Marty --

...and then Marty Landman said...
% 
% At 06:06 AM 6/25/02 -0500, David T-G wrote:
% 
% >If the variables are in the page to be in the form to be
% >sent back via POST, then the user can find them, period.
% >
% >Try it yourself: set up something via POST and then surf to the page
% >and then "view source" or the equivalent in your browser (and if there
% >isn't an equivalent then find a browser, even if just for a moment,
% >that DOES have it) and look and see your data hanging right out there
% >for all to see.
% 
% David,
% 
% Sorry but I don't get what you mean here. When I have a page call a program 
% with info from a form being posted then the program picks up the data and 
% then creates whatever output web page is appropriate. The posted data comes 

Right.  That makes sense.  So you have something like

  page1       script            page2
  form   -->  think...      ->  some
    var1        process...        output

right?


% in via STDIN so unlike a GET where the data is actually part of the URL, in 
% a POST it isn't viewable from the browser.

When you have page1 loaded and you're about to press the submit button
to send it, and your secret var1, off to the script, don't; instead,
view the page source and you will see the form structure and the hidden
(note that "hidden" simply means "don't bother to try to display on the
page", not "secretly encrypted or made to disappear so that nobody can
find it") variable right there.


% 
% If I'm all wrong about this please give a specific example... and sorry if 
% I'm being thick. Also I'm not claiming that POST is safe as is, that's what 

I trust that the example above will either illustrate the problem *or*
clarify any confusion; it's certainly possible that I'm misunderstanding
the process you propose.

Your turn to tell me if *I* am being thick :-)


% SSL is to encrypt the data between the server and client and vice 
% versa. Only I don't get the exposure you're talking about. Didn't realize 
% that STDIN was part of the browser's viewable source code.

Well, the browser has to know what to send back to your script as STDIN,
no?  And if it knows what to send, then it must have that on the page
somewhere, no?  And if it's on the page somewhere then the user can see
it, no?


% 
% Marty
% 
% --
% SIMPL WebSite Creation: http://face2interface.com/Home/Demo.shtml


HTH & HAND

:-D
-- 
David T-G                      * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!

Attachment: msg05535/pgp00000.pgp
Description: PGP signature
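To make the round trip in the thread concrete, here is an added example (not part of the mailing-list exchange, and not anyone's production code) that builds page1 with a "hidden" var1, shows that the value is recoverable from the page source exactly as view-source would show it, builds the body the browser POSTs, and reads it back the way a CGI script does from STDIN. The HTML, the field values, the server key and the HMAC tamper check at the end are assumptions added here; the thread itself only says that POST hides nothing from the user.

```python
# Added example illustrating the thread: hidden form fields are visible in
# page source, the browser sends whatever is on the page, and a CGI script
# reads that body from STDIN.  page1/var1/script names follow the thread;
# the HTML, values and signing scheme are assumptions.
import hashlib
import hmac
import io
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for page1: a form with a "hidden" field.  Assumed content.
PAGE1 = """<html><body>
<form method="POST" action="/cgi-bin/script.cgi">
  <input type="hidden" name="var1" value="secret-value-42">
  <input type="text" name="comment">
  <input type="submit" value="Go">
</form>
</body></html>"""


class FormFieldParser(HTMLParser):
    """Collect every <input> name/value pair, hidden or not.  This is the
    same information "view source" puts in front of the user."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type") == "submit" or "name" not in a:
            return
        self.fields[a["name"]] = a.get("value") or ""


def fields_in_page_source(html):
    """What the user learns from view-source on page1."""
    p = FormFieldParser()
    p.feed(html)
    return p.fields


def browser_post_body(fields):
    """The application/x-www-form-urlencoded body the browser builds.  A user
    can build the same string by hand with any values they like."""
    return urlencode(fields)


def cgi_read_post(stdin, environ):
    """How a CGI script receives POST data: CONTENT_LENGTH bytes from STDIN."""
    n = int(environ.get("CONTENT_LENGTH", "0"))
    body = stdin.read(n)
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def submit(fields, tamper=None):
    """Simulate page1 -> script.  `tamper` is the user editing the form data
    before it leaves the browser, e.g. {"var1": "something else"}."""
    if tamper:
        fields = {**fields, **tamper}
    body = browser_post_body(fields)  # ASCII, so len() is the byte length
    environ = {"REQUEST_METHOD": "POST",
               "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "CONTENT_LENGTH": str(len(body))}
    return cgi_read_post(io.StringIO(body), environ)


# Assumed mitigation, not from the thread: the server signs var1 when it emits
# page1.  The value is still readable in view-source, but a changed value no
# longer matches its signature when the script gets it back.
SERVER_KEY = b"assumed-server-side-secret"  # never sent to the browser


def sign_field(value, key=SERVER_KEY):
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def verify_field(value, sig, key=SERVER_KEY):
    return hmac.compare_digest(sign_field(value, key), sig)


def signed_page1_fields(var1):
    """Fields the server would put into page1 under the signed scheme."""
    return {"var1": var1, "var1_sig": sign_field(var1)}


def script_accepts(posted):
    """The script's check on the POSTed data."""
    return verify_field(posted.get("var1", ""), posted.get("var1_sig", ""))


if __name__ == "__main__":
    print("view-source shows:", fields_in_page_source(PAGE1))
    print("script reads:", submit(fields_in_page_source(PAGE1)))
    print("tampered but unsigned, script cannot tell:",
          submit(fields_in_page_source(PAGE1), tamper={"var1": "other"}))
    print("tampered but signed, accepted?",
          script_accepts(submit(signed_page1_fields("secret-value-42"),
                                tamper={"var1": "other"})))
```

The unsigned round trip is the situation the thread describes: the script has no way to know whether var1 came from page1 or from a hand-built request, and SSL does not change that, since it only encrypts the same body in transit. Signing the field (or keeping the value server-side and sending only an opaque token) is what turns "the user can read it" into "the user can read it but cannot change it unnoticed".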
