Need expert help with advanced form Submit question


SaraLe...@gmail.com

Oct 19, 2007, 1:01:13 AM
Hello, could someone please kindly show me how to do this? I am
running some experiments with this and hope to see if it can work
again.

Basically, I need a simple form page that will submit its results to
the same page. I've seen this done before, but cannot recreate the
results.

Something like,

<form method=post action="">
<INPUT type="submit" name="button">
<input type="hidden" name="test_Data" value="100">
</form>

So basically I want to prove hitting the form submit button sends me
to the same page it is on, and passes some result back to it, and I
can take it from there. Can this be done? :)

Thank you in advance for help. Sara

John

Oct 19, 2007, 3:48:45 AM

<SaraLe...@gmail.com> wrote in message
news:1192770073....@e34g2000pro.googlegroups.com...

I cannot see how this can be done in HTML. It is straightforward in Perl.
Indeed, Perl Web programmers do it all the time.

action='/example.com/cgi-bin/test.pl'
use CGI qw(:standard);               # import param() and the other standard functions
my $testdata = param('test_Data');   # value of the hidden form field
[ work on variable $testdata ]

Have you seen something like this?

Regards
John

nice.guy.nige

Oct 19, 2007, 3:49:19 AM
While the city slept, SaraLe...@gmail.com (SaraLe...@gmail.com)
feverishly typed...

[...]


> <form method=post action="">
> <INPUT type="submit" name="button">
> <input type="hidden" name="test_Data" value="100">
> </form>
>
> So basically I want to prove hitting the form submit button sends me
> to the same page it is on, and passes some result back to it, and I
> can take it from there. Can this be done? :)

Assuming you have PHP on your server, try something like the following;

<form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
(rest of form...)
</form>

and anywhere else on your page...

<?php
// Escape the submitted value before echoing it back into the page.
if(isset($_POST["test_Data"])) {
print("<p>test_Data = ".htmlspecialchars($_POST["test_Data"])."</p>\n");
}
?>

Hope that helps.

Cheers,
Nige


--
Nigel Moss http://www.nigenet.org.uk
Mail address will bounce. ni...@DOG.nigenet.org.uk | Take the DOG. out!
"Your mother ate my dog!", "Not all of him!"


cf

Oct 19, 2007, 3:55:00 AM
let it be known on Fri, 19 Oct 2007 05:01:13 -0000
SaraLe...@gmail.com scribed:

My contact form here
<http://www.cnswallpaper.com/contact.asp>
does everything on the contact.asp, including the error page and sending the message to me (JMail on the server).

It's done in plain old .asp so a lot will depend what you have available on your server. I just capture the status=submit to have the page display the confirmation.

hth
--
cf <cfn...@NOcharterSPAM.net>
I may be dumb, but I'm not stupid.
Terry Bradshaw

Neredbojias

Oct 19, 2007, 4:18:45 AM
Well bust mah britches and call me cheeky, on Fri, 19 Oct 2007 05:01:13 GMT
scribed:

Of course it can be done - simply by setting the action parameter to the
url of the source page.

What you do with the data, however, will depend upon the scripting type you
opt to utilize. And you will need some scripting. My recommendation is to
look into php.

--
Neredbojias

Bergamot

Oct 19, 2007, 8:26:41 AM
SaraLe...@gmail.com wrote:
>
> So basically I want to prove hitting the form submit button sends me
> to the same page it is on, and passes some result back to it, and I
> can take it from there. Can this be done?

Not in HTML, but any server-side language will do it.

--
Berg

Jonathan N. Little

Oct 19, 2007, 10:26:41 AM
nice.guy.nige wrote:
> While the city slept, SaraLe...@gmail.com (SaraLe...@gmail.com)
> feverishly typed...
>
> [...]
>> <form method=post action="">
>> <INPUT type="submit" name="button">
>> <input type="hidden" name="test_Data" value="100">
>> </form>
>>
>> So basically I want to prove hitting the form submit button sends me
>> to the same page it is on, and passes some result back to it, and I
>> can take it from there. Can this be done? :)
>
> Assuming you have PHP on your server, try something like the following;
>
> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
> (rest of form...)
> </form>

I feel compelled to warn you all that you should *not* do the above
example. There is an XSS flaw in it. A safe example to demonstrate the
risk is to pass this to the example script:

http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be worried')%3C/script%3E%3Cfoo

You will get a harmless alert box, but there are a lot more nefarious
things that can be done. There is an easy fix though, don't use the raw
URL parsed by $_SERVER["PHP_SELF"].

$sanitized = htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion

Then use:

<form method="post" action="<?php echo $sanitized; ?>">


--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

BootNic

Oct 19, 2007, 2:29:58 PM
"Jonathan N. Little" <lws...@centralva.net> wrote:
news:46b3f$4718be9b$40cba7cb$16...@NAXS.COM:

>> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
>> (rest of form...)
>> </form>
>
> I feel compelled to warn you all that you should *not* do the above
> example. There is an XSS flaw in it. A safe example to demonstrate the
> risk is to pass this to the example script:
>
> http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be
> worried')%3C/script%3E%3Cfoo
>
> You will get a harmless alert box, but there are a lot more nefarious
> things that can be done. There is an easy fix though, don't use the
> raw URL parsed by $_SERVER["PHP_SELF"].
>
> $sanitized = htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion
>
> Then use:
>
> <form method="post" action="<?php echo $sanitized; ?>">

$_SERVER["SCRIPT_NAME"] may be an alternative.

--
BootNic Friday October 19, 2007 2:29 PM
The world is very different now. For man holds in his mortal hands
the power to abolish all forms of human poverty, and all forms of
human life.
*John Fitzgerald Kennedy, Inaugural Address*

Jonathan N. Little

Oct 19, 2007, 3:44:55 PM
BootNic wrote:
> "Jonathan N. Little" <lws...@centralva.net> wrote:
> news:46b3f$4718be9b$40cba7cb$16...@NAXS.COM:
>
>>> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
>>> (rest of form...)
>>> </form>
>> I feel compelled to warn you all that you should *not* do the above
>> example. There is an XSS flaw in it. A safe example to demonstrate the
>> risk is to pass this to the example script:
>>
>> http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be
>> worried')%3C/script%3E%3Cfoo
>>
>> You will get a harmless alert box, but there are a lot more nefarious
>> things that can be done. There is an easy fix though, don't use the
>> raw URL parsed by $_SERVER["PHP_SELF"].
>>
>> $sanitized = htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion
>>
>> Then use:
>>
>> <form method="post" action="<?php echo $sanitized; ?>">
>
> $_SERVER["SCRIPT_NAME"] may be an alternative.
>

Yes, but you would lose any legitimate query string parameters if this
was a GET process.

BootNic

Oct 19, 2007, 6:46:43 PM
"Jonathan N. Little" <lws...@centralva.net> wrote:
news:b7604$47190931$40cba7cb$32...@NAXS.COM:

Where would it go?

$_GET perhaps

--
BootNic Friday October 19, 2007 6:46 PM
Inform all the troops that communications have completely broken
down.
*Ashleigh Brilliant*

Jonathan N. Little

Oct 19, 2007, 11:50:45 PM
BootNic wrote:
> "Jonathan N. Little" <lws...@centralva.net> wrote:
> news:b7604$47190931$40cba7cb$32...@NAXS.COM:
>
>> BootNic wrote:
>>> "Jonathan N. Little" <lws...@centralva.net> wrote:
>>> news:46b3f$4718be9b$40cba7cb$16...@NAXS.COM:

>>>> <form method="post" action="<?php echo $sanitized; ?>">


>>> $_SERVER["SCRIPT_NAME"] may be an alternative.
>>>
>> Yes, but you would lose any legitimate query string parameters if this
>> was a GET process.
>
> Where would it go?
>
> $_GET perhaps
>

Duh! Of course. $_SERVER["SCRIPT_NAME"] also ensures trailing characters
are not parsed and removes that method of XSS. Also, if the server has
magic quotes enabled, that helps.
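
Added example, not part of any post in this thread: a PHP command-line script that replays the demonstration URL from Jonathan's warning and compares the three form actions discussed above (raw PHP_SELF, htmlentities() on PHP_SELF, and SCRIPT_NAME). The $_SERVER values are constructed by hand because the CLI has no web request, and render_form() and count_scripts() are hypothetical helper names.

```php
<?php
// Constructed request: the path portion of the demonstration URL from the thread.
$requestPath = "/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be worried')%3C/script%3E%3Cfoo";

// Assumption: simulate what the web server hands to PHP for that request.
// SCRIPT_NAME is the script's own path; PHP_SELF is the script path plus the
// URL-decoded trailing path info supplied by the client.
$server = [
    'SCRIPT_NAME' => '/risky.php',
    'PHP_SELF'    => rawurldecode($requestPath),
];

// Hypothetical helper: build the form from the thread around an action value.
// The value is inserted as-is, so any escaping must happen before this call.
function render_form(string $action): string
{
    return '<form method="post" action="' . $action . '">'
         . '<input type="hidden" name="test_Data" value="100"></form>';
}

// Hypothetical helper: parse the markup with PHP's DOM extension (libxml2,
// standing in for a browser's HTML parser) and count the <script> elements
// that end up in the document tree.
function count_scripts(string $html): int
{
    $previous = libxml_use_internal_errors(true); // tolerate malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc->getElementsByTagName('script')->length;
}

$variants = [
    'raw PHP_SELF'          => $server['PHP_SELF'],
    'htmlentities PHP_SELF' => htmlentities($server['PHP_SELF'], ENT_QUOTES, 'UTF-8'),
    'SCRIPT_NAME'           => htmlentities($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8'),
];

// Print each rendered form and how many script elements the parser found in it.
foreach ($variants as $label => $action) {
    $html = render_form($action);
    printf("%-22s script elements: %d\n  %s\n", $label, count_scripts($html), $html);
}
```

Run it with the php CLI (the DOM extension must be loaded). Any variant that reports a script element is one where the client-supplied path escaped the action attribute.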
