Posting Links
Generally, an a tag web page link requests a page. Getting a page by requesting it is called method GET.
On the other hand, obtaining a page by submitting content to it is called method POST.
Both a GET request and a POST submission can generally load the same page. (Some pages may not accept one or the other, but for the purpose of this article, we'll assume pages can accept both GET requests and POST submissions.)
With basic HTML, an a tag link requests a page method GET. When a web page form is submitted, it is generally method POST.
This article describes how to submit method POST rather than request method GET when a link is clicked.
There are reasons to do that. I'll list some further below. One or more of them, or a reason I haven't thought of, may be a valid reason for you.
How the posting link works: The a tag link URL runs a JavaScript function. The JavaScript function submits an invisible form that was created for this particular posting link. The invisible form contains the destination URL and hidden fields to be sent method POST.
Reasons for Using a Posting Link
Transmission security: First of all, use an SSL (https://...) connection.
Even with an SSL connection, the destination URL is plain text, including any GET URL parameter information. For confidential parameter information, make it a posting link. Because the confidential information is now in the body of the submission instead of plain text in the URL, it is encrypted.
Server log security: Destination URLs are recorded in server logs. Generally server logs are not encrypted.
Server logs contain GET URL parameter information. But they do not contain POST submitted information.
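The server log point above, as an added example that is not part of the original article: a Node.js check that scans access-log lines for sensitive-looking GET parameters, which marks the links worth converting to posting links. The log lines, the parameter-name list and the function names are constructed for illustration.

```javascript
// Assumed list of parameter names that should never appear in a URL.
const SENSITIVE = /^(secret|token|password|passwd|session|key|email)$/i;

// Pull "METHOD target" out of the quoted request part of a Combined Log Format line.
function parseRequest(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"/);
  return m ? { method: m[1], target: m[2] } : null;
}

// Report the parameter name only, never the value, so the report
// does not become a second copy of the leaked data.
function findExposedParams(logLines) {
  const findings = [];
  for (const line of logLines) {
    const req = parseRequest(line);
    if (!req) continue;
    let url;
    try {
      // The base exists only so URL can parse a path-only request target.
      url = new URL(req.target, "https://placeholder.invalid");
    } catch (e) {
      continue; // skip malformed request targets
    }
    for (const name of url.searchParams.keys()) {
      if (SENSITIVE.test(name)) {
        findings.push({ method: req.method, path: url.pathname, param: name });
      }
    }
  }
  return findings;
}

// Constructed sample: the same page reached by a GET link and by a posting link.
const sampleLog = [
  '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /landing.php?secret=keeping+it+off+the+URL&ref=a1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2024:13:56:02 +0000] "POST /landing.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Oct/2024:13:57:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

console.log(findExposedParams(sampleLog));
```

Only the GET entry is flagged; the POST entry for the same page carries nothing in its request line for the scan to find.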
Secrecy: When the information that would be parameter information of a GET link needs to be obfuscated or removed from the browser's address bar, consider a posting link.
Link URL cloaking: When it is desired that a link be cloaked so spiders and bots don't follow it, or for other reasons, using a posting link can be considered. Some bots will not follow a tag links that launch a JavaScript function.
Implementation
Implementation is in three parts.
- The link that the site user will tap or click on.
- The JavaScript function that will submit an invisible form.
- The form with information to be submitted.
The link —
The link href value is javascript:PostItNow(), which runs the JavaScript function PostItNow() whenever the link is tapped. (The source code of PostItNow() is further below.) Here is an example link:
<a href="javascript:PostItNow()"> Link text </a>
The JavaScript function PostItNow() —
Here's the source code for the PostItNow() function.
<script>
function PostItNow()
{
document.getElementById("form-for-posting").submit();
}
</script>
The form-for-posting id value is the same id value as the form tag's id value. The source code for an example invisible form is provided next.
The JavaScript can be anywhere on the page. Immediately above the closing </body> tag is okay.
The invisible form —
The action value for the invisible form's form tag is the URL of the browser's destination page, the page the browser shall go to.
The form contains hidden fields with the values to be submitted method POST to the URL in the action value. There are no submit buttons or visible fields. The form isn't visible on the page at all.
Here is the source code of a form with values in hidden fields. In your implementation, omit the ones you don't need. Add additional hidden fields as appropriate.
<form id="form-for-posting" action="https://www.willmaster.com/possibilities/demo/POSTdump.php" method="post" enctype="application/x-www-form-urlencoded" style="display:inline; margin:0;">
<input type="hidden" name="secret" value="keeping it off the URL">
<input type="hidden" name="self_URI" value="<?php echo(htmlspecialchars($_SERVER['PHP_SELF'])) ?>">
</form>
Two customizations:
- The form-for-posting id value of the form needs to be the same as the form-for-posting id value in the JavaScript function PostItNow().
- Change the https://www.willmaster.com/possibilities/demo/POSTdump.php action attribute value to the URL of the web page the browser is to load.
- Use only the hidden fields with information that the destination needs. What that would be depends on the destination. Maybe it's a form handler. Maybe an affiliate landing page. Perhaps some other type of page.
Add hidden fields for additional information that may be required and omit unneeded hidden fields.
The form isn't required to have hidden fields. If no information is to be posted, include no hidden fields.
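A generalization of the three parts above, as an added example that is not part of the original article: a helper that takes an existing GET link and emits the link plus its invisible form, moving every URL parameter into an HTML-escaped hidden field. The names buildPostingLink, escapeHtml and the post-form-N id scheme are hypothetical, and the markup assumes a variant of PostItNow() that accepts the form id so a page can hold several posting links.

```javascript
// Assumes the page defines this variant of the article's function:
//   function PostItNow(id) { document.getElementById(id).submit(); }

// Escape a value for use in HTML text or a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// getUrl: the GET link to convert; n: integer used to build a unique form id.
function buildPostingLink(getUrl, linkText, n) {
  const url = new URL(getUrl);
  if (url.protocol !== "https:") throw new Error("destination must be https://");
  if (!Number.isInteger(n)) throw new Error("n must be an integer");
  const id = "post-form-" + n;

  // Each GET parameter becomes one hidden field; values are decoded by
  // URLSearchParams and re-escaped for the attribute context.
  const fields = [];
  for (const [name, value] of url.searchParams) {
    fields.push('<input type="hidden" name="' + escapeHtml(name) +
                '" value="' + escapeHtml(value) + '">');
  }

  // Strip the query string and fragment so nothing is left on the URL.
  url.search = "";
  url.hash = "";

  return [
    '<a href="javascript:PostItNow(\'' + id + '\')">' + escapeHtml(linkText) + "</a>",
    '<form id="' + id + '" action="' + escapeHtml(url.toString()) +
      '" method="post" enctype="application/x-www-form-urlencoded"' +
      ' style="display:inline; margin:0;">',
    ...fields,
    "</form>",
  ].join("\n");
}

// Constructed input: one plain value and one containing quote and angle characters.
const sampleGetUrl =
  "https://example.com/landing.php?secret=keeping+it+off+the+URL&note=%22a%22+%3C+b";
console.log(buildPostingLink(sampleGetUrl, "Link text", 1));
```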
An Example
This example uses the above code as it is presented:
Testing
Clicking on the link should submit the information in the form's hidden fields as method POST and take the browser to the page where the information is submitted to.
Posting links send information to the destination page in a more secure manner than GET links. With a posting link, the information that would be in GET links is kept out of server access logs. Using method POST satisfies both of those requirements and has other advantages as stated above.
(This article first appeared in Possibilities newsletter.)
Will Bontrager