Cryptic subject I realise, but what I'm trying to achieve seems unorthodox at best.
Let me try explaining it in a simple way. And above all, no server side scripting allowed - the webserver has nothing installed that can do it.
So, I've got this page (let's call it "pageA") that has some content. I want to inject something invisible to it, that will post information a variable ("varA") from pageA to a remote URL (let's call it "pageB").
However, the tricky bit is that for pageB to accept the content that I ultimately want to post, I must first generate a variable ("varB") in pageB using a particular form, form1.Once this is done I can then call pageB again, but this time form2, and post the value of varB into it.
This will tell my remote pageB to store the value of varA associated with a dinamically created varB, used for reference.
Any ideas how to make it in a simple way?
In line with the comments below, I agree it would make it clearer to open up a bit more on what I'm trying to achieve.
I have a product in house that filters URLs. If a URL does not exist on the database, access to it is blocked.
I want to report this automatically to the manufacturer's website, rather than doing it manually, so they can add the URL to the database. They provide a facility on their website that allows you to do it manually, but that gets confusing to my non experienced IT users and puts some burden on us to do it ourselves. The manufactures does not yet have an automated facility to aid with this.
So I though about automating it myself.
By modifying my local block page, I could POST the URL to the manufacturer's website, saving me from doing the manual process.
Analysing the manufaturer's URL submission page, I've identified the following two FORMS.
The form "single_ check_form" allows you to check if a URL is categorised:
The result of the above form, populates the variable "sid" with what I believe to be a dynamically generated value, associated with "url", and is then used by the form "result" below:
This form would then submit the sid for categorisation - which must tell it in the back end that "sid" is associated with "url" submitted on the previous form. The reason why they do a two step thing, and the fact that on step two the page displays "confirm that you wish to submit this URL for categorisation" must be to force people to double-check their entries.
Now the key is still that I don't display anything locally on my block pages, as to not confuse my users. As far as they are concerned, they would get a message like:
"The page you are trying to access has been blocked because the URL you have requested is not categorised. Please check again in a few hours"
The page would then submit the uncategorised URL to the manufacturer, and in the next database update, we would hopefully get the URL categorised.
Hope this clears confusion and concerns of any other not so dignified intentions.
Your attempts to simplify the problem to make it easier to understand makes your whole question very difficult to understand at all. Is there any way that you can maybe explain exactly what you are trying to accomplish in reality, instead of renaming things as pageA, varB, etc?
Also, when you say "in the post" do you mean as a POST variable?
Why don't you change the title to something like "How do I perform a Cross-Site Request Forgery?"
I understand what you're asking, I just don't know that I should tell you how to do it...