Known Participant
February 11, 2007
Answered

Form Risks

I have successfully created my first form using php. However, I am concerned about security. I have researched spam harvesting and realize that the static email address that the form will be sent to probably will be hacked unless I institute some security measures--and that there still is no guarantee that the email will not be harvested or that illegitimate users will not use the form.
But I am more concerned about, and unsure of, the risks to the user. When I test my form in Netscape, I get a warning that the form is unencrypted and could easily be read by a third party (Safari doesn't give this warning). The form is basically asking for users' opinions and does not request any confidential information other than the person's name, organization, and email address.
So I'm wondering what the risks are of having users submit an unencrypted form? Is using a form like this any more risky than a regular email?
Thank you for considering my questions.
Monty
Correct answer Newsgroup_User
> You said the form is not complete. In what way?

The action attribute of the form has not been assigned. When you submit the
form, it won't do anything.

> Also, I'm wondering what the risks are of having users submit an
> unencrypted form? Is using a form like this any more risky than a regular
> email?

Depending on how you process the data and what you do with it, it could be
completely secure.

There are only two ways to process form data -

1. Use mailto:name@example.com as the action of the form
2. Use a server-side scripting method to a) harvest the form's data, b)
process it in some manner, e.g., enter it into a database, c) formulate and
send an email to one or more email recipients, and d) redirect the visitor
to some ending page

Method 1 is quite simple, and is also the least reliable. It depends both
on your visitor having an email client already installed on their computer -
this eliminates public computers, or home users without email clients
installed (more and more it seems) - and on the installed email client
responding to the mailto call. It is not possible to use this method *and*
send the visitor to a thank you page as well.

Method 2a is the preferred method, since it eliminates the problems of
method 1, but it means that you have to grapple with server-scripting somehow
(ASP, CF, PHP, perl, etc.).

Method 2b would be to use some third-party form processing, like
http://www.bebosoft.com/products/formstogo/.

You would have to decide which of these methods is best for your needs,
but if it's Method 2a, then start by asking your host what they provide for
form processing. If it's 2b, then read their FAQ/instructions carefully.


--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com - Template Triage!
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
==================


"MontyC" <webforumsuser@macromedia.com> wrote in message
news:eqnvvl$fcv$1@forums.macromedia.com...
> Thank you for your response, Murray.
> You said the form is not complete. In what way?
> Also, I'm wondering what the risks are of having users submit an
> unencrypted form? Is using a form like this any more risky than a regular
> email?
>
>
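
Added example, not part of any post in this thread: a small Python check that resolves where each form on a page actually submits and flags the cases the thread discusses (a `mailto:` action, an empty action that posts back to the page itself, and submission over unencrypted HTTP). The names `audit_forms` and `classify_action`, the page URL and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a page served over plain HTTP with three forms.
SAMPLE_PAGE_URL = "http://www.example.com/contactus.php"
SAMPLE_HTML = """
<form method="post" action=""><input name="opinion"></form>
<form method="post" action="mailto:name@example.com"><input name="opinion"></form>
<form method="post" action="https://www.example.com/send.php"><input name="opinion"></form>
"""


class FormCollector(HTMLParser):
    """Collect the raw action attribute of every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action both mean "submit to this page".
            self.actions.append((dict(attrs).get("action") or "").strip())


def classify_action(page_url, action):
    """Return (target, transport, self_processing) for one form action."""
    target = urljoin(page_url, action)  # an empty action resolves to page_url
    scheme = urlparse(target).scheme.lower()
    if scheme == "mailto":
        transport = "mailto"      # address sits in the page source, harvestable
    elif scheme == "https":
        transport = "encrypted"   # TLS protects the fields in transit
    elif scheme == "http":
        transport = "cleartext"   # readable by anyone on the network path
    else:
        transport = "other"
    return target, transport, action == ""


def audit_forms(page_url, html):
    """Classify every form found in html as served from page_url."""
    collector = FormCollector()
    collector.feed(html)
    return [classify_action(page_url, a) for a in collector.actions]


if __name__ == "__main__":
    for row in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(row)
```

A `cleartext` result corresponds to the browser warning described in the question; serving both the page and the form target over HTTPS removes it.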


8 replies

MontyCAuthor
Known Participant
February 12, 2007
Thank you both for your responses. And yes, I tested the form and it has been processing correctly and sending me the form by email as I intended.

Monty
Inspiring
February 11, 2007
Gosh - that's right. I'm so accustomed to doing this since Netscape doesn't
'self process' (or was it NN4x?).

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com - Template Triage!
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
==================


"David Powers" <david@example.com> wrote in message
news:eqo5j2$lfv$1@forums.macromedia.com...
> Murray *ACE* wrote:
>>> You said the form is not complete. In what way?
>>
>> The action attribute of the form has not been assigned. When you submit
>> the form, it won't do anything.
>
> Not true. If the action attribute has no value, the form becomes
> self-processing.
>
> --
> David Powers, Adobe Community Expert
> Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
> Author, "PHP Solutions" (friends of ED)
> http://foundationphp.com/


Inspiring
February 11, 2007
Murray *ACE* wrote:
>> You said the form is not complete. In what way?
>
> The action attribute of the form has not been assigned. When you submit the
> form, it won't do anything.

Not true. If the action attribute has no value, the form becomes
self-processing.

--
David Powers, Adobe Community Expert
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
MontyCAuthor
Known Participant
February 11, 2007
Thank you for your response, Murray.
You said the form is not complete. In what way?
Also, I'm wondering what the risks are of having users submit an unencrypted form? Is using a form like this any more risky than a regular email?
Inspiring
February 11, 2007
The form is not complete, and there is no email address exposed in the form
as it is now. There is an email address exposed at the bottom of the page,
but not in the form.

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com - Template Triage!
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
==================


"MontyC" <webforumsuser@macromedia.com> wrote in message
news:eqnk79$2sk$1@forums.macromedia.com...
> Here is the URL for the form: http://www.human-studies.com/contactus.php


MontyCAuthor
Known Participant
February 11, 2007
Here is the URL for the form: http://www.human-studies.com/contactus.php
Inspiring
February 11, 2007
Show us your form, please.

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com - Template Triage!
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
==================


"MontyC" <webforumsuser@macromedia.com> wrote in message
news:eqngdk$s0l$1@forums.macromedia.com...
> I have successfully created my first form using php. However, I am
> concerned about security. I have researched spam harvesting and realize
> that the static email address that the form will be sent to probably will
> be hacked unless I institute some security measures--and that there still
> is no guarantee that the email will not be harvested or that illegitimate
> users will not use the form.
> But I am more concerned about, and unsure of, the risks to the user. When
> I test my form in Netscape, I get a warning that the form is unencrypted
> and could easily be read by a third party (Safari doesn't give this
> warning). The form is basically asking for users' opinions and does not
> request any confidential information other than the person's name,
> organization, and email address.
> So I'm wondering what the risks are of having users submit an unencrypted
> form? Is using a form like this any more risky than a regular email?
> Thank you for considering my questions.
> Monty