I have previously used PHP CURL to submit web forms by using the post URL.
I'm trying to automate the process of logging into a website, I can't change server side code.
The submit button on the HTML form uses the action of javaScript:submitForm() how can I submit information to this form using PHP.
Is CURL still an option?
Thanks!
You'll need to find the function declaration for submitForm and see where it is posting to. Then you can use php and curl to submit.
Edit:
Since the submitForm function doesn't change the form action, you can still use the action in the form tag.
Regardless of how client-side code is crafting the form submit, it still needs to send an HTTP request to the server. If you can do this manually by interacting with the site in question, then capture that request using browser debugging tools (FireBug, Chrome dev tools, etc.). That should have all of the information needed to craft a custom request of your own.
Note, however, that the website in question might have measures in place to prevent something like this. Especially if they're using a framework that handles the form posts for them (such as ASP.NET WebForms or anything like that). They may be emitting a form field to the page which contains a one-time-use token to be validated in the subsequent form submit request. If that's the case, any time you want to craft an automated form submit you'll first need to craft an automated request to parse out that token so you can use it in your submit.
If they take even more involved measures to prevent what you're doing, then you're going to have more of an uphill battle automating it.
Related
I am building a web app that contains a form. Currently, the user enters data into this form, which is saved in my database. Then the user opens a 3rd party website where it enters a subset of the exact same data into a form on that website.
Ideally, on submitting the form on my website, I would like to open the 3rd-party website in an iframe with its form prepopulated with the data already collected from my form. The obvious goal is to prevent the user from having to enter this same data twice, first on my form and second on the 3rd party form. Another benefit would be the lack of focus from my site as the user would need to complete additional steps after submitting the form on the 3rd party site.
I know that there are ways to prepopulate forms on other websites. For instance, Google Forms allows for forms to be prepopulated by passing values to the corresponding inputs' name attributes in a query string. Here's an example I created to demonstrate this (notice the query string.): https://docs.google.com/forms/d/e/1FAIpQLScqua9AJLvRgCuH8o-XfAGeZcbue9ND7a4z2JM5EcAuVqAwag/viewform?vc=0&c=0&w=1&entry.2020941857=Whatever+and+whatever&entry.473490210=foobar
Unfortunately, the "target" website does not appear to handle the incoming GET requests in a similar manner, which obviously should come as no surprise. Of course, it can't always be that easy. I can't even manipulate the values of the inputs in the target website's form by manipulating the DOM using Chrome DevTools (not that I would have any real understanding how that would help me even if I could).
Furthermore, the form doesn't even submit using an action attribute. Instead, here are the form and button elements that I admittedly don't understand (omitting some attributes for brevity's sake):
<form name="theForm" ng-submit="submitForm(theForm.$valid)"
no-submit-on-enter="" novalidate="">
<button class="btn btn-full ng-binding" type="submit" id="send-form"
track-event="{category: 'theFormSubmit', action: 'clicked'}"
skip-click-tracker=""> Submit </button>
</form>
I have also tried using DevTools to watch the headers as I submit information using the form. The headers don't appear to change when I click the button. In fact, there appears to be no activity at all in the Network tab when I click the button. I don't see any "Form Data" at all. But it's possible I'm misunderstanding what I'm seeing.
For what it's worth, it appears that the target relies heavily on Angular.js, which I know practically nothing about, so I'm not sure if its even relevant. I also am aware that iframes cannot be manipulated by javascript on my site unless it is of the same domain, which it is not. I briefly looked into phantom.js, but (from the little I understand) it appears that there would be an issue with maintaining the user's session on the target site. A reload would be required which would wipe out the prepopulated data defeating the entire purpose.
Anyway, I'm left wondering if there is some way to achieve my goal using PHP curl or really anything. As a side note, in case it is not already obvious: I do not have access to the full source code of the target website nor will I likely be able to obtain access to it.
UPDATE:
Using DevTools Network Tab, I again tried submitting the form with one of the inputs being the first name of Jude. I was finally able to isolate the header that contained the information by filtering by "Jude". The redacted header info and request URL are below:
I feel like I am finally getting somewhere. Based on the above, I feel that I might actually be able to submit the form data to the 3rd party website (sidestepping the actual entering and submitting of that website's form). Because I was using the UI, I could see that the form was submitted successfully, and I had visual cues for how that information was being dealt with. However, the HTTP 204 header (No Content) seems to indicate that if I send the information programmatically, there will be nothing returned for me to analyze success or failure of the form nor how the information is being dealt with. Ultimately, in the end, this may all be a red herring regardless because I am not sure how I would deal with the browser_session_id part of it anyway.
If you are using an iframe you might be out of luck, since browser cross origin policies will deny your JavaScript from tampering with the DOM in the IFRAME.
If the target website is simple enough, you can proxy over the whole form request and responses, cookies, and headers thorough your server (especially if you are using PHP) and then you are free from cross origin problams since the browser will see them as one origin
then you could access the iframes DOM
window.frames[0]...
or the anguler scope using
angular.element("#appname").scope()
I would like to ask this because if no quite sure that it secure.
I am planning on changing my page to ajax based registration. So my data will be inserted using jquery ajax post.
But if someone uses firebug and see where my post is being sent, they can use other form of firefox addons to post data on that url and can easily register without going to my page.
Although I can validate the request first where it is comming from though but that would be extra codes and work.
I will also add server validations for my form since someone can register without validation using the direct url that they will see on firebug.
I just wanted to know if there is already a standard procedures in applying ajax based data post.
But with ajax based select / fetch is cool and very useful.
Currently this is what I am planning on doing on my registration page.
validate that all request's must come from my registration page.
might use a transaction / request code
might use cookie
might use session
might use date time comparisson
if validation fails I should have a form validation on server side
to clean my the posted data before inserting to db
Never trust a UI.
Whether you do an Ajax post or a standard post, people can figure out what you are posting and create their own client. Even if you use https, the person controlling the browser can see what is posted and decipher the protocol.
You need to create your service so that it is not vulnerable to a user handcrafting a client.
If a user can use their browser to register on your site via Ajax, they can spoof the registration using some other programming language. There isn't anything you can do to make it so they can only register from your site via Ajax.
You can implement tricks to make it difficult for them to figure out, but you can't make it impossible. They can spoof the referrer, load other pages to get the required cookies/session variables, spoof Ajax request headers etc.
When my form loads on the page, the submit button is disabled by default. Is it possible for a user to submit the form with this submit button disabled? (Either maliciously or by accident.)
I ask because I have the form information being validated by Javascript upon submit, but I of course am validating the information in my PHP script. That being said, do I need to really validate that information on the server side? The submit button becomes enabled via Javascript. So, if a user disables JS (thus getting by the JS validation), can they even submit the form? My guess is no, but I am looking for a firm answer.
If the answer is no, then I don't really need to do the PHP validation because the user CANNOT get by the JS validation, correct?
Thank you!
Yes, the person can "submit the form" even if it is disabled. He can submit it even if there is no form at all. He can simply send an HTTP request to the page that processes the form with the needed fields. It is highly discouraged to rely on JavaScript for validation.
A user can bypass a disabled submit button, and any client side restrictions for that matter. There is no such thing as client side security. To deal with hackers, you must always put your validation on the server side. Client side validation is just for appearances.
To be specific, they could bypass the disbaled submit button in the following ways:
Enabling it via a JavaScript console (e.g Firebug)
Enabling it via editing the DOM.
Just sending an HTTP request directly without using the form
Yes. There are a number of ways. If the form has a text field, it can be submitted using the return button (unless you actively prevent that using JavaScript). Also, any halfway clever user can use FireBug or some other tool to edit the source of your page on the fly and enable the submit button if they like.
You need to validate on the server side also. Just in case if javascript is off in the client side, or he tampers with the code using firebug and other similar tools.
Assume the user has complete control of the client side, and can read and write whatever he wants over the network using browser/scripts/command line apps/etc...
This means you must validate server side to be sure of sanitized response.
I'm preparing my paypal system and have a separate page that forwards the user to paypal. This page currently creates a form with all the needed hidden fields and then submits itself using
<body onload="form1.submit()">
However, when Javascript is not activated, the user gets stuck at this page.
What other method could I possibly use directly in PHP to solve this problem?
Just do the relevant request in PHP, for example using the curl binding.
PHP uses the header() directive, in which you can forward someone to another url. Not sure about your other information. If PayPal allows that to be sent in the GET string, this could work for you. If it has to be POST, then you're probably out of luck.
Or, you can use the cURL library if PayPal returns a url for you to forward the user to.
Another option may be to allow the user to physically click the submit button for the form, and use JS to hide the form itself or something.
PHP runs on your server, so without an intermediate language (like JavaScript), you are out of luck.
When you view a PHP page, the PHP engine runs the code, gets the output, and serves a plain ol' HTML page to the user. The user never interacts directly with the PHP code, only with the output.
As indicated before, you can fall back on a header() redirect with GET parameters.
header('Location: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=youremail#example.com&amount=1¤cy_code=USD');
Just append the URL with any parameters you need in name=value pair format, a list of which you can find here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_Appx_websitestandard_htmlvariables
Why not just provide a more manual solution for users with Javascript disabled?
E.g. if the user has Javascript disabled, just show a submit button where they can manually move themselves along to PayPal?
Presumably, users with Javascript disabled are somewhat accustomed to a lower quality of service across the web.
So I am very new to this concept.
So why not go headfirst :) Some things I don't understand;
What happens if js is disabled?
If using mysql databases (ie; checking forms and such) why not just use php?
To confirm what others have said, disabling Javascript will also disable the AJAX call. After all, AJAX stands for "Asynchronous Javascript and XML".
To address why you can't just use PHP, there are some things that just can't be done without it. PHP is great to load the page with the initial information, but after the page is loaded, it actually requires the page to be reloaded to load something else. AJAX allows you to get around this hassle.
For your example of form validation, AJAX can be used to validate the information while the person is filling it out. Otherwise, you are required to reload the page each time someone fills out another field in the form.
Another example is from a project that I have worked on. The form required a zip code and would load the appropriate city and county based on the inputted zip. Using strict PHP, I would need the client to download the entire zip table embedded in the HTML/JS (which would add another 100k at least to the download).
Using AJAX, I can get around this. The user can input the zip code, which triggers an AJAX call that downloads the few rows that I need (this will be less than a few hundred bytes, for comparison).
[Edit:] Also, a tip because you said that you were new to AJAX. If your dealing with some form of authentication (logging in, etc.), remember to validate the user on the AJAX pages themselves. Otherwise, tricky users will be able to access sensitive information for your database.
Ajax just adds to the user experience and allows a web application to feel more like a desktop application to users. So they can delete a record and stay on the same page without reloading, you just let the record disappear.
And remember to validate on the server-side, even if you validate on client-side. Your weakest at your client-side as someone can easily just submit the values straight to your script so ALWAYS check on the server-side and do client-side if you would like to add some nice effects etc.
But you will always need to keep in mind that there are people out there who have javascript disable be it a security policy or just because their paranoid. So when you don't have JS enabled you javascript and AJAX requests won't work. So while developing you will need to make sure that if javascript is not their to do the operation that the form is submitted just like a normal HTTP form, this will allow all those paranoid people to also use your application :D.
OR you could always just deny access to those who don't have Javascript enabled but that's not very nice ... So if you want to check if they have javascript enabled checkout - http://www.w3schools.com/TAGS/tag_noscript.asp - for a example.
AJAX is a Javascript client based technology. If js is disable it simply doesn't work.
Php is a server based technology.
In Php you write pages that are dinamically built by the server. Once built they are sent as html to the client.
Using javascript (and Ajax) you can call the server just to request some datas (hint: look at JSON) or just a little html snippet which is plugged in the current page directly by the browser without requesting a full refresh from the server.
With js and AJAX you can achieve a very rich client experience without reloading a full page every time.
I believe nothing will happen if js is disabled. You need js to grab the data.
If you want to use mysql databases, you can use js to access a php script, which can then return any data gathered from a database, rather than doing it in the page.
AJAX is a way for Javascript (client side) to access PHP/ASP/Whatever serverside language you are using. This means, that if you have an PHP script for getting some data from your MySQL database, and want to run that script when the user clicks some random button, AJAX can do that (async)m and you wont have to reload you page to execute the PHP script.
If Javascript is diabled, AJAX won't work.