Hidden name= fields question

  • Angus Comber

    Hidden name= fields question

    Hello

    I am working with an external perl script. I can submit something like
    this:

    <form target="mycart" action="https://www.website.com/cgi-bin/"
    method="post">
    <input type="image" src="https://www.website.com/btn/click-but.gif"
    border="0" name="submit" alt="Make payments with website!">
    <input type="hidden" name="add" value="1">
    <input type="hidden" name="cmd" value="_cart">
    <input type="hidden" name="business" value="online@mydomain.com">
    <input type="hidden" name="item_name" value="Widget 1 User (GB)">
    <input type="hidden" name="item_number" value="Widget1UK">
    <input type="hidden" name="amount" value="30.00">
    <input type="hidden" name="no_shipping" value="1">
    <input type="hidden" name="currency_code" value="GBP">
    <input type="hidden" name="lc" value="GB">

    Then I stick a button on my web page and that is fine.

    But I would rather make this dynamic. Eg I would have a dropdown box where
    user could select eg 1, 2, 3 etc User and amount would then be different
    value. Then when I post to the cart I can send the relevant amount,
    item_name, etc.

    I can create the dropdown no problem but how do I make sure the dynamically
    selected values are sent to mycart? eg rather than using:

    <input type="hidden" name="amount" value="30.00"> - which is static, I will
    have a variable called amount, where I dynamically set the value.

    Angus Comber


  • Jukka K. Korpela

    #2
    Re: Hidden name= fields question

    "Angus Comber" <angus@NOSPAMiteloffice.com> wrote:

    > <form target="mycart"

    Target Attribute Considered Harmful. It either opens a new window, or
    you are playing with frames. Both are _bad_. Don't do target, mm'kay?

    > <input type="image" src="https://www.website.com/btn/click-but.gif"

    Image Submit Buttons Considered Harmful. They win nothing but esthetics
    in the deeziner's eye, and they imply accessibility problems.

    > <input type="hidden" name="amount" value="30.00">

    Fine. Now I create a copy of your form, edit that element to contain,
    say, value="0.00", and order some stuff for free. If your script
    detects that, good for you. But then you didn't need that hidden field
    in the first place, did you?

    > But I would rather make this dynamic. Eg I would have a dropdown
    > box where user could select eg 1, 2, 3 etc User and amount would
    > then be different value.

    And what would be the problem with that, apart from the obvious?
    (The obvious part is that it is easier to users to type a number than
    to select an item from a dropdown list.)

    > I can create the dropdown no problem but how do I make sure the
    > dynamically selected values are sent to mycart?

    You can't, of course. HTML is no programming language. It's a poor
    lonesome data format.

    As usual, there will probably be someone who tells you to use
    JavaScript. I wish I were a more dishonest person and took advantage of
    such situations, ordering 1,000,000 widgets for the price of one simply
    by disabling scripting on my browser.

    --
    Yucca, http://www.cs.tut.fi/~jkorpela/
    Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html


    • Angus Comber

      #3
      Re: Hidden name= fields question

      Are you saying I need to do this in something like perl?

      Angus

      "Jukka K. Korpela" <jkorpela@cs.tut.fi> wrote in message
      news:Xns9679958C636CCjkorpelacstutfi@193.229.0.31...
      > "Angus Comber" <angus@NOSPAMiteloffice.com> wrote:
      >
      >> <form target="mycart"
      >
      > Target Attribute Considered Harmful. It either opens a new window, or
      > you are playing with frames. Both are _bad_. Don't do target, mm'kay?
      >
      >> <input type="image" src="https://www.website.com/btn/click-but.gif"
      >
      > Image Submit Buttons Considered Harmful. They win nothing but esthetics
      > in the deeziner's eye, and they imply accessibility problems.
      >
      >> <input type="hidden" name="amount" value="30.00">
      >
      > Fine. Now I create a copy of your form, edit that element to contain,
      > say, value="0.00", and order some stuff for free. If your script
      > detects that, good for you. But then you didn't need that hidden field
      > in the first place, did you?
      >
      >> But I would rather make this dynamic. Eg I would have a dropdown
      >> box where user could select eg 1, 2, 3 etc User and amount would
      >> then be different value.
      >
      > And what would be the problem with that, apart from the obvious?
      > (The obvious part is that it is easier to users to type a number than
      > to select an item from a dropdown list.)
      >
      >> I can create the dropdown no problem but how do I make sure the
      >> dynamically selected values are sent to mycart?
      >
      > You can't, of course. HTML is no programming language. It's a poor
      > lonesome data format.
      >
      > As usual, there will probably be someone who tells you to use
      > JavaScript. I wish I were a more dishonest person and took advantage of
      > such situations, ordering 1,000,000 widgets for the price of one simply
      > by disabling scripting on my browser.
      >
      > --
      > Yucca, http://www.cs.tut.fi/~jkorpela/
      > Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html
      >



      • Benjamin Niemann

        #4
        Re: Hidden name= fields question

        Angus Comber wrote:

        > Hello
        >
        > I am working with an external perl script. I can submit something like
        > this:
        >
        > <form target="mycart" action="https://www.website.com/cgi-bin/"
        > method="post">
        > <input type="image" src="https://www.website.com/btn/click-but.gif"
        > border="0" name="submit" alt="Make payments with website!">
        > <input type="hidden" name="add" value="1">
        > <input type="hidden" name="cmd" value="_cart">
        > <input type="hidden" name="business" value="online@mydomain.com">
        > <input type="hidden" name="item_name" value="Widget 1 User (GB)">
        > <input type="hidden" name="item_number" value="Widget1UK">
        > <input type="hidden" name="amount" value="30.00">
        > <input type="hidden" name="no_shipping" value="1">
        > <input type="hidden" name="currency_code" value="GBP">
        > <input type="hidden" name="lc" value="GB">
        >
        > Then I stick a button on my web page and that is fine.
        >
        > But I would rather make this dynamic. Eg I would have a dropdown box
        > where user could select eg 1, 2, 3 etc User and amount would then be
        > different
        > value. Then when I post to the cart I can send the relevant amount,
        > item_name, etc.
        >
        > I can create the dropdown no problem but how do I make sure the
        > dynamically
        > selected values are sent to mycart? eg rather than using:
        >
        > <input type="hidden" name="amount" value="30.00"> - which is static, I
        > will have a variable called amount, where I dynamically set the value.

        Just remove the hidden 'amount' element and replace it by a <select> with
        the same name, e.g.

        <select name="amount">
        <option value="1.00">One</option>
        <option value="10.00" selected="selected">Some</option>
        <option value="100.00">Many</option>
        </select>

        The CGI script does not know and does not care what kind of form
        control the amount value comes from.

        --
        Benjamin Niemann
        Email: pink at odahoda dot de
        WWW: http://www.odahoda.de/


        • kchayka

          #5
          Re: Hidden name= fields question

          Jukka K. Korpela wrote:
          > "Angus Comber" <angus@NOSPAMiteloffice.com> wrote:
          >
          >> <input ... alt="Make payments with website!">

          It's PayPal, obviously. ;)

          >> <input type="hidden" name="amount" value="30.00">
          >
          > Fine. Now I create a copy of your form, edit that element to contain,
          > say, value="0.00", and order some stuff for free. If your script
          > detects that, good for you. But then you didn't need that hidden field
          > in the first place, did you?

          I take it you're not familiar with the PayPal shopping cart.

          This is a downside of using the PayPal cart. PayPal doesn't have any
          "product" info except what is sent to it via form fields. PayPal does
          have an encrypted form data option, but it doesn't work dynamically.
          Thus if PayPal is generating the customer receipts, there aren't many
          choices.

          On the upside is that the PayPal cart isn't likely to be used for any
          kind of high volume business, so it's unlikely a cheater trying to get
          something for free would go unnoticed. The seller could just cancel the
          transaction. It isn't ideal, but is usable (for the seller).

          Now you know. :)

          --
          Reply email address is a bottomless spam bucket.
          Please reply to the group so everyone can share.


          • Jim Moe

            #6
            Re: Hidden name= fields question

            Angus Comber wrote:
            >
            > I am working with an external perl script. I can submit something like
            > this:
            >
            > <form target="mycart" action="https://www.website.com/cgi-bin/"
            > method="post">
            > <input type="image" src="https://www.website.com/btn/click-but.gif"
            > border="0" name="submit" alt="Make payments with website!">
            > <input type="hidden" name="add" value="1">
            > [...]
            >
            > But I would rather make this dynamic. Eg I would have a dropdown box where
            > user could select eg 1, 2, 3 etc User and amount would then be different
            > value. Then when I post to the cart I can send the relevant amount,
            > item_name, etc.
            >
            Do the dynamic part before arriving at this page. Use server-side
            scripting to verify and alter the values accordingly.
            As Jukka pointed out, though, your use of hidden fields makes it easy
            to send a modified form with all sorts of interesting entries. You'd be
            more secure against such an attack using a server-side data store (flat
            file, database) to hold the customer state info, and to generate and send
            the page to the cart.

            --
            jmm dash list (at) sohnen-moe (dot) com
            (Remove .AXSPAMGN for email)
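
Added example, not part of any post in this thread: a server-side handler of the kind Jim Moe and Jukka describe, which accepts only the item number from the browser, takes name and price from a server-side store, and reports any client-supplied field that disagrees. The function names, the `CATALOGUE` structure and the Widget2UK/Widget3UK entries and prices are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side price list (stands in for the flat file or database).
# Only Widget1UK and its 30.00 price appear in the thread; the rest is invented.
CATALOGUE = {
    "Widget1UK": ("Widget 1 User (GB)", Decimal("30.00")),
    "Widget2UK": ("Widget 2 User (GB)", Decimal("55.00")),
    "Widget3UK": ("Widget 3 User (GB)", Decimal("75.00")),
}


def same_value(key, sent, expected):
    """Compare amounts numerically (30 == 30.00), everything else exactly."""
    if key != "amount":
        return sent == expected
    try:
        return Decimal(sent) == Decimal(expected)
    except InvalidOperation:
        return False


def cart_fields(post_body):
    """Build the cart fields from a posted form body.

    Only item_number is trusted as a selector; name, price and currency come
    from the server. Returns (fields, mismatches), where mismatches lists the
    client-supplied fields that disagreed with the server's values.
    """
    posted = parse_qs(post_body, keep_blank_values=True)
    numbers = posted.get("item_number", [])
    if len(numbers) != 1 or numbers[0] not in CATALOGUE:
        raise ValueError("unknown or ambiguous item_number")
    name, price = CATALOGUE[numbers[0]]
    fields = {
        "item_number": numbers[0],
        "item_name": name,
        "amount": f"{price:.2f}",
        "currency_code": "GBP",
    }
    mismatches = []
    for key in ("item_name", "amount", "currency_code"):
        # A field repeated in the body is checked value by value.
        if any(not same_value(key, v, fields[key]) for v in posted.get(key, [])):
            mismatches.append(key)
    return fields, mismatches
```

A non-empty mismatch list is worth logging, since a form that posts only `item_number` never produces one.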


            • Jukka K. Korpela

              #7
              Re: Hidden name= fields question

              "Angus Comber" <angus@NOSPAMiteloffice.com> wrote:

              > Are you saying I need to do this in something like perl?

              Comprehensive quoting is a sure sign of lack of comprehensive reading.
              Please read what I wrote, instead of quoting everything. If problems
              remain, indicate which part you didn't understand, and ask a specific
              well-formulated question.

              But yes, that's more or less what I'm saying: you need to understand
              how forms work. See http://www.cs.tut.fi/~jkorpela/forms/ for clues.

              --
              Yucca, http://www.cs.tut.fi/~jkorpela/
              Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html
