Re: [Zope] sending form data offsite
urlencode takes a dictionary of params/values like this: { 'param1' : 'value1', 'param2' : 'value2' } It cleans up spaces. I am using it for credit card processing and that includes spaces in addresses, names and the like. On Tue, 2003-03-11 at 01:46, Ed Colmar wrote:
Thanks!
urlencode does the cleaning up of spaces and illegal characters? What format does it expect? Just a string?
Cheers!
-ed-
On 6 Mar 2003, Edward Muller wrote:
I use something like the following to do the exact a same thing...
import string, urllib from M2Crypto import m2urllib encodedParams = urllib.urlencode(params) url = m2urllib.FancyURLopener() u =url.open('https://secure.post/location',encodedParams) data = u.read()
In an external method ... I use m2crypto because of good SSL support ... You could probably use the regular httplib if you don't need SSL support.
On Wed, 2003-03-05 at 19:12, Ed Colmar wrote:
Hi fellow zope hackers!
I'm building a site for someone who wants to have the entire site within zope, to connect to dbs, etc... But they use a service that requires them to post form data to a master server.
Is there an easy way (in dtml or python) to do this without seeing the data transfer or ending up at th other server's pages?
So far I've considered making an external method that uses lynx and dumps the return data. Is this the best way?
Thanks for the help!
-ed-
-- Edward Muller
Interlix - President Web Hosting - PC Service & Support Custom Programming - Network Service & Support Phone: 417-862-0573 Cell: 417-844-2435 Fax: 417-862-0572 http://www.interlix.com
Hey again So I'm close to a solution here... Thanks for the help everybody! How did you get the initial form data into your params variable? I see that I can use the urllib.quote() method as well for individual values... -ed- On 10 Mar 2003, Edward Muller wrote:
urlencode takes a dictionary of params/values like this:
{ 'param1' : 'value1', 'param2' : 'value2' }
It cleans up spaces. I am using it for credit card processing and that includes spaces in addresses, names and the like.
On Tue, 2003-03-11 at 01:46, Ed Colmar wrote:
Thanks!
urlencode does the cleaning up of spaces and illegal characters? What format does it expect? Just a string?
Cheers!
-ed-
On 6 Mar 2003, Edward Muller wrote:
I use something like the following to do the exact a same thing...
import string, urllib from M2Crypto import m2urllib encodedParams = urllib.urlencode(params) url = m2urllib.FancyURLopener() u =url.open('https://secure.post/location',encodedParams) data = u.read()
In an external method ... I use m2crypto because of good SSL support ... You could probably use the regular httplib if you don't need SSL support.
On Wed, 2003-03-05 at 19:12, Ed Colmar wrote:
Hi fellow zope hackers!
I'm building a site for someone who wants to have the entire site within zope, to connect to dbs, etc... But they use a service that requires them to post form data to a master server.
Is there an easy way (in dtml or python) to do this without seeing the data transfer or ending up at th other server's pages?
So far I've considered making an external method that uses lynx and dumps the return data. Is this the best way?
Thanks for the help!
-ed-
-- Green Graphics ::: Print and Web Design ::: 510.923.0000
For me the params were passed into the external method like so... def do_the_thing(params): ..... This was called from a python script like so ... context.do_the_thing( { 'param1' : 'value1', 'param2' : 'value2' }) The original value came from a REQUEST object.... I'd actually like to turn this into a mini product at some point :-). On Tue, 2003-03-11 at 02:20, Ed Colmar wrote:
Hey again
So I'm close to a solution here... Thanks for the help everybody!
How did you get the initial form data into your params variable? I see that I can use the urllib.quote() method as well for individual values...
-ed-
On 10 Mar 2003, Edward Muller wrote:
urlencode takes a dictionary of params/values like this:
{ 'param1' : 'value1', 'param2' : 'value2' }
It cleans up spaces. I am using it for credit card processing and that includes spaces in addresses, names and the like.
On Tue, 2003-03-11 at 01:46, Ed Colmar wrote:
Thanks!
urlencode does the cleaning up of spaces and illegal characters? What format does it expect? Just a string?
Cheers!
-ed-
On 6 Mar 2003, Edward Muller wrote:
I use something like the following to do the exact a same thing...
import string, urllib from M2Crypto import m2urllib encodedParams = urllib.urlencode(params) url = m2urllib.FancyURLopener() u =url.open('https://secure.post/location',encodedParams) data = u.read()
In an external method ... I use m2crypto because of good SSL support ... You could probably use the regular httplib if you don't need SSL support.
On Wed, 2003-03-05 at 19:12, Ed Colmar wrote:
Hi fellow zope hackers!
I'm building a site for someone who wants to have the entire site within zope, to connect to dbs, etc... But they use a service that requires them to post form data to a master server.
Is there an easy way (in dtml or python) to do this without seeing the data transfer or ending up at th other server's pages?
So far I've considered making an external method that uses lynx and dumps the return data. Is this the best way?
Thanks for the help!
-ed-
-- Edward Muller
Interlix - President Web Hosting - PC Service & Support Custom Programming - Network Service & Support Phone: 417-862-0573 Cell: 417-844-2435 Fax: 417-862-0572 http://www.interlix.com
Thanks again for all the tips! Heres what I ended up with for anyone else trying to do the same thing: -------------- I made an external method: def formsender(self, url, params): """ This method is used to transparently send form data to an external server """ import urllib encodedParams = urllib.urlencode(params) print url print encodedParams try: result = urllib.FancyURLopener().open(url, encodedParams) urllib.FancyURLopener().close() return result.read() except: return 0 --------------- Then in dtml I placed this code on the page that the form points to: <dtml-call "REQUEST.set('params', REQUEST.form)"> <dtml-call "REQUEST.set('url','http://www.whateversite.com/cgi?')"> <dtml-var "formsender(url, params)"> --------------- -ed- -- Green Graphics ::: Print and Web Design ::: 510.923.0000
Ed Colmar wrote:
Thanks again for all the tips!
Heres what I ended up with for anyone else trying to do the same thing:
--------------
I made an external method:
def formsender(self, url, params): """ This method is used to transparently send form data to an external server """ import urllib encodedParams = urllib.urlencode(params) print url print encodedParams try: result = urllib.FancyURLopener().open(url, encodedParams) urllib.FancyURLopener().close() return result.read() except: return 0
---------------
Then in dtml I placed this code on the page that the form points to:
<dtml-call "REQUEST.set('params', REQUEST.form)"> <dtml-call "REQUEST.set('url','http://www.whateversite.com/cgi?')"> <dtml-var "formsender(url, params)">
I'm a bit late to the game here, but haven't you just constructed a nice anonymizing http attacking engine? As I see it, formsender could be called through the web, so http://yourserver/wherever/formsender?url=www.victimdomain.tld¶ms=bad_at... would be possible, right? cheers, oliver
Not really, no. It would be possible to attack that exact page/method anonymously, but Since the URL is hard coded in, it is not possible to direct it to another server... Interesting idea though. Maybe I will incorperate this in to my product designed to do http anonymizing. Thanks for the note! -ed- On Tue, 18 Mar 2003, Oliver Bleutgen wrote:
Ed Colmar wrote:
Thanks again for all the tips!
Heres what I ended up with for anyone else trying to do the same thing:
--------------
I made an external method:
def formsender(self, url, params): """ This method is used to transparently send form data to an external server """ import urllib encodedParams = urllib.urlencode(params) print url print encodedParams try: result = urllib.FancyURLopener().open(url, encodedParams) urllib.FancyURLopener().close() return result.read() except: return 0
---------------
Then in dtml I placed this code on the page that the form points to:
<dtml-call "REQUEST.set('params', REQUEST.form)"> <dtml-call "REQUEST.set('url','http://www.whateversite.com/cgi?')"> <dtml-var "formsender(url, params)">
I'm a bit late to the game here, but haven't you just constructed a nice anonymizing http attacking engine? As I see it, formsender could be called through the web, so
http://yourserver/wherever/formsender?url=www.victimdomain.tld¶ms=bad_at...
would be possible, right?
cheers, oliver
-- Green Graphics ::: Print and Web Design ::: 510.923.0000
Oops... My mistake. You are right. I thought you were referring to the dtml method not the external method. I'll hard code the url into the external method to secure it Thanks! -ed- On Wed, 19 Mar 2003, Ed Colmar wrote:
Not really, no.
It would be possible to attack that exact page/method anonymously, but Since the URL is hard coded in, it is not possible to direct it to another server... Interesting idea though. Maybe I will incorperate this in to my product designed to do http anonymizing.
Thanks for the note!
-ed-
On Tue, 18 Mar 2003, Oliver Bleutgen wrote:
Ed Colmar wrote:
Thanks again for all the tips!
Heres what I ended up with for anyone else trying to do the same thing:
--------------
I made an external method:
def formsender(self, url, params): """ This method is used to transparently send form data to an external server """ import urllib encodedParams = urllib.urlencode(params) print url print encodedParams try: result = urllib.FancyURLopener().open(url, encodedParams) urllib.FancyURLopener().close() return result.read() except: return 0
---------------
Then in dtml I placed this code on the page that the form points to:
<dtml-call "REQUEST.set('params', REQUEST.form)"> <dtml-call "REQUEST.set('url','http://www.whateversite.com/cgi?')"> <dtml-var "formsender(url, params)">
I'm a bit late to the game here, but haven't you just constructed a nice anonymizing http attacking engine? As I see it, formsender could be called through the web, so
http://yourserver/wherever/formsender?url=www.victimdomain.tld¶ms=bad_at...
would be possible, right?
cheers, oliver
-- Green Graphics ::: Print and Web Design ::: 510.923.0000
participants (3)
-
Ed Colmar -
Edward Muller -
Oliver Bleutgen