in reply to CGI Refresh question

Hidden elements are pretty easy, and you're using CGI.pm, so getting at them is really easy. Of course, if you know how to make them, spoofing them is also easy, so be aware that this isn't sufficient security unless your users are completely ignorant of View Source.
    # the HTML for making a hidden field
    # <input type="hidden" name="submitted" value="1">

    if (! defined param('submitted') ) {
        # display a button
    } else {
        # don't display the button
    }
To get around the refreshing bit is more difficult. Perhaps the default behavior would be *not* to increment the counter.

(Counters are inaccurate anyway, due to proxies, refreshes, and other things. I think you just picked it as an easy example, though.)

RE: Re: CGI Refresh question
by Adam (Vicar) on Jul 25, 2000 at 04:17 UTC
    Thank you chromatic, but as I said in my post, my sample code is a simplistic demo of a much more complicated script. Counting had nothing to do with it, it was just a way to make it simple. As for the insecurity of the hidden tag, I'm not using it for security, I just use it to track which app this button talks to. In other words, imagine I was writing the script for n counters, and you could reset the one of your choice. I am using hidden data for that.
    for( 1..5 ) {
        print start_form(),
              hidden( -name=>"cntrnum", -value=>$_ ),
              submit( -name=>"action", -value=>"Reset Counter" ),
              end_form(), "\n\n";
    }
    The real heart of the question is how to keep the user from accidentally resetting the counter by refreshing. (And again, counters are just an easy substitute for a bigger task).

    And yes, I suspect that the users are ignorant of "View Source" which is why I'm so worried that they will refresh themselves into a bad spot. Y'see?

    Thanks again!
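
An added example, not part of either post above and not the posters' code: one way to cover both points raised in the thread, treating the hidden cntrnum value as untrusted input and ignoring a refresh that replays the same submission, by binding a single-use token to each form. The names issue_token and handle_reset, the secret, and the in-memory %spent store are assumptions for illustration; a real CGI script would keep spent tokens in a file or database, since every request runs as a new process.

```perl
#!/usr/bin/perl
# Added illustration (not from the thread): single-use form tokens.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'constructed-demo-secret';   # assumption: server-side secret
my %spent;                                 # tokens already redeemed
my %counter = map { $_ => 10 } 1 .. 5;     # constructed sample state
my $serial  = 0;

# Issue a token bound to one counter; it travels in a second hidden field
# next to cntrnum when the form for that counter is printed.
sub issue_token {
    my ($cntrnum) = @_;
    my $nonce = sprintf '%d-%d', time, ++$serial;
    my $mac   = hmac_sha256_hex(join(':', $cntrnum, $nonce), $SECRET);
    return join ':', $nonce, $mac;
}

# Handle one "Reset Counter" submission and return a status string.
sub handle_reset {
    my ($cntrnum, $token) = @_;

    # Hidden fields are client-controlled, so validate rather than trust.
    return 'rejected: bad counter'
        unless defined $cntrnum && $cntrnum =~ /\A[1-5]\z/;

    my ($nonce, $mac) = split /:/, $token // '', 2;
    # Plain eq is not a constant-time comparison; kept simple here.
    return 'rejected: bad token'
        unless defined $mac
            && $mac eq hmac_sha256_hex(join(':', $cntrnum, $nonce), $SECRET);

    # A refresh re-sends the same token, so each token is honoured once.
    return 'ignored: already processed' if $spent{$token}++;

    $counter{$cntrnum} = 0;
    return 'reset';
}

my $token = issue_token(3);
print handle_reset(3, $token),  "\n";   # first submit
print handle_reset(3, $token),  "\n";   # browser refresh replays the POST
print handle_reset(4, $token),  "\n";   # token reused for another counter
print handle_reset(99, $token), "\n";   # hidden value edited by the client
```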