Search code examples
pythonhtmlposthidden-field

Python Requests - Hidden input required to POST?


Suppose I have a form like the following with some hidden input:

<form id="myForm" method="post" action="http://www.X.Y/index.php?page=login>

   <input type="hidden" name="Hidden1" value="" />
   <input type="hidden" name="Hidden2" value="abcdef" />
   <input type="hidden" name="Hidden3" value="1234" />
   <input type="text"   name="firstTextBox"  value=""/>
   <input type="button" name="clickButton" value="OK"/>
</form>

I would run a python POST request via:

import requests
s = requests.Session()

postRequest = {'Hidden1': '',
               'Hidden2': 'abcdef',
               'Hidden3': '', 
               'firstTextBox': 'Typed in first text box',
               'clickButton': 'OK'
             }

s.auth = HttpNtlmAuth(username, password)
s.post(url, data=manufacturingRequest)

My question is, did I HAVE to include the hidden inputs in the postRequest dictionary? Can you submit a POST request if you omit elements with a type attribute value of "hidden"?

What's the purpose of websites even having hidden inputs if their values are set to EMPTY string, such as the Hidden1 element in the myForm example above.

EDIT - Second Half

After doing a bit of research, I noticed that some hidden elements had different values each time I visited the page

i.e.

<input type="hidden" name="__REQUESTDIGEST" id="__REQUESTDIGEST" value="0xEB8842A77FE88CA990D2EA0D4BAA0392C13FCEF3DCF3250EBF575B90C03BFBC9AD4D61180DA81DF7B09144BBB04BBFF1565C2ADEE650CCC3D81B149034E711A4,18 Sep 2013 19:48:18 -0000" />

has a time stamp

as well as

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="SOME+VERY+LONG+RSA+STRING">

which had some RSA-like string as its value

Turns out the site gives me a 200 error code if I try to submit a POST with different values than these. Are these extra security measures for the website?

..and IF SO, how can I programmatically send POST requests, accounting for the changing element values?


Solution

  • did I HAVE to include the hidden inputs in the postRequest dictionary?

    No, you do not have to include the hidden inputs. There is no law, treaty, or standard that requires you to include any particular input elements.

    On the other hand, if you fail to include them, then you are doing something different than a browser would do, and the website might take notice of that.

    Can you submit a POST request if you omit elements with a type attribute value of "hidden"?

    Yes, you can. You can also omit elements with a type of text or button. How the website responds is entirely up to it.

    What's the purpose of websites even having hidden inputs if their values are set to EMPTY string,

    The purposes of the website developer is really up to them. You might ask the developers of the website that you are trying to submit to.

    One possible purpose is to identify which form is doing the submission.


    Are these extra security measures for the website?

    Again, ask the owners of the website. It might be security, it might be session management, or it might carry your preferences.

    ..and IF SO, how can I programmatically send POST requests, accounting for the changing element values?

    Fetch the page that contains the form, parse that page, and submit the form with the indicated form variables.