No parameters in URL

[FEMA]

This is the first time I have ever posted anything to a forum, so if I have made a mistake, please let me know.

I took over the maintenance of an existing Intranet site for the government and am running into an issue with the pages involved with displaying a student's transcript.

There is a form that allows users to input information about the person they wish to find and then sends the info. to another page that searches two databases (FoxPro and SQL Server), finds any matching records, and displays the person's name, and their city and state. Their name is used as a hyperlink to a third page that will display their transcript, based on the only unique data available, their Social Security Number (SSN).

The problem is that by using the hyperlink and passing the SSN, the SSN shows up as part of the URL
(as in details.asp?KeyID="SSN&quot. The customer is concerned with privacy issues, so I am looking for a way to either eliminate the SSN from the URL or find an alternative to the hyperlink.

I have tried making the table part of a form and then using the onclick event for the hyperlink to run a javascript that submits the form, but the SSN value is not available on the next page. I have tried passing the SSN as a session variable, but still got the same results.

Any help would be greatly appreciated.

 

[herb8]

Use the Request off the form rather than using request.querystring action to pass the ssn. By in the main page put inside the form a textbox named SSN. Then when the action happens it will transfer it to the next page.
On the next page put in
<%
Dim var1

var1 = Request(&quot;SSN&quot

%>

Now you can manipulate this variable in any way and it is not passed through the url.

 

[Ekliptic]

herb8,

I've tried passing a variable as you described above but when I go to add the variable to my database it says the variable is null. For some reason it's not being passed. Any ideas?

 

[Bastien]

Hi,

If you look at the code for the <form> tag, is the method =&quot;Get&quot;, if so shange it to post and that will stop the URL from showing the SSN. Change the responding page should have the code for the Request.FORM where it currently has Request.QUERYSTRING and that should take care of the
problem.

hth Bastien

There are many ways to skin this cat,
but it still tastes like chicken

 

[ToddWW]

Well FEMA, one thing you should definitely be aware of is that no matter what solution you come up with, View / Source will display all of the SSN# on that page. However, I'm not suggesting that you redesign the database and I believe that we can easily get the SSN# out of the URL. I just want you to be aware that with the current database design, using the SSN as the only unique identifier, it will be impossible for you to completely hide those numbers from prying eyes.

So far, you're half way home in that you want to enclose all of the links between form tags. As mentioned in a previous reply you want your opening form tag to have the method=&quot;post&quot; parameter in it and you want to set the action=&quot;somepage.asp&quot; to direct to the page that the HREF's are currently navigating to.

Now, currently your links probably look like this.

<a href=&quot;somepage.asp?ID=123456789&quot;>Some Person</a>


What you want to do is change your links to look like this.

<a href=&quot;javascriptostForm('123456789');&quot;>Some Person</a>


Next, you'll need to place one hidden field inside the form with an empty value. Something like this... If you give this the same name as the Key in the current key/value pair of the URL. Then all you'll have to do on the receiving page is change the method from Request.QueryString to Request.Form.

<input type=&quot;hidden&quot; name=&quot;ID&quot; value=&quot;&quot;>


Finally, you'll need to write a small javascript function that will obtain the SSN when the HREF calls the function, use it to populate the hidden field, the post the form to the next page.

Now, does this completely hide the SSN ?? No. It does get it off the URL however. But the visitor can see the SSN in the status bar at the bottom of the browser window when they move their mouse over the link. However, this will be the easiest way to make a change for the better without extensive re-design since you're currently using HREF's now. Later I'll post another solution that you can try that will completely hide the SSN# from plain view. (Remember, you can't completely hide it from View Source. The only way you're going to be able to accomplish this would be to redesign the database and assign random ID's to each person)

Here's a small script that you can load on your server as is and see how it works. Notice how I've made a slight change to the HREF. I'm passing an ID to the JavaScript function that populates a hidden field and submits the form to itself. The page will display the result using the Request.Form(&quot;ID&quot method. I put the ID in plain text next to the persons name so you can see the results match up with the person you clicked. Of course, I'm not suggesting you do the same or that this is required to make this function work correctly.


<%@ Language=VBScript %>
<% Option Explicit %>
<%=Request.Form(&quot;ID&quot & &quot;<br><br>&quot;%>

<html>
<head>
<script Language=&quot;JavaScript&quot;>
<!--
function postForm(id) {
document.myform.ID.value = id
document.myform.submit()
}
//-->
</script>
</head>
<body>
<form name=&quot;myform&quot; method=&quot;post&quot;>
<a href=&quot;javascriptostForm('144')&quot;>Tom Smith - 144</a><br><br>
<a href=&quot;javascriptostForm('239')&quot;>John Perry - 239</a><br><br>
<a href=&quot;javascriptostForm('348')&quot;>Jack Paul - 348</a><br><br>
<input type=&quot;hidden&quot; name=&quot;ID&quot; value=&quot;&quot;>
</form>
</body>
</html>


I'm hoping you can learn enough from this. Remember, look towards the bottom of your browser window while moving your mouse over the link. It's important that you understand that.

Hope this helps.

ToddWW

 

[ToddWW]

OK, me again. I'm back with another solution that will completely hide the SSN# from plain view. Here I have placed a radio control next to each name. I like to use these for purposes like this because it is the smallest element in JavaScript that can fire a function on a mouse click. You can use checkboxes also so if that pleases you, just change the type from radio to checkbox the functions will work the same.

I won't beat the dead horse again, so here's the page. It's race ready so you can just load it on your server and run it to see it in action.


<%@ Language=VBScript %>
<% Option Explicit %>
<%=Request.Form(&quot;ID&quot & &quot;<br><br>&quot;%>

<html>
<head>
<script Language=&quot;JavaScript&quot;>
<!--
function postForm(form_ref) {
form_ref.submit()
}
//-->
</script>
</head>
<body>
<form name=&quot;myform&quot; method=&quot;post&quot;>
<input onClick=&quot;postForm(this.form);&quot; type=&quot;radio&quot; name=&quot;ID&quot; value=&quot;144&quot;>  Tom Smith - 144<br><br>
<input onClick=&quot;postForm(this.form);&quot; type=&quot;radio&quot; name=&quot;ID&quot; value=&quot;239&quot;>  John Perry - 239<br><br>
<input onClick=&quot;postForm(this.form);&quot; type=&quot;radio&quot; name=&quot;ID&quot; value=&quot;348&quot;>  Jack Paul - 348<br><br>
</form>
</body>
</html>


There are other ways to pass a single reference from a multitude of options in a hidden form collection. A select list would work, although hurts my eyes to scroll through it extensively.

Let me know if any of these are helping ..

ToddWW

 

[FEMA]

ToddWW - I just got back into the office today and will try your suggestions as soon as I am able.

I'll let you know how I make out.

 

[FEMA]

ToddWW - I implemented your suggestions using the href to call the javascript function and they worked! Thanks so much. I also found that information can be eliminated from the status bar by adding the onMouseOver member.

Also, I did find an encrypt function that allowed me to encrypt the information shown in View Source. It can be found here:

http://www.aspemporium.com/aspEmporium/codelib/codelib.asp?pid=70&cid=15

There is a corresponding decrypt function as well.

Again, thanks for your help! You saved me lots of research!