Encoding the HTTP POST action URL


In the previous examples, the URL payloads have not been encoded. The data appears in clear text as part of the Web browser "Address" line. This may or may not be a security issue. However, it is very simple to encode the URL payload, using the "sigma.lib" functions, and "Sigcmd.exe" program.

This encoding, as discussed previously, provides several advantages, and is well worth the minimal effort required by the developer if the application is to have a substantial degree of sophistication and utility.

First, by encoding and encrypting the URL, the operation of the Sigma Framework is obscured to end users, which will enhance the general security of the program, and promotes the basic concepts of "data privacy."

Secondly, encoding of the arguments prevents special HTML characters (such as spaces, ampersands, and semicolons) from interfering with the normal operation of the user's web browser. This permits data such as ISO characters (for example Chinese characters) to be passed to receiving programs.

In particular, if the programmer encrypts the URL payload, data is handled much more easily. The programmer does not need to worry about special quoting of characters, or about formatting the URL payload solely to permit the URL to be passed from the web browser into the program.
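The following is an added illustration, not code from the Sigma documentation or from the "sigcmd.exe" utility: it shows in Python what percent-encoding of the form arguments buys. An unencoded payload containing a space, an ampersand, a semicolon, a percent sign and Chinese characters is split incorrectly by a receiver that tokenises on "&" and "=", whereas the encoded form is carried through the URL intact and decodes back to the original fields. The field names and sample values are constructed for the example; the Sigma encoding additionally encrypts the payload, which this example does not attempt.

```python
"""Added example (not from the Sigma/BMC documentation): percent-encoding a
form payload so that spaces, ampersands, semicolons, '%' and non-ASCII
characters survive the trip through a URL, and decoding it again on receipt.
Field names and values below are constructed for the demonstration."""
from urllib.parse import urlencode, parse_qs

# Constructed sample form data: every value contains at least one character
# that has special meaning in a URL or query string.
SAMPLE_FIELDS = {
    "email": "first.last@example.com",
    "comment": "Tom & Jerry; 100% sure? 你好",
}

# Characters that may appear in a query string without further encoding:
# RFC 3986 unreserved characters plus the '%', '=', '&' and '+' used by
# application/x-www-form-urlencoded.
_QUERY_SAFE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~%=&+"
)


def naive_query(fields):
    """Join fields with no encoding at all: the clear-text URL the text warns about."""
    return "&".join(f"{name}={value}" for name, value in fields.items())


def naive_parse(query):
    """Split on '&' and '=' the way a receiving program would if nothing were encoded.

    An '&' inside a value is mistaken for a field separator, so the value is
    truncated and a bogus extra field appears."""
    fields = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


def encoded_query(fields):
    """Percent-encode every name and value (UTF-8 bytes for non-ASCII, '+' for space)."""
    return urlencode(fields, encoding="utf-8")


def decode_query(query):
    """Recover the original fields from an encoded query string.

    strict_parsing=True makes malformed pairs raise instead of being dropped."""
    parsed = parse_qs(query, keep_blank_values=True, encoding="utf-8",
                      strict_parsing=True)
    return {name: values[0] for name, values in parsed.items()}


def is_url_safe(query):
    """True when the query contains only characters that need no further escaping."""
    return all(ch in _QUERY_SAFE for ch in query)


if __name__ == "__main__":
    broken = naive_parse(naive_query(SAMPLE_FIELDS))
    print("unencoded comment seen by receiver:", repr(broken["comment"]))
    wire = encoded_query(SAMPLE_FIELDS)
    print("encoded query:", wire)
    print("round trip ok:", decode_query(wire) == SAMPLE_FIELDS)
```

Run it as a script to see the truncated comment field on the unencoded path and the full round trip on the encoded one. The encoded string is exactly what a browser sends for a form with these two inputs; the "sigcmd.exe SG_form" encoding described on this page layers encryption on top of that, so the action URL is not readable in the address line at all.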

Consider yet another simple batch file example, which demonstrates how to encode the URL, so its value is hidden from the browser user. The program below queries an e-mail address, and a comment, from a user, and appends this information to the "\data\comments.txt" file on the system.

@Echo off

REM: Create the form tag. The action URL is encoded by sigcmd.exe.
sigcmd.exe SG_form %0%

REM: "<" and ">" are redirection operators in a batch file, so every
REM: HTML tag echoed below must escape them with "^".
echo Enter e-mail address: ^<br^>
echo ^<input name=email value="" ^>
echo ^<p^>

echo Enter comment: ^<br^>
echo ^<textarea name=comment ^>
echo ^</textarea^>
echo ^<p^>

echo ^<input type=submit ^>

echo ^</form^>

REM: Append any posted data to this file.
type %S_WIN32_POST% >> \data\comments.txt

Several things can be noted from the above example. First, observe that because it is a batch file, and the "<" and ">" characters have special meaning, these characters must be escaped using the "^" character. (This, of course, makes Windows batch file programming less than ideal for scripting screens, but it is good for illustrative purposes.)

The "sigcmd.exe" program is documented in Sigcmd-exe-utility-program, and contains various utilities that correspond to the "sigma.lib" programmer's library. This utility provides various useful functions. The "sigcmd.exe SG_form" command, issued at the top of the program, creates a <form> tag, where the action of the tag is given as the first argument. This action is encrypted. In this case, the action is to execute the above batch file (as given by the "%0%" argument, which is the name of the currently executing program).

When the user clicks the submit button, the program is re-executed by the HTTP server. Any submitted data is placed in the \data\comments.txt file of the system.

Note that, because the argument to the SG_form command is "%0%", the above batch file can be placed in any directory within the "sigma-web" folder, with the following two provisions:

  • The "sigcmd.exe" program must appear in the path of the HTTP server. The utility normally resides in the "sigma\system" directory, and the PATH variable should either be modified to include this directory, or the "sigcmd.exe" program should be copied to some location already in the HTTP server path (such as the %SystemRoot% directory).
  • The batch file should follow naming conventions, including a ".cmd" suffix. (Note that a ".bat" suffix will not work, since these types of batch files display preformatted text and not raw HTML.)

The fact that the "%0%" argument is passed to the SG_form command makes the program completely relocatable, so long as the program resides within the "sigma-web" directory. This means that, if the file is named "900_Comments.cmd" (for example) the file can be copied into the top-level "sigma-web" or lower subdirectories of that folder, and still work without modifications.



BMC Defender SIEM Correlation Server 6.0