Form submit to navigate - confusing me!

I’m trying to access the data at

If I search a county like “richland” it returns results. Then I can click pages. Every link on their site uses a function to navigate. The script is below:

<script type="text/javascript">
var theForm = document.forms['aspnetForm'];
if (!theForm) {
    theForm = document.aspnetForm;
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;

The function is accessed like so: (

<a href="javascript:__doPostBack('ctl00$SiteContentPlaceHolder$DataGrid1$ctl01$ctl06','')">7</a> 

All it it appears to do is change the values of the below inputs, and submit the form.

<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" /> 

It also has a hidden input called __VIEWSTATE which appears to be some type of session ID which has to be changed to send the POST. No big deal.

The real question is, when I input the values into the hidden inputs themselves (EVENTTARGET AND EVENTARGUMENT), and post the form to their site, it doesn’t return anything. But if I use the function to post, it works! Ideas?

The code use above is for .NET postbacks which should only ever be used in .NET applications as ASP.NET compiles the JavaScript above dynamically.

My question to you is what platform are you using and what data are you trying to retrieve for your query?

All I really wanted was to grab their data and store it in my database. I was going to use CURL to post parameters to the page, and get the results. I acquired a fresh VIEWSTATE and VALIDATIONID generated by their site, and posted those too, so I’m confident it my failed POST wasn’t because of that.

To be honest, I found an alternative resource, but I would still like to know why I couldn’t POST the fields found in their site via CURL and receive a response. I even put the page code on my site, clicked the search using their callback function, and it worked. But if I used a regular “Submit” button, the results were blank.

As I said before these are post back specific fields so there is no way you will be able to use them as they are re-generated every single time a new connection is made to the page, you would need to have a direct API that bypasses all this and goes directly to their code source otherwise there is no way for you to collect information from them.

Oh my god. I see. Couldn’t it still be done by getting the initial page contents, analyze the fields and POST back with propper information? eg.

Well name: <input id="generatedid" name="generatedid">

Then use PHP to match between Well name: <input id=" and ", and posting “generatedid” with my own value back to their server. Or am I missing something?

No, any new request made to the file will be invalid as .NET manages all form values to prevent XSS attacks

Chris, forgive me for my lack of knowledge.

So when I choose the search type (like API, name, county, etc) I can see it makes a request to update the values. While it’s beyond my skills, it seems plausible that specialty software could mimic a user using a web browser to send a page request, modify the fields and allow the updated values, and post back. Do you know of anything like this?

Microsoft has designed .NET so you can’t do that, basically this is what’s happening when the page loads.

  1. A new session is created for the user with the unique _EVENT values
  2. The compiler finds the form within the current context and appends the 2 form fields
  3. The session is validated for the request
  4. Anytime a post back is requested these values are validated based on the active session of the user

If an _EVENT value doesn’t match what was found for the users session it will automatically alert the user that something has gone wrong.