
Re: Apache web form



On Sat, 2006-10-21 at 12:53 -0600, Frank Cox wrote:
> I need a simple web form that I can use on my FC5 webserver to gather feedback
> and orders from a website ("Click here to send comments to the webmaster" type
> of thing).
> 
> I have never done anything with forms, and having heard all kinds of horror
> stories about security vulnerabilities in scripts like this I am a bit
> hesitant to grab a random form script from ghawd-knows-where and try to use
> that.

The NMS formmail script is considered a good replacement for the
dangerous Matt Wright one.

There's two halves to what you want to do:

1. Designing an HTML form with the fields you want people to interact
with, which requires knowledge of HTML.  Be aware that your form will
just be a fill-in-the-blanks thing.  There's nothing that stops someone
else from knocking up their own form, and firing off whatever they want
at your webserver.  You've got to be prepared to deal with that.

2. Implementing that formmail script that takes the output from the
submitted form, and e-mails it to someone.  Again, this requires you to
understand what's required of the script.  It's fairly well documented,
just be sure to pay attention to the parts about limiting who can be
sent an e-mail.  You want to set it so that no matter how someone
submits data (including bypassing your HTML form page), that your script
will only send to the people you want it to.  Else you're giving free
rein to spammers.

> Any recommendations for what I should be using?  I would like to be able to
> define text fields (name, address, 50 words or less) and have a drop-down list
> (select your category).  Then click "submit" and have the form emailed.

Most of that is whatever you put in the HTML, though setting a parameter
of 50 words rather than so-many characters, would require post
processing.  The form mail script just passes along what it wants.
Some entries are used directly in the mail (e.g. from addresses, subject
details) if you name the fields correctly.  Others will just appear as
text within the message body, so be sure to choose field names and input
values that make sense to whoever/whatever reads the mail.

Simple example:

<form action="/cgi-bin/mailform.pl" method="post">

<fieldset>
  <legend>Enter your own details</legend>
   <div><label>Name: <input type="text" name="realname"></label></div>
   <div><label>Email: <input type="text" name="email"></label></div>
</fieldset>

<fieldset>
  <legend>Pick your criteria</legend>
   <div><label>Category: <select name="subject">
                           <option value="sales">Sales enquiry</option>
                           <option value="work">Job application</option>
                           <option value="returns">Refunds &amp; returns</option>
                         </select></label></div>
</fieldset>

<fieldset>
  <legend>Type in a message, below</legend>
   <div><textarea name="message" cols="50" rows="20"></textarea></div>
</fieldset>

<fieldset>
 <legend>Action</legend>
   <div>
    <input type="hidden" name="recipient" value="johndoe">
    <input type="hidden" name="redirect"  value="/messageaccepted.html">
    <input type="submit" value="Send"> your entry to us</div>
</fieldset>

</form>

You'd embed something like the above into an HTML page.  Most of that
should be pretty self-explanatory.  The opening form action determines
where the form sends to (the form mail script).  Fieldsets carve apart a
form into sections, where appropriate.  Legends write a legend for that
fieldset.  Labels write a label for a particular input element.

The recipient (johndoe) relies on you having an entry in your form mail
script that associates that name with an address.  You really do NOT
want to write a recipient e-mail address in a form.  They'll get spam
from anyone parsing the form.  And if your script accepts an address
from a form, a spammer putting a different address in the form can make
a nuisance of themselves.  It's much better to specify addresses in the
script.  Outsiders cannot see what's in the script, and cannot modify
it.

The redirect (/messageaccepted.html) is how the NMS form mail script
lets you set what happens after the form has been submitted (a follow up
page is sent to the browser, a sort of a "success" message).

I generally do not bother with a RESET button.  People hit them by
mistake, and it's easy enough to change one or two mistakes in filling in
a form, without starting completely over.


-- 
(Currently running FC4, but testing FC5, if that's important.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
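As an added illustration (not the NMS script, and not code from anyone in this thread): a minimal server-side handler for the form fields above that does what the reply recommends, namely maps the "recipient" alias to an address kept only in the script, rejects any subject or recipient the HTML form never offered, refuses sender addresses containing header line breaks, and applies the 50-word post-processing limit. The mailbox address and the field values are constructed for the example.

```python
import re
from email.message import EmailMessage

# Server-side allowlist: form 'recipient' aliases -> real mailboxes.
# Addresses never appear in the HTML, so they cannot be harvested or swapped
# for a spammer's own.  (Constructed sample address.)
RECIPIENTS = {"johndoe": "johndoe@example.com"}
# The only 'subject' values the <select> offers; anything else is a
# hand-crafted post that bypassed the HTML form.
SUBJECTS = {"sales": "Sales enquiry", "work": "Job application",
            "returns": "Refunds & returns"}
MAX_WORDS = 50                          # the "50 words or less" rule
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LINE_BREAK = re.compile(r"[\r\n]")      # CR/LF in a header value = header injection


def build_mail(fields):
    """Validate submitted form fields (a dict of name -> value).

    Returns (EmailMessage, None) on success or (None, reason) on rejection.
    Sending is left to the caller (e.g. smtplib) so this stays testable."""
    alias = fields.get("recipient", "")
    if alias not in RECIPIENTS:
        return None, "unknown recipient alias"
    subject = fields.get("subject", "")
    if subject not in SUBJECTS:
        return None, "unknown subject"
    sender = fields.get("email", "").strip()
    if LINE_BREAK.search(sender) or not EMAIL_RE.match(sender):
        return None, "bad sender address"
    realname = fields.get("realname", "").strip()
    message = fields.get("message", "").strip()
    words = message.split()
    if not words:
        return None, "empty message"
    if len(words) > MAX_WORDS:
        return None, "message longer than %d words" % MAX_WORDS
    msg = EmailMessage()
    msg["To"] = RECIPIENTS[alias]
    msg["From"] = "webform@example.com"   # fixed sender owned by the site
    msg["Reply-To"] = sender              # the visitor's address, validated above
    msg["Subject"] = "[web form] " + SUBJECTS[subject]
    # Free-text fields go only into the body, never into headers.
    msg.set_content("Name: %s\nEmail: %s\n\n%s\n" % (realname, sender, message))
    return msg, None
```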