MORE SCRIPTING HELP

Andrew J. Mutch amutch at tln.lib.mi.us
Mon Jul 27 14:12:26 EDT 1998


Hi again,
 
Well, thanks to Bob Pasicznyuk, I've licked the first part of my script
challenge.  Here's part two and I'm looking for help.  The CGI script that
Bob provided me calls a URL after verifying that a patron's ID is valid.
The URL I want to call accesses OCLC's FirstSearch Databases.  One method
I've come up with is to use JavaScript to submit the "autho" and
"password" when the page loads.  However, this is a security hole because
a patron could stop the page as it loads, view source, and see the autho
and password.  My question is: "Can the 'autho' and 'password' be appended
to the URL so that the entire URL could be hidden in the CGI script"?

URL=http://www.ref.oclc.org/FUNC/LOGIN:next=html/fs_dbs.htm:sessionid=0:entityProductName=FirstSearch
autho=###-###-###  
password=ABCDE?FGH

Here's the method I'm currently using:

<body onLoad="document.oclc.submit()">

<FORM
NAME="oclc"
METHOD=POST
ACTION="http://www.ref.oclc.org/FUNC/LOGIN:next=html/fs_dbs.htm:sessionid=0:entityProductName=FirstSearch">

<INPUT SIZE=12 TYPE=HIDDEN NAME="autho" VALUE="###-###-###">
<INPUT SIZE=12 TYPE=HIDDEN NAME="password" VALUE="ABCDE?FGH">
</FORM>

BTW -- I realize that OCLC has a script that does this and I'm working on
that angle but I would prefer to do it in one script as opposed to two.  

Thanks!

Andrew Mutch
Northville District Library
Northville, MI
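
An added example, not part of the original post: a Python check to run over the HTML a CGI script returns, flagging credentials that reach the browser either as form fields (as in the form above) or as parameters appended to a URL. It goes beyond the single form in the post; the host `upstream.example`, the extra field names and the sample values are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# "autho" and "password" are the field names in the post; the rest are assumed.
SECRET_NAMES = {"autho", "password", "passwd", "pwd"}

# Constructed samples: host and credential values are placeholders.
SAMPLE_FORM = """<body onLoad="document.oclc.submit()">
<FORM NAME="oclc" METHOD=POST ACTION="http://upstream.example/login">
<INPUT TYPE=HIDDEN NAME="autho" VALUE="###-###-###">
<INPUT TYPE=HIDDEN NAME="password" VALUE="ABCDE?FGH">
</FORM></body>"""
SAMPLE_URL = ('<a href="http://upstream.example/login'
              '?autho=000-000-000&amp;password=placeholder">FirstSearch</a>')


class ExposureAudit(HTMLParser):
    """Collect every place where a page hands a credential to the browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "")
        if tag == "input" and name.lower() in SECRET_NAMES and a.get("value"):
            # TYPE=HIDDEN only hides the field from rendering, not from view source.
            self.findings.append(("form-field", name, a.get("type", "text").lower()))
        # A credential appended to a URL in the page is just as readable.
        for attr in ("action", "href", "src"):
            for key, value in parse_qsl(urlsplit(a.get(attr, "")).query):
                if key.lower() in SECRET_NAMES and value:
                    self.findings.append(("url-parameter", key, attr))
        # Auto-submit on load does not stop a reader from viewing the source.
        if tag == "body" and "submit()" in a.get("onload", ""):
            self.findings.append(("auto-submit", "onload", a["onload"]))


def audit(html):
    """Return a list of (kind, name, detail) findings for one HTML document."""
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

An empty result from `audit()` means no credential-named field or URL parameter was found in the markup sent to the client; it does not cover credentials placed in HTTP headers such as a redirect `Location`.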
