asp_web_howto thread: Automatically fill out HTML form
Message #1 by "Simon Garstin" <sgarstin@t...> on Tue, 26 Feb 2002 12:28:37
Hi
I've just come across a real brainteaser. I have a (recruitment) web site
which uses an HTML form to add a new vacancy and then a script to process
the data into the database.
Someone has just proved that it's possible to add a vacancy to the site by
automatically filling out the HTML form and then automatically submitting
it.
The only info required to do this was:
(1) the form URL and script processing URL
(2) the form fields - easily accessible by viewing the form and the source
code behind the html page.
(3) Appropriate username/password
They cannot FTP to my site, hence cannot change the form
No, there is no security breach - he has my permission to add vacancies, I
just can't work out how it's done.
The question is: how can one automatically fill out and submit an HTML
form in this scenario. The person has attempted to explain it and seems to
be saying that straightforward asp coding will achieve this...
Can't fathom this one....Any ideas anyone ?
Simon Garstin
Message #2 by "George Draper" <gdraper@c...> on Tue, 26 Feb 2002 10:17:25 -0500
Are you relying on any Session variables in the non-automated process?
>>> sgarstin@t... 2/26/2002 12:28:37 PM >>>
Hi
I've just come across a real brainteaser. I have a (recruitment) web
site
which uses an HTML form to add a new vacancy and then a script to
process
the data into the database.
Someone has just proved that it's possible to add a vacancy to the site
by
automatically filling out the HTML form and then automatically
submitting
it.
The only info required to do this was:
(1) the form URL and script processing URL
(2) the form fields - easily accessible by viewing the form and the
source
code behind the html page.
(3) Appropriate username/password
They cannot FTP to my site, hence cannot change the form
No, there is no security breach - he has my permission to add
vacancies, I
just can't work out how it's done.
The question is: how can one automatically fill out and submit an HTML
form in this scenario. The person has attempted to explain it and seems
to
be saying that straightforward asp coding will achieve this...
Can't fathom this one....Any ideas anyone ?
Simon Garstin
Message #3 by "Simon Garstin" <sgarstin@t...> on Tue, 26 Feb 2002 18:07:02
Yes, as it happens - but not in the automated process.
Don't see how this will necessarily enable him to call up the form and
submit it automatically though...
> Are you relying on any Session variables in the non-automated process?
>
> >>> sgarstin@t... 2/26/2002 12:28:37 PM >>>
> Hi
>
> I've just come across a real brainteaser. I have a (recruitment) web
> site
> which uses an HTML form to add a new vacancy and then a script to
> process
> the data into the database.
> Someone has just proved that it's possible to add a vacancy to the site
> by
> automatically filling out the HTML form and then automatically
> submitting
> it.
> The only info required to do this was:
> (1) the form URL and script processing URL
> (2) the form fields - easily accessible by viewing the form and the
> source
> code behind the html page.
> (3) Appropriate username/password
>
> They cannot FTP to my site, hence cannot change the form
>
> No, there is no security breach - he has my permission to add
> vacancies, I
> just can't work out how it's done.
>
> The question is: how can one automatically fill out and submit an HTML
>
> form in this scenario. The person has attempted to explain it and seems
> to
> be saying that straightforward asp coding will achieve this...
>
> Can't fathom this one....Any ideas anyone ?
>
>
>
>
> Simon Garstin
Message #4 by "Chris R. Thompson" <cthompson@n...> on Tue, 26 Feb 2002 11:50:25 -0700
If you have a form that has a field called "username" and by pressing
the submit button it sends it to another form. In the called form you
take the Request("username") field and load it into a DB. This is what
it sounds like to me you are doing. The called form does not care where
it came from. It just checks the request object for that field and it
works. Let's say the called form is called execute.asp. The same
variable could be passed in like this "execute.asp?username=bob" and the
code would take it like it came from a form. Not sure if I am getting
at what you want here, but hope it helps.
Chris
***************************
howto] Re: Automatically fill out HTML form
Yes, as it happens - but not in the automated process.
Don't see how this will necessarily enable him to call up the form and
submit it automatically though...
> Are you relying on any Session variables in the non-automated process?
>
> >>> sgarstin@t... 2/26/2002 12:28:37 PM >>>
> Hi
>
> I've just come across a real brainteaser. I have a (recruitment) web
> site
> which uses an HTML form to add a new vacancy and then a script to
> process
> the data into the database.
> Someone has just proved that it's possible to add a vacancy to the
> site
> by
> automatically filling out the HTML form and then automatically
> submitting
> it.
> The only info required to do this was:
> (1) the form URL and script processing URL
> (2) the form fields - easily accessible by viewing the form and the
> source
> code behind the html page.
> (3) Appropriate username/password
>
> They cannot FTP to my site, hence cannot change the form
>
> No, there is no security breach - he has my permission to add
> vacancies, I
> just can't work out how it's done.
>
> The question is: how can one automatically fill out and submit an HTML
>
> form in this scenario. The person has attempted to explain it and
> seems
> to
> be saying that straightforward asp coding will achieve this...
>
> Can't fathom this one....Any ideas anyone ?
>
>
>
>
> Simon Garstin
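The point made in Message #4, that the processing script accepts the same fields whether or not a browser form sent them, is why the checks have to live in the script itself. The sketch below is an added example, not code from the thread or the site discussed: it is written in Python rather than ASP so it runs stand-alone, and `new_session`, `render_form`, `process_vacancy` and the `title` and `token` fields are hypothetical names. The POST-only check mirrors reading `Request.Form` instead of the catch-all `Request(...)`, and the token ties a submission to a form the server rendered for a logged-in session; a scripted client that logs in and fetches the form first still passes, as an authorised user should.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the client


def new_session(user):
    """State the server keeps after a successful username/password login."""
    return {"user": user, "id": secrets.token_hex(16), "used": set()}


def _mac(session, nonce):
    msg = f"{session['id']}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_form(session):
    """Value for the hidden 'token' field, issued each time the form is rendered."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_mac(session, nonce)}"


def process_vacancy(session, method, query, form):
    """Hypothetical stand-in for the processing script; all checks are server-side."""
    if session is None:
        return "rejected: not logged in"
    # Read fields from the POST body only, never from the query string.
    if method != "POST" or query:
        return "rejected: fields must arrive in a POST body"
    nonce, _, mac = form.get("token", "").partition(".")
    valid = hmac.compare_digest(mac.encode(), _mac(session, nonce).encode())
    if not valid or nonce in session["used"]:
        return "rejected: missing, forged or replayed form token"
    # Validate the data itself; the HTML form's own limits are not enforced here.
    title = form.get("title", "").strip()
    if not 1 <= len(title) <= 100:
        return "rejected: invalid title"
    session["used"].add(nonce)  # one submission per rendered form
    return f"inserted: {title}"


if __name__ == "__main__":
    s = new_session("recruiter1")  # constructed sample user
    print(process_vacancy(s, "GET", {"title": "ASP developer"}, {}))
    print(process_vacancy(s, "POST", {}, {"title": "ASP developer"}))
    t = render_form(s)
    print(process_vacancy(s, "POST", {}, {"title": "ASP developer", "token": t}))
    print(process_vacancy(s, "POST", {}, {"title": "ASP developer", "token": t}))
```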
Message #5 by "Simon Garstin" <sales@o...> on Wed, 27 Feb 2002 16:02:59 -0000
Hi Chris,
thanks for taking the time to reply...
the snag is that in my scenario the called form you refer to is actually an
HTML web page with a form inside it - not an asp file.
To outline it more clearly stage by stage:
(1) User fills out Form1 on page1.htm and presses submit
(2) Data gets sent to page2.htm (note an HTML file not an ASP file) and (by
some mysterious process) the data populates the appropriate fields in an
identical Form2 on page2.htm.
(3) The 'submit' button is AUTOMATICALLY pressed on Form2.
(4) The data sent on to a processing script proc.asp for insertion into the
database etc..
** The user never sees page2.htm come up on the screen. **
The above scenario is of course pointless in itself - but it's simplified to
make clear what the real question is.
The question is - how do steps (2) and (3) take place ? It has been proved
to me that this is possible but I can't work out how.
Hope it is clearer.
Simon Garstin
----- Original Message -----
From: Chris R. Thompson <cthompson@n...>
To: ASP Web HowTo <asp_web_howto@p...>
Sent: Tuesday, February 26, 2002 6:50 PM
Subject: [asp_web_howto] Re: Automatically fill out HTML form
If you have a form that has a field called "username" and by pressing
the submit button it sends it to another form. In the called form you
take the Request("username") field and load it into a DB. This is what
it sounds like to me you are doing. The called form does not care where
it came from. It just checks the request object for that field and it
works. Let's say the called form is called execute.asp. The same
variable could be passed in like this "execute.asp?username=bob" and the
code would take it like it came from a form. Not sure if I am getting
at what you want here, but hope it helps.
Chris
***************************
howto] Re: Automatically fill out HTML form
Yes, as it happens - but not in the automated process.
Don't see how this will necessarily enable him to call up the form and
submit it automatically though...
> Are you relying on any Session variables in the non-automated process?
>
> >>> sgarstin@t... 2/26/2002 12:28:37 PM >>>
> Hi
>
> I've just come across a real brainteaser. I have a (recruitment) web
> site
> which uses an HTML form to add a new vacancy and then a script to
> process
> the data into the database.
> Someone has just proved that it's possible to add a vacancy to the
> site
> by
> automatically filling out the HTML form and then automatically
> submitting
> it.
> The only info required to do this was:
> (1) the form URL and script processing URL
> (2) the form fields - easily accessible by viewing the form and the
> source
> code behind the html page.
> (3) Appropriate username/password
>
> They cannot FTP to my site, hence cannot change the form
>
> No, there is no security breach - he has my permission to add
> vacancies, I
> just can't work out how it's done.
>
> The question is: how can one automatically fill out and submit an HTML
>
> form in this scenario. The person has attempted to explain it and
> seems
> to
> be saying that straightforward asp coding will achieve this...
>
> Can't fathom this one....Any ideas anyone ?
>
>
>
>
> Simon Garstin