I have GET Method. I want to pass something like Student_id in request but without showing it in URL. I know for that we use POST Method. But I dont want to use POST since I am getting someother issues.
If Student_id is something you don't want the user to have, then don't send it. Ever. There's no way to make it safe once it's in a user's hands.
Perhaps you can use a frame as a mask so the domain doesn't change whilst the form submits. You can sneak a REFRESH header in there for 0 seconds with the _top addition, making it nearly impossible for someone to follow your form's weaknesses.
You can't eat the cake and leave it whole.
Your best option is to encrypt the Student_id somehow, you can have your own simple method if it's not very sensitive data, and you can use more complicated algorithms but it can never be 100% safe.
Another option is to not submit the form at all, but AJAX instead to pass the values to server.
You can not do it.
First learn the difference between get and post method.
Get is used to query something with some parameter and post is used to create or update content in the server via http.
It is better using ajax get if you want to hide the parameters form the user.
Look at these link:
http://api.jquery.com/jQuery.get/
http://api.jquery.com/jQuery.ajax/
Cant help to wonder, what does this have anything to do with java.. However, to understand your problem. I would suggest that you use $_SESSSION or setcookie(); So before sending the user to another page, you would first save the user_id in some form.
Related
I have my client's e-shop, which is created by another company. I want to parse all the products and put them in an xml. I know how to get to the first page of each "brand" but I have difficulties passing the argument to change the page for the paginated results.
This is the e-shop "http://www.gialia.net.gr/ProductCatalog/20/CAR.aspx" that points to one brand.
When I user tamper-data on firefox I see that when you want to press the second-page of the results is posts the :
"__EVENTTARGET=ctl00%24wpmMain%24wp131820866%24wp512420601%24dpgTop%24ctl01%24ctl01"
the last string: "ct101" means go to page 2, If I change it to ct102 it goes to page 3 etc.
BUT i'm trying to create it as a GET request so I can create these parameters dynamically in my Java code and parse each responce. But when I create the url as:
http://www.gialia.net.gr/ProductCatalog/20/CAR.aspx?__EVENTTARGET=ctl00$wpmMain$wp131820866$wp512420601$dpgTop$ctl01$ctl02
I get no results.
Can someone please take a look and give me some suggestions?
The site you give us here is very poor in design concerning the search engines (SEO), and so the parse of the page one by one is too difficult.
To change page is make post back, and with javascript only. So you must do the same to move to the next page of the catalog, you need to make a full post back of the page with all the parameters.
Now, the page is so bad designed that the programmer have disable the __EVENTVALIDATION of the controls probably because he not let him do wrong things, so when you can tamper the data, but still you need to make post back. By simple type on the url one only parametre the code behind did not understand that is post back. You need to send and at least the Viewstate and the rest hidden parameters.
But isn't more easy to just get from your client access direct to the database and reads them from there ?
There's a case that the user change the parameters send to servlet through URL,
is there's any way to restrict user not to change paramters,
if not, how can I manage all parameters send to servlets? in a case they are many, is it reasonable to check each one in turn??
You can't restrict the user from sending you anything.
It is the server-side where you can add restrictions.
Usually you get only the parameters you need, so additional parameters should not bother you.
You definitely should check parameters send to your servlet. Thats basically what you do anyways since thats the way clients (such as webpages) communicate with your application.
The simplest way is to hash the parameters with some hidden secret, and pass that back with the URL, then compare the hash to the URL parameters to make sure they match.
Another way is to not use individual parameters, but encrypt them in to a encoded bunch of characters and the whole thing is decrypted on return.
The hash is easier to implement if you don't care that the user sees the actual parameters.
You cannot avoid someone from typing in the URL, but what you do in your servlet is filter the input recieved from the URL, with some java code.
Example:
Just found an interesting link where a Servlet Filter is used to filter out XSS attacks(As you see, there is no such code that avoids someone to type certain characters in the URL, or similar): Link
Simply put, you cannot stop the users from changing the parameters.
You must do input validation on all parameter values. If you have a variable that contains sensitive information, you do not put that on the URL. A really bad example: http://mydomain.com/myservlet?isAdmin=1. Information such as that needs to go into a session since that is stored on the server and out of the user's reach.
This question is related to a previous question
Passing Variable from page to page using ASP.NET (C#) without using QueryString
The difference in my case is that the request is coming from a different website (in java) to my website (in asp.net). I do not want the variable to appear in url.
Any suggestions !!
To explain my scenario, we are making a webpage(plugin), which can be called from any other website. To authenticate request, i am looking for a mechanism when other website will pass id & auth-key to my page. This i can use to authenticate the request. I do not want these variable to be visible.
A POST operation would work. The variable would still be part of the request, but it would not be readily visible to the user. I say "readily" visible because it won't be part of the requested URL, but it would be visible if they were to use a tool like Firebug. Short of sharing a database or some other form of "out-of-band" communication, I'm not sure it can be done any other way...
Well as chris mentioned doing a POST is the best way to achieve this. Else you can look at using javascript to achieve the same. Its pretty easy to use JS libraries to achieve the same.
Some of them that come to my mind are
a) Jquery
b) YUI
c) EXT (now Sencha i guess)
But I would definitely recommend jquery.
With jquery you have apis to do post operations. here is more on how to achieve the same.
http://api.jquery.com/jQuery.post/
Hope that helps.
I don't think it can be done without a query string. I know sessions won't work because sessions cannot be shared between Java, Asp, Asp.net, Php etc..., at least not nativly. If you have a database where you store the sessions, you can always use a session id in a query string and therefore simulate cross-language-sessions.
I am using wicket application to initiate my Java method in my code. I have the url as follows
http://localhost:8080/web/resources/org.apache.wicket.Application/StartMethod
I want to add an extra option at the end client=cutomser1
http://localhost:8080/web/resources/org.apache.wicket.Application/StartMethod?client=customer1
As I want these use the same code but for different customers
So when I run this URL from command promte it should fetch the Customer1 into my Java code
in this way..
String client = customer1
How can I implement this in Java. I mean I want to fetch this String name customer1
Wicket is strong in data binding and you should take advantage of that.
If you display in the browser data from Customer1, the Wicket knows that when you do requests from that page.
The translation of request parameters to variables happens behind the scene.
That is disconcerting at first but really powerful when used as intended.
I would suggest you select a good tutorial from the answer to this question and go through a couple of examples to see how things are done. This may take an afternoon but this will pay back for itself before the week is out.
I think I am a bit too late, but still I will say that you can use PageParameters in your page and you should make the page bookmarkable.
I'm trying to assign a js variable to java's request or session and want to access it from the server side. I dont want the js variable to be passed on in the URL. Help me, I'm seeking for a solution.
Thanks in advance
JavaScript only runs on the browser, it has no connection to the database except for ajax type calls.
But, you can add data to the post request for example from javascript, and that would get to the servlet, which is probably your best solution.
But, this really depends on which javascript library you are using, though, for more details.
I'm not sure if I understood your question. But if You want asynchronously manipulate "objects in browser" from server it is not possible directly.
There are workarounds, search for reverse ajax.
It sounds like you need to review the difference between GET and POST variable submission. GET will put it in the address (exmple.com/index.html?var=6) and POST will not. After that you'll have to look at your js library to determine how to direct what the variable hooks up to.
The typical most simple way is to use hidden input fields and have your JavaScript fill those input fields with the values you need. When your form gets submitted the hidden input fields will be accessibel in your Java