Icon View Thread

The following is the text of the current message along with any replies.
Messages 1 to 10 of 13 total
Thread TPage POST
Tue, Mar 18 2014 12:22 PMPermanent Link

Matthew Jones

Hmm, I appear to be down a rabbit hole...

I have a form for a web shop, and I would like to do the "3D-Secure" conformation
in a TPage so that the user doesn't have to go anywhere. It seemed all quite
sensible, until I realised that I have to POST the data to the web page, and the
TPage.URL only sets the href and thus does a GET.

Anyone know how to hack this to allow me to POST?

/Matthew Jones/
Wed, Mar 19 2014 11:46 AMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Matthew,

<< I have a form for a web shop, and I would like to do the "3D-Secure"
conformation in a TPage so that the user doesn't have to go anywhere. It
seemed all quite sensible, until I realised that I have to POST the data to
the web page, and the TPage.URL only sets the href and thus does a GET.

Anyone know how to hack this to allow me to POST?  >>

AFAIK, the only way to do a POST in a TPage (iframe) is if the user
initiates it.

Tim Young
Elevate Software
www.elevatesoft.com
Wed, Mar 19 2014 12:23 PMPermanent Link

Matthew Jones

> AFAIK, the only way to do a POST in a TPage (iframe) is if the user
> initiates it.

Hmm, that's interesting. I've got myself to the point where I need to solve this,
but it must be doable somehow because the normal "Verified by Visa" type stuff
works in everyone else's shopping carts without me doing anything. It may be that
it needs some javascript to kick it off, in which case I'll have to load it from
the server with a custom page or something. I will study how the VbV is normally
done, then come back with info and experimentations.

/Matthew Jones/
Wed, Mar 19 2014 1:31 PMPermanent Link

Matthew Jones

First investigations:

http://stackoverflow.com/questions/168455/how-do-you-post-to-an-iframe

This suggests that I need to POST using a FORM. I can set the target to the output
frame. Not yet sure how to post yet, but it seems that TPanels are <form>s so that
is promising. Okay, reading the EWB source code (so good to have that - worth lots)
I can see that a TPanel is an excellent target for hacking.

Okay, so far I can get it to POST the form, but not the inputs.

procedure TCustomPanel.FormHackPost(szURL : String; xParams : TStringList; szTarget
: String); // MJ
var
   xInput : THTMLInputElement;
   nLoop : Integer;
begin
   FForm.target := szTarget;
   FForm.action := szURL;
   
   for nLoop := 0 to xParams.Count - 1 do
   begin
      xInput := THTMLInputElement(CreateHTMLElement('input'));
     xInput.type := 'text';
      xInput.name := xParams.Names[nLoop];
      xInput.value := xParams.ValueFromIndex[nLoop];
      AddHTMLElement(FForm, xInput);
   end;
   FForm.submit;
end;

This is sort of working, in that the DOM now looks like: (with the styles cut for
clarity)

<form class="pnl_back" enctype="multipart/form-data" method="post"
target="frmShop_page3DSecure" id="pnlHack" action="https://example.com" >
<input type="text" name="PaReq">
<input type="text" name="MD">
<input type="text" name="TermUrl">
</form>

The interesting thing is that the inputs are not "closed" in the HTML, and they
have no values. The StackOverflow example I found has:
<input type="text" name="someText" value="Some Text" />
which implies I've not got that part of the code right. But it is POSTing to the
proper destination, and appearing in the TPage iframe, so that is good. The page
now shows a server generated error saying it can't find the PaReq value, which is
true.

More as and when I can get to it, which maybe tomorrow.

/Matthew Jones/
Wed, Mar 19 2014 1:48 PMPermanent Link

Matthew Jones

Update: The values are visible on the TPanel, and I think are basically okay.
Chrome's network debug panel shows the data is sent just fine. I think I'm just
sending it wrong.

And indeed I am!

The data for 3DSecure needs to be sent as params in the URL, not as <input> data.
Thus

pnlHack.FormHackPost(sz3DURL + '?' + szEncodedData, xParams,
'frmShop_page3DSecure');

works fine. I've obviously done a load more work for the inputs than I needed to,
but it is left for others to play with.

It would be nice to have an official mechanism for this to be done. Ideally passing
in a TPage to have as the destination. Happy to wait for v2 to be out before that's
looked at though. This is a key requirement for the 3D secure web payment stuff, so
needs to be possible, preferably without my hacking it.

/Matthew Jones/
Wed, Mar 19 2014 1:57 PMPermanent Link

Matthew Jones

Oh so triumphant! Unfortunately, when I click on the Submit button, it isn't
submitting now I've set it to the right destination. Hmm, seems like that is an
http in an https page problem, as if I set it to an https then it works. Not an
issue - that lets me move onto my next step!

What I like about this is that I will be able to post details of the application at
some point. I'll have to work out how to give a proper demo account as I am not
allowed to give the test card details out.

/Matthew Jones/
Thu, Mar 20 2014 4:46 AMPermanent Link

Matthew Jones

I should point out, for anyone who follows the path of my Hack function, that the
inputs are not removed, and thus the next call adds another set with the same names.
That probably isn't what you want! Fix is left as an exercise for the reader. 8-)

/Matthew Jones/
Tue, Mar 25 2014 11:38 AMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Matthew,

<< First investigations:

http://stackoverflow.com/questions/168455/how-do-you-post-to-an-iframe >>

That's not what you asked, or at least not what I thought you were asking.
You asked how to execute a POST *in* an iframe, not how to redirect the
output from a POST *to* an iframe.  The form submittal example that comes
with EWB shows you how to redirect a POST to a TPage: you set the
FormOutputPage property of the panel/form executing the Submit.

Tim Young
Elevate Software
www.elevatesoft.com
Tue, Mar 25 2014 12:41 PMPermanent Link

Matthew Jones

> That's not what you asked, or at least not what I thought you were
> asking.

You say potato... 8-)

I'll look up the proper option now. I think the confusion is my lack of knowledge
of how these things /can/ work and therefore what terms to ask for.

/Matthew Jones/
Tue, Mar 25 2014 1:00 PMPermanent Link

Matthew Jones

> FormOutputPage

       pnlHack.FormURL := sz3DURL + '?' + szEncodedData;
       pnlHack.SubmitForm;

Indeed, this all works nicely. People can happily ignore my hack, it is already
covered. Superb.        

/Matthew Jones/
Page 1 of 2Next Page »
Jump to Page:  1 2
Image