I am building a script to automate some tasks in a classifieds site I use frequently. I have successfully scripted everything except for 1 piece. I have examined the HTTP posts during login, and there are 2 form values that are being dynamically added to the DOM just before form submission: "x" and "y". I know this because x and y appear in my form post inspector, but these do NOT appear in the page source anywhere. These get set to different integers each time, and I believe they're being used to defeat scripted logins. I believe the server-side code is checking for a match on those 2 vars. The funny thing is the system allows me to login via script (no errors or warnings - I am just not submitting x and y), but when I get down to submitting a classified item, it is not successful. I know I am successfully submitting all form vars on all pages EXCEPT for this x/y stuff on the login page, because all the rest are static.
If I could figure out how to use firebug to attach to the form submit (login) button somehow, and debug through that, I'm sure I could find the mystery code adding the 2 form elements. Or maybe there's a more straightforward way to discover this.
The submit buttons (including the type="image") will automatically submit the position of the mouse when you click that button, as being x= and y=, in case that button has a name. Or even without that, in some browsers, in case of image type buttons.
Probably the easiest way to get rid of that is to use something like:
Thanks for the reply. Your response is reasonable, but I really think the x and y are being used to defeat scripting, for the following reasons:
2- The x and y values cannot be screen coordinates, because the numbers are always small and friendly pairs, such as 12,8 or 24,30 or 6,20 -- etc. If these were coords, the button would have to be very near the top left corner of the screen, and it's not. It's near the middle. If those were really coords then I would be seeing pairs like 658,437, etc.
3- The fact that the DB inserts are not occurring despite the fact that I'm correctly emulating ALL name-value form post fields -- except for the X/Y.
Also, you seem to think I have access to the application's source code. If I did, I wouldn't need to simulate form posts. :-)
If you have any other ideas, I'd love to hear. Thanks.