Solved

Passing param settings in as a parameter value in <A>

Posted on 1998-09-02
19
287 Views
Last Modified: 2013-12-25
This question is really an HTML one, but it also involves CGI, hence my posting it here.

I want to create an <A> link that passes as a parameter values, some values that will be passed to a further page. For example, normally I would have some like this in my page:

<A HREF="/cgi/cgiproc?nocfile=/manage/bdy_ip.htm&sPage=bdy_hlth.htm&sPageDesc=%22Health+Check%22&sPageIcon=/img/healthck.jpg" target="_self">Other</A>

Here I'm passing parameters called:
  sPage
  sPageDesc
  sPageIcon
with respective values of:
  bdy_hlth.htm
  %22Health+Check%22  (equivalent to "Health Check")
  /img/healthck.jpg

What if I want to pass a parameter with the name:
  sReqParams
and the value (containing settings for two other parameters)
  sLogin=Configure&sDN=Du=Employee,+ou=QA,+o=My+Corp,+c=US::4

So that the HTML page can use the value of sReqParams when calling another page to pass the value for sLogin and sDN parameters to the second page.

I've tried various quoting strategies and nothing seems to work.
0
Comment
Question by:bernfarr
  • 9
  • 4
  • 3
  • +3
19 Comments
 
LVL 1

Expert Comment

by:Patricia080698
ID: 1828465
This is easy to do. All you need to do is add inside your <form...> an input field that is hidden. For example,
<form...>

<input type="hidden" name="sReqParams" value="insert the value   here">

</form>

Now when you send this form through submit, a field named sReqParams will be sent to with the value that you assined to it.
If you have any questions don't hesitate and post a comment. Best of luck to you.
0
 
LVL 84

Expert Comment

by:ozo
ID: 1828466
<A HREF="/cgi/cgiproc?sReqParam=sLogin%3dConfigure%26sDN%3dDu%3dEmployee,%2bou%3dQA,%2bo%3dMy%2bCorp,%2bc%3dUS::4"
 target="_self">Other</A>
0
 
LVL 8

Expert Comment

by:jbirk
ID: 1828467
bernfarr,
I think the easiest way to do something like this is to have javascript do your url encoding for you.  So your <A HREF would be:
<A HREF="JavaScript:assemble_url()">link</A>
And then a function named assemble_url() which calls
escape() on any strings you want appended to the url and then appends them all together and does a:
location=assembled_url;

Does that make any sense?
I think it's the easiest way!
Best of luck!
-Josh
0
 
LVL 2

Author Comment

by:bernfarr
ID: 1828468
Patricia

Using a Hidden won't work because I'm getting to the other page via a URL in a <A>...</A> tage. The hidden variables don't get passed to the new locaiton. (It would make things messy if they did in general, because hyperlinks to a new location would potentially swamp that location with a load of unexpected parameters)

Bernard
0
 
LVL 2

Author Comment

by:bernfarr
ID: 1828469
ozo

I tried your suggested approach before I entered this question. I've also tried enclose the required value in single quotes, with no luck.
0
 
LVL 8

Expert Comment

by:jbirk
ID: 1828470
Have you tried my suggestion yet?
If you need help, I can write up the javascript function for you, but I know you are a capable javascript programmer.  The key in this case is applying the escape() function to each name and value and then appending them all together with the '&' and '=' symbols.
-Josh
0
 
LVL 2

Author Comment

by:bernfarr
ID: 1828471
Hi Josh

I'm experimenting with it right now. Some of the value components are assembled on the server at page build time, and then I'm using JavaScript to try and assemble a new target value for the link object. Because of the strangeness of our CGI language (it's home grown and fairly primitive) I'm trying to use hidden variables to pass in the arguments, rather than in the function call itself and this is causing some errors. Anyway, I'll know fairly soon whether or not it works.

Bernard
0
 
LVL 2

Author Comment

by:bernfarr
ID: 1828472
I've completed an experiment, with no success. Of course the problem could be in how our HTTP server interprets the arguments. I have no way of testing it out on a more 'normal' server.

I have the following JavaScript code:

function escapeParams(theField)
{
      var theForm = document.dataForm;
      var theLink = document.links[0];

      var Params = theForm.varParams.value;
      var escParams = escape( Params );
      var newHref = '';

      newHref += theLink.protocol + '//';
      newHref += theLink.hostname + '/';
      newHref += theLink.pathname;
      newHref += theLink.search;
      newHref += '&sReqParams=' + escParams;

      st = 'Params [' +  theForm.varParams.value + ']<BR>';
      st += 'escParams [' +  escParams + ']<BR>';
      st += 'Before [' + theLink.href + '] <BR>  After [' + newHref + ']';


      var nw = window.open( "", "Debug_Output", "resizable,width=500, height=300" );
      var d = nw.document;
      d.write('<HTML><head></head><BODY>' + st + '</BODY></HTML>' );
      d.close();

      theLink.href = newHref;
}

The values output in the debug window are:
Params [svELogin=Configure&svGKey=ou=Employee, ou=QA, o=Bay Networks, c=US::4]
escParams [svELogin%3DConfigure%26svGKey%3Dou%3DEmployee%2C%20ou%3DQA%2C%20o%3DBay%20Networks%2C%20c%3DUS%3A%3A4]
Before [http://bftarget/manage/cgi/cgiproc?nocfile=/manage/bdy_filt.htm&sReqPage=bdy_grp.htm&sReqPageDesc=%22Groups+Page%22]
After [http://bftarget/manage/cgi/cgiproc?nocfile=/manage/bdy_filt.htm&sReqPage=bdy_grp.htm&sReqPageDesc=%22Groups+Page%22&sReqParams=svELogin%3DConfigure%26svGKey%3Dou%3DEmployee%2C%20ou%3DQA%2C%20o%3DBay%20Networks%2C%20c%3DUS%3A%3A4]

and the appropriate HTML code for the hidden and link declarations are:
<input type=hidden name="varParams" value="svELogin=Configure&svGKey=ou=Employee, ou=QA, o=Bay Networks, c=US::4">
<A HREF="/manage/cgi/cgiproc?nocfile=/manage/bdy_filt.htm&sReqPage=bdy_grp.htm&sReqPageDesc=%22Groups+Page%22" name="toFilters" onClick="escapeParams(this)" target="_self">Add Filter</A>

Anyone care to try and cobble together some code and see what happens with their server?

0
 
LVL 8

Expert Comment

by:jbirk
ID: 1828473
As a side note, using the onClick to change the href may not be as browser safe.  You might be better off making it like this:
<A HREF="JavaScript:escapeParams('/manage/cgi/cgiproc?nocfile=/manage/bdy_filt.htm&sReqPage=bdy_grp.htm&sReqPageDesc=%22Groups+Page%22')" name="toFilters" target="_self">Add Filter</A>

And then at the bottom of the function instead of:
theLink.href = newHref;
use:
location=newHref;

I think will be more compatible, but as far as checking on a server, I will give it a shot later if no one else has looked into it.
Best of luck!
-Josh
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 2

Author Comment

by:bernfarr
ID: 1828474
I rejected an answer in the HTML questions that should have been proposed here. I also gave an explanation of what I was trying to accomplish. I thought that explanation might help someone here suggest another approach.

My code is displaying a page that is the result of executing scriptA with some parameters passed in. From the screen, the user hyperlinks to a screen that is displayed in scriptB. When building the HTML to display inside scriptB, I need to output a generated hyperlink that will take me back to the same place within scriptA. That means that the hyperlink back to scriptA must contain all:
  par1=val1&par2=val2....
settings that caused the appropriate screen to be displayed before the hyperlink occurred.

I think this could be accomplished using cookies. Because our server is being used in a secure location, I'm not sure that cookies are an acceptable approach.

0
 
LVL 12

Expert Comment

by:Otta
ID: 1828475
> My code is displaying a page that is the result of executing
> scriptA with some parameters passed in.
> From the screen, the user hyperlinks to a screen
> that is displayed in scriptB.

scriptA needs to generate HTML containing hyper-links like:

<A
HREF="/cgi/scriptB&user=BernFarr&par1=val1&par2=val2....">
link to script B </A>

> When building the HTML to display inside scriptB, I need to
> output a generated hyperlink that will take me back to the
> same place within scriptA.

scriptB needs to generate HTML containing hyper-links like:

<A
HREF="/cgi/scriptA&user=BernFarr&par1=val1&par2=val2.... ">
link to script A </A>

> That means that the hyperlink back to scriptA must contain all:
>   par1=val1&par2=val2....
> settings that caused the appropriate screen to be displayed
> before the hyperlink occurred.

I think that the above description will do that.

> I think this could be accomplished using cookies.
> Because our server is being used in a secure location,
> I'm not sure that cookies are an acceptable approach.

In a "secure" environment, I think that the use of "cookies"
would be _LESS_ of a problem, rather than _MORE_ of a problem.
What are your reservations about using "cookies" ?
0
 
LVL 2

Author Comment

by:bernfarr
ID: 1828476
Otta

This is a reasonable summary of the problem. However, there are additional parameters passed into scriptB that must not be passed back into scriptA. This is where, I think, the CGI work might come in.

Note: because of the string lengths, I am bounding them with [] in the examples that follow.

Imagine that the original call to scriptA was:
  [http://mytarget/cgi/cgiproc?nfile=/grp.htm&sGrp=Original&sParam1=%22dn%3Dfarrell,%20ou%3DQA%22&sParam2=145]

and that the 'normal' call to scriptB is:
  [http://mytarget/cgi/cgiproc?nfile=/filt.htm&sPage=bdy_grp.htm&sDesc=%22Group+Page%22]

What I think you are suggesting is that I can simply construct, in the server, a hyperlink to scriptB, that is actually:
  [http://mytarget/cgi/cgiproc?nfile=/filt.htm&sPage=bdy_grp.htm&sDesc=%22Group+Page%22&sGrp=Original&sParam1=%22dn%3Dfarrell,%20ou%3DQA%22&sParam2=145]

and then, I guess, replace the first parameter value in the scriptB reference, with the required one for scriptA when scriptB does the processing. This ignores the fact that in some cases, both scriptA and scriptB might share other parameters with differing values. It also makes it much more likely that the arguments may exceed string size limits. (An alternate approach might still have this problem for some of our scripts)

Now the REAL question is, how would I do this within scriptB? Combining the hyperlink arguments in scriptA is the easy part, it already knows the parameters needed to get me to a certain place within the CGI code.

Within the scripting language that we use, I cannot obtain a simple string showing the arguments (the link.search equivalent). That is why I wanted to ability to pass all arguments needed for scriptA in as the value for a single parameter to scriptB.

I think there is probably a way to do it that combines both client and server code. In the meantime I am examining the HTTP server code to see if there is a way around it.

With regard to cookies. What I really meant to say was that the environment was security-conscious. Therefore we have users that use specially tailored versions of IE3(!). I believe that some users are not allowed to enable cookies for fear of what other sites might use them for.
0
 
LVL 12

Expert Comment

by:Otta
ID: 1828477
> However, there are additional parameters passed into scriptB
> that must not be passed back into scriptA.
> This is where, I think, the CGI work might come in.

That's exactly the "strength" of CGI -- the ability to "select"
only the "wanted" parameters.

> Note: because of the string lengths,
> I am bounding them with [] in the examples that follow.

Note: for clarity of expression, but sacrificing correct syntax,
I've "resolved" the '%hh' coding-scheme,
and have split the lines.

> Imagine that the original call to scriptA was:

[http://mytarget/cgi/cgiproc?
 nfile=/grp.htm
 &sGrp=Original
 &sParam1="dn=farrell, ou=QA"
 &sParam2=145]  

 and that the 'normal' call to scriptB is:

[http://mytarget/cgi/cgiproc?
 nfile=/filt.htm
 &sPage=bdy_grp.htm
 &sDesc="Group+Page"]
 

> What I think you are suggesting is that I can simply construct,
> in the server, a hyperlink to scriptB, that is actually:

[http://mytarget/cgi/cgiproc?
 nfile=/filt.htm
 &sPage=bdy_grp.htm
 &sDesc="Group+Page"
 &sGrp=Original
 &sParam1="dn=farrell, ou=QA"
 &sParam2=145]

> and then, I guess, replace the first parameter value in the
> scriptB reference, with the required one for scriptA when
> scriptB does the processing.

Agreed.

> This ignores the fact that in some cases, both scriptA and
> scriptB might share other parameters with differing values.

That shouldn't be a problem.
When scriptB is executed, it can retrieve both the variable-names,
and their values, which were passed, namely:

 nfile=/grp.htm
 &sGrp=Original
 &sParam1="dn=farrell, ou=QA"
 &sParam2=145

> It also makes it much more likely that
> the arguments may exceed string size limits.

Which language are you using to write your CGI,
and what limitations does it enforce?

Surely, when 16,777,216 bytes of RAM costs about $16.00 (US),
a "size-limit" of, say, 16,384 bytes (costing less than $0.02),
will be sufficient for your needs?

> Now the REAL question is, how would I do this within scriptB?

Which language are you using to write your CGI?
Which web-server?

The scripting-language should be able to retrieve the "names",
i.e., 'nfile' and 'sGrp' and 'sParam1' and 'sParam2'
which were passed to scriptB,
and, at the same time, the corresponding value for each name.

> Within the scripting language that we use,
> I cannot obtain a simple string showing the arguments ...

Are you sure?  What's the "good" of such a scripting-language,
if it cannot "receive" the values passed to it?

> I think there is probably a way to do it
> that combines both client and server code.

Since your CGI defines the HTML which is sent to the web-browser,
the real "power" is in your CGI scripting language.

The web-browser "client" is rather "dumb";
all it can do is trigger your CGI script to be executed.

0
 
LVL 2

Author Comment

by:bernfarr
ID: 1828478
> Which language are you using to write your CGI?
> Which web-server?

The web server comes with our OS, which is VxWorks. The language is, sigh, a homegrown one. Perl was not an option when we started this project some years ago. I only added basic string handling routines to the scripting language in the last six months!

> The scripting-language should be able to retrieve the "names",
> i.e., 'nfile' and 'sGrp' and 'sParam1' and 'sParam2'
> which were passed to scriptB,
> and, at the same time, the corresponding value for each name.

Should is correct. I'm working on trying to add that to the server as I write to you.

> > Within the scripting language that we use,
> > I cannot obtain a simple string showing the arguments ...
> Are you sure?  What's the "good" of such a scripting-language,
> if it cannot "receive" the values passed to it?

Yep, I'm sure. And we have other issues with the language, hence we are looking at migrating to something else (I'm not holding my breath). The CGI script does receive the values, but as predefined variables with assigned values. Without already knowing the name of a variable, there is (currently) no way of manipulating it within the language.

> Since your CGI defines the HTML which is sent to the web-browser,
> the real "power" is in your CGI scripting language.
> The web-browser "client" is rather "dumb";
> all it can do is trigger your CGI script to be executed.

I'll partially agree with you on that. Though with JavaScript and Java, there is a lot of power that can be added to the browser.

I still think (and this may be a failure of our server) that it ought to be possible to some thing like:
  sParam="sPar1=fred&sPar2=Mary&sPar3=%22String Here%22"
 
and have the server 'see' a single parameter, sParam, with a value of:
  sPar1=fred&sPar2=Mary&sPar3=%22String Here%22"

Before fixing our server, I'd like some validation from others about how other servers handle it.

0
 
LVL 12

Expert Comment

by:Otta
ID: 1828479
> I still think that it ought to be possible to [code]
> something like:
>    sParam="sPar1=fred&sPar2=Mary&sPar3=%22String Here%22"
> and have the server 'see' a single parameter,
> sParam, with a value of:
>    sPar1=fred&sPar2=Mary&sPar3=%22String Here%22"  

Use:

  sParam="sPar1=fred%26sPar2=Mary%26sPar3=%22String Here%22"

since %26 is a representation of the '&' character.
0
 
LVL 2

Author Comment

by:bernfarr
ID: 1828480
I've already tried that, I now think the problem is in how our server interprets the query arguments.

Has anyone a pointer to a location on the web for CGI argument 'standards'?
0
 
LVL 12

Expert Comment

by:Otta
ID: 1828481
Check: "The WWW Security FAQ: CGI Scripts" at:
http://cgi.usma.edu/mirror/WWW/www-security-faq/wwwsf4.html

for some good advice.


0
 
LVL 11

Accepted Solution

by:
mouatts earned 180 total points
ID: 1828482
Try this for starters. It is the same as ozos answer but with the colons encoded (these shouldn't appear within a URL except as a port or protocol seperator.

<A
      HREF="/cgi/cgiproc?sReqParam=sLogin%3dConfigure%26sDN%3dDu%3dEmployee,%2bou%3dQA,%2bo%3dMy%2bCorp,%2bc%3dUS%3a%3a4"
       target="_self">Other</A>


If that doesn't work the the percent signs need to be encoded so that on the first parse by the server the = etc are not decoded. This would make your anchor look like this.
<A
HREF="/cgi/cgiproc?sReqParam=sLogin%253dConfigure%2526sDN%253dDu%253dEmployee,%252bou%253dQA,%252bo%253dMy%252bCorp,%225bc%253dUS%253a%253a4"
       target="_self">Other</A>


Steve
0
 
LVL 2

Author Comment

by:bernfarr
ID: 1828483
Steve

Wonderful. It works. And it's obvious once you point it out. Now all I have to do is add code in the server to construct the mess. The reason for all the enclosed equals is because we're using LDAP strings in our database. The :: is an optimization extension of ours.

Thanks for all the suggestions, and the working solution.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

This article is meant to give a basic understanding of how to use R Sweave as a way to merge LaTeX and R code seamlessly into one presentable document.
This article will show, step by step, how to integrate R code into a R Sweave document
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now