attribute is not deprecated in HTML 4.01 or XHTML
1.0 for form controls and those elements have a `name' attribute in XHTML
1.1 although other elements have not.
PointedEars
--
There are two possibilities: Either we are alone in the
universe or we are not. Both are equally terrifying.
-- Arthur C. Clarke

The GET appends form data to the URL. SSL does not encrypt the URL.
If the URL was encrypted how could the routers get your request to the
required server?

I have done quite a bit of googling trying to track down a way to
"...access them with client-side JavaScript?" I have not found a way
of doing this so perhaps you're correct.

BTW, why do you doubt I read the FAQ? The FAQ does not address this
issue. Perhaps you should review
http://www.jibbering.com/faq/#*FAQ4_13 or even better post an URL of a
FAQ discussing this problem.

And "ACK" - please elaborate.

I refined my question on May 18th (a day after my original post) to:
"Does a client-side (browser) JavaScript object allowing access to
posted form elements exist?" Instead of wasting your time attacking
previous posts perhaps you should spend a bit more time reading the
thread and address the question at hand. Based upon other's posts I
realized I was asking the wrong question and refined my post.

Choxio wrote:

The GET appends form data to the URL. SSL does not encrypt the URL.
If the URL was encrypted how could the routers get your request to the
required server?

Routing does not occur based on the URL. The _browser_ extracts the
hostname/domainname from the URL, then does a DNS lookup to obtain the
IP of that host.

Routing then occurs based on the IP address -- not even the host name.

In-between, packet sniffers wouldn't even be able to tell what hostname
you were after, only the IP address of it.

Choxio wrote:

I have done quite a bit of googling trying to track down a way to
"...access them with client-side JavaScript?" I have not found a way
of doing this so perhaps you're correct.

BTW, why do you doubt I read the FAQ?
Because it's obvious from your posting stlye that you have not read it,
in its entirety.
The FAQ does not address this issue.
Probably not. It *does* address the issue of posting/quoting to this
group though.
Perhaps you should review http://www.jibbering.com/faq/#*FAQ4_13 or
even better post an URL of a FAQ discussing this problem.

Before you make it that far into the FAQ, you would have made it to
section 2.3, paragraph 1:
<quote>
Before posting to clj, you should thoroughly read this document
</quote>

And then paragraph 6:
<quote>
When replying to a message on the group trim quotes of the preceding
messages to the minimum needed and add your comments below the pertinent
section of quoted material, as per FYI28/RFC1855 (never top post).
</quote>

Note the part about quoting what you are replying to.
<snip>

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly

Choxio wrote:

BTW, why do you doubt I read the FAQ?
Because your posting behavior tells so.
The FAQ does not address this issue.
It includes a description of accepted ways to post to a newsgroup,
particularly this one.
Perhaps you should review http://www.jibbering.com/faq/#*FAQ4_13
Are you kidding? *I* should review the FAQ regarding *your* problems?
You must think that this is a support forum or something like that,
and that I am your support agent.
[...]
And "ACK" - please elaborate.
<http://www.restlessmind.com/jargon/?entry=ACK>
I refined my question on May 18th (a day after my original post) to:
"Does a client-side (browser) JavaScript object allowing access to
posted form elements exist?" Instead of wasting your time attacking
previous posts perhaps you should spend a bit more time reading the
thread and address the question at hand. Based upon other's posts I
realized I was asking the wrong question and refined my post.

You better cool down quickly. You posted a new question in an old
thread as a side note on the bottom of a posting. It was likely that
it got overlooked.

However, yes, a client-side JavaScript object for that exists,
but I don't think it is available outside of an XUL environment.
Look into <http://livehttpheaders.mozdev.org/>.
PointedEars

"Random" <ra*******@gmail.com> wrote in message
news:11**********************@f14g2000cwb.googlegr oups.com...

Choxio wrote:

The GET appends form data to the URL. SSL does not encrypt the URL.
If the URL was encrypted how could the routers get your request to
the
required server?

Routing does not occur based on the URL. The _browser_ extracts the
hostname/domainname from the URL, then does a DNS lookup to obtain the
IP of that host.

Routing then occurs based on the IP address -- not even the host name.

In-between, packet sniffers wouldn't even be able to tell what
hostname
you were after, only the IP address of it.

As described above, of course the URL is encrypted using SSL. And think
about it, what would be the point of SSL if it didn't encrypt _all_
traffic between server and client, including the client's GET requests?

--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq