Validation before posting to an external site


Stuart Dodds

Apr 5, 2016, 12:42:03 PM
to Mojolicious
Currently I have a plain HTML form on my site which does a simple POST request to an external site.

I would like to add a captcha to this form to stop possible robots abusing it. That means that the captcha validation must be done on my end before the form is submitted to the external site. So I have changed the form method to point to a route on my site which handles the validation and captures all the values from the original form.

However, once the validation has passed, I am not sure how to then issue the original POST request to the external site as well as redirecting the user along with the request. Is there a way I can do this? 

Thank you,

Stuart


Heiko Jansen

Apr 6, 2016, 4:56:01 AM
to Mojolicious
On Tuesday, 5 April 2016 at 18:42:03 UTC+2, Stuart Dodds wrote:
> However, once the validation has passed, I am not sure how to then issue the original POST request to the external site as well as redirecting the user along with the request. Is there a way I can do this?

1) You could send an HTTP 307 redirect to your user with the URL of the external site; since all data from the form will be re-sent by the browser, the external site will also receive the captcha info - which may or may not cause problems.
2) Depending on the external site you could also make the POST request to the external site yourself and forward the response to your user; obviously that will not work if the external site requires a cookie or some other authentication from the user or if there are additional interactions to be performed by the user after receiving the result. If the external site responds to the POST request with a GET redirect you can send your user there by re-using the URL for your own HTTP 303 redirect.
3) A more fragile approach would be you returning a page with the verified and cleaned-up data in an HTML form plus some JavaScript to automatically submit that form to the external site once it loads in the browser of your user.

Of course, since with solutions 1 and 3 the data exchange happens directly between your user and the external site, any validation and sanitation you perform is essentially moot, since there's nothing preventing a malicious user from tinkering with it even after it was checked by you.

HTH
- Heiko

Stuart Dodds

Apr 6, 2016, 6:18:01 AM
to Mojolicious
Hi Heiko,

Thanks for getting back to me. Just to make things a little clearer, the external site is PayPal and the form I am trying to validate with a captcha is a PayPal "Buy now" button, which is more or less just a submit button with a bunch of hidden fields, but then requires the user to interact with the PayPal site to complete the purchase.

First of all, it never even crossed my mind to try to change the form method to GET until you mentioned it in your second point. So I tried it out and it worked! Now I can build the URL after the successful validation and use the redirect_to method to send the user off to PayPal with the required parameters...thanks for the suggestion!

> 1) You could send an HTTP 307 redirect to your user with the URL of the external site; since all data from the form will be re-sent by the browser, the external site will also receive the captcha info - which may or may not cause problems.

Just out of curiosity, when I read your first point it sounded like exactly what I needed...and if I can figure out how to implement it, it may be preferable to displaying all the hidden parameters to the user in the URL field. How exactly can I do the 307 redirect? Is it something that I can trigger with Mojolicious?

Many thanks again!

sri

Apr 6, 2016, 6:48:34 AM
to Mojolicious
> How exactly can I do the 307 redirect?

Heiko Jansen

Apr 6, 2016, 8:47:08 AM
to Mojolicious
On Wednesday, 6 April 2016 at 12:18:01 UTC+2, Stuart Dodds wrote:
> First of all, it never even crossed my mind to try to change the form method to GET until you mentioned it in your second point. So I tried it out and it worked! Now I can build the URL after the successful validation and use the redirect_to method to send the user off to PayPal with the required parameters...thanks for the suggestion!

To be precise, I actually never mentioned transforming the _submission_ of the form to a GET request (or a redirect employing a GET request)!

Requests changing server-side state should be POST requests, plus you don't want to have the parameters show up in the URL field of the browser, webserver logs etc.

_IF_ you could send the POST request from your server to the external site (no authentication issues etc.) and _IF_ the external site used a Redirect-after-POST strategy, _THEN_ you could have re-sent the redirect URL received from the external site (as answer to your POST request) onwards to your user. That's what I tried to describe in strategy 2 - so there's quite a few preconditions to meet to make strategy 2) a viable solution...

Heiko
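As an added illustration of strategies 1 and 2 from Heiko's first reply and the preconditions in his last one (this is not code from the thread or from Mojolicious' own documentation), a Mojolicious::Lite app with one route per strategy. The external URL, the hidden fields and the captcha check are placeholders; it assumes the external site needs no user cookie for the server-side POST and redirects within its own host.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;
use Mojo::URL;
use Mojo::UserAgent;

# Placeholder external endpoint (assumed; not the real checkout URL)
my $EXTERNAL = Mojo::URL->new('https://external.example/checkout');

# Separate UA so max_redirects(0) does not alter the app-wide one
my $ua = Mojo::UserAgent->new(max_redirects => 0);

# Placeholder captcha check: a real deployment verifies the token with the
# captcha provider here instead of comparing against a fixed answer.
sub captcha_ok {
  my $c = shift;
  return ($c->param('captcha_answer') // '') eq '7';
}

# Strategy 1: HTTP 307 makes the browser repeat the same POST (method and
# body unchanged) at the external URL. The captcha field travels along, and
# the hidden fields stay editable by the user, so the external site must
# still validate them itself.
post '/checkout' => sub {
  my $c = shift;
  return $c->render(text => 'Captcha failed', status => 403) unless captcha_ok($c);
  $c->res->code(307);          # redirect_to keeps an already-set 3xx status
  $c->redirect_to($EXTERNAL);
};

# Strategy 2: the server POSTs the verified fields itself and, if the
# external site answers with a Redirect-after-POST, sends the user on
# with a 303. The captcha answer never leaves this server.
post '/checkout_proxy' => sub {
  my $c = shift;
  return $c->render(text => 'Captcha failed', status => 403) unless captcha_ok($c);
  my $form = $c->req->body_params->to_hash;
  delete $form->{captcha_answer};
  my $res  = $ua->post($EXTERNAL => form => $form)->res;
  my $loc  = $res->headers->location;
  my $code = $res->code // 0;
  # Forward only a redirect that stays on the external host, so an
  # upstream response cannot turn this route into an open redirect
  return $c->render(text => 'Unexpected upstream response', status => 502)
    unless $code >= 300 && $code < 400 && $loc
      && Mojo::URL->new($loc)->host eq $EXTERNAL->host;
  $c->res->code(303);
  $c->redirect_to($loc);
};

app->start;
```

Run with `perl app.pl daemon` and POST the form fields plus captcha_answer to either route.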