0

In short:

<form method="post" action="">
    <textarea name="foo">bar</textarea>
</form>

I want to POST the value of foo base64-encoded (without using Ajax, to save time).

In detail:

  • I have an interface where people can fire SQL SELECT queries to get simple reports.
  • The network (company firewall) filters the POST request, considering it SQL injection.
  • One solution I can think of is to encode the data and then make the POST request, then decode on the server side.
  • Is there any way to avoid an Ajax solution? That would help me avoid refactoring the code.
Jigar
  • 4
    1. How can the firewall treat all POSTs as SQL injection? It makes no sense and makes the internet unusable. 2. You need to use HTTPS! – Dharman Jan 25 '19 at 11:46
  • 2
    What's your _actual_ question? This reads like a train of thought. What does SQL have to do with this? What does AJAX have to do with it? You want to POST a base64 value? What's stopping you? – Jonnix Jan 25 '19 at 11:46
  • 1
    It's not possible without JS. Use HTTPS, the firewall won't manage to spy on the request. – Mike Doe Jan 25 '19 at 11:47
  • 1
    @emix unless they use a custom certificate to MITM all the connections. Many enterprises do that. – Federico klez Culloca Jan 25 '19 at 11:50
  • @Dharman not all, but randomly some queries are filtered. Maybe some pattern in the query gets matched. – Jigar Jan 25 '19 at 12:02
  • Legacy Code. It's an internal application. Still not using https. Have planned to shift to https. – Jigar Jan 25 '19 at 12:02

2 Answers

3

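You can convert the text value to a Base64 string before submitting the form, without using Ajax, using window.btoa:

// Assumes the textarea has id="foo"; the form in the question only sets name="foo".
var str = document.getElementById("foo").value;
// btoa() throws on characters outside the Latin-1 range.
var enc = window.btoa(str);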

The btoa() method encodes a string in base-64.
This method uses the "A-Z", "a-z", "0-9", "+", "/" and "=" characters to encode the string.

For more information on btoa: https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/btoa

Googlian
1

You don't need to use Ajax. You can use the form's onsubmit event to write a JavaScript handler that encodes the data into a hidden input, which gets sent along with the form (note that the original textarea has no name, so it won't be sent in the POST).

function encodeSql() {
    // Copy the textarea content, Base64-encoded, into the hidden field that is posted.
    var e = document.getElementById('sql');
    var t = document.getElementById('sql_base64');
    t.value = window.btoa(e.value); // btoa() accepts Latin-1 text only
    return true;
}

<form ... onsubmit="return encodeSql()">
    <textarea id="sql">...</textarea>
    <input type="hidden" name="sql_base64" id="sql_base64" />
</form>
Roman Hocke
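
An added example, not part of the original posts: a UTF-8-safe version of the hidden-field approach from the answers above, needed because btoa() throws on characters above U+00FF and encodes U+0080 to U+00FF as single Latin-1 bytes rather than UTF-8. The element ids sql and sql_base64 come from the second answer; the helper names toBase64Utf8, fromBase64Utf8 and plainBtoaFails and the doc parameter are assumptions made for this example.

```javascript
// Added example (not from the original answers); helper names are illustrative.

// Encode text as UTF-8 bytes first, then Base64, so any character round-trips.
function toBase64Utf8(text) {
    const bytes = new TextEncoder().encode(text);
    let binary = '';
    for (const b of bytes) binary += String.fromCharCode(b);
    return btoa(binary);
}

// Inverse operation, mirroring what the receiving side does before use.
// The decoded text is still untrusted input: Base64 changes its
// representation only, so server-side query validation is still required.
function fromBase64Utf8(b64) {
    const binary = atob(b64);
    const bytes = Uint8Array.from(binary, ch => ch.charCodeAt(0));
    // fatal: true rejects byte sequences that are not valid UTF-8.
    return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Reports whether plain btoa() would throw on this input.
function plainBtoaFails(text) {
    try { btoa(text); return false; } catch (e) { return true; }
}

// Submit handler: fill the hidden field; the unnamed textarea is not posted.
// `doc` is passed in so the function can be exercised without a browser.
function encodeSql(doc) {
    const src = doc.getElementById('sql');
    const dst = doc.getElementById('sql_base64');
    dst.value = toBase64Utf8(src.value);
    return true;
}

// Browser wiring; skipped when no DOM is available.
if (typeof document !== 'undefined') {
    const form = document.querySelector('form');
    if (form) form.addEventListener('submit', () => encodeSql(document));
}
```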