CODEWITHSUNDEEP
javascriptphphtml
ax752
ax752

Reputation: 142

POST request with href

I'm trying to make a post request with href requests( I need my page to redirect to the page after with a parameter in the url) Here's the code that checks the POST request if it can help:

if ($_POST['pw'] == 'password') {
    echo ('<iframe height="100%" width="100%" scrolling="no"  src="html/book.html?pw=passcode&ver=2014_09_29_11:08&" allowfullscreen webkitallowfullscreen mozallowfullscreen />');
} else {
    die ("<h1>Access Denied !</h1>");
}

Upvotes: 0

Views: 6607

Answers (3)

Billy
Billy

Reputation: 2448

if ($_POST['pw'] == 'password') {
    header('location:#####FULL URL HERE#######');
 else {
    die ("Invalid password");

Upvotes: -1

lxg
lxg

Reputation: 13107

With plain HTML, you cannot send a href request as POST, they are GET requests by definition.

But, you could use JavaScript to intercept the call and submit a hidden form. Here's an example. I'll use jQuery, but of course this can also be done with plain JS.

<a href='somepage.php' id='mylink'>link text</a>

In the JS, we catch the click event and insert a form on the fly which we will send via POST afterwards. Of course, you don't need to generate the form with JS, you can as well insert the form as plain HTML directly into the page.

$("#mylink").click(function(event){
  event.preventDefault(); // don't "execute" the link

  var $form = $("<form action='somepage.php' method='post' style='display: none' target='_blank'>" +
    "<input type='hidden' name='foo' value='bar' />" +
    "<input type='submit' />" + 
    "</form>").appendTo($('body'));

  $form.submit();
});

As you're composing the template in PHP anyway, you can insert the correct input elements and the action attribute of the form on the server side.

The sophisticated way, however, would be to parse the URL in the href attribute of the link. But that's a whole different topic, so I'll omit that for the sake of brevity.

Security warning: It is of course a good idea not to send passwords via GET requests. However, this solution expects that JS is enabled on the user's browser. If it isn't, or the code doesn't work, the request will be sent via GET anyway.

The proper way would be to use a real <form> element or AJAX to send post requests.

Upvotes: 1

Sammitch
Sammitch

Reputation: 32232

No, you cannot make an HTTP POST request with either a src or an href attribute, only HTTP GET requests can be made this way.

GET requests pass their parameters in the URL via the query string and have empty request bodies. They look like:

GET /page.php?var1=foo&var2=bar HTTP/1.1
Host: www.example.com

POST requests pass their parameters in the request body. They look like

POST /page.php HTTP/1.1
Host: www.example.com

var1=foo&var2=bar

You may make a POST request that also includes GET parameters, but this is technically bad practice and relies on having tolerant web servers and CGI gateways that allow this. eg:

POST /page.php?var1=foo HTTP/1.1
Host: www.example.com

var2=bar

Given the context of your question it should be mentioned that POST requests are only marginally more secure for password transmission because they do not include the password in the query string which might be logged by the server or stored in the history of the browser. However, they are still transmitted in plain text,which should be apparent from the above examples.

Use SSL.

Additionally, any information returned to the client will likely be cached in the browser, so sending back <iframe src="/page.php?password=foobar ...> is also very bad security practice. Use sessions for local authentication and passwordless authentication schemes like OAuth for remote authentication.

Upvotes: 2

Related Questions