Contact / Feedback form; safe or not

[Girard Ibanez]

I would like to include a contact / feedback form page on my site. I did a search and found some info but they all talk about php. Not sure what it is but I am hosting my website on a Team server. http://www.team-raptor.net/myraptor.

From what I understand that if not done correctly, it can be a backdoor for some one to insert a malicious code.

Can some one direct me as to the proper way to make a feedback form safe?

Thanks again,


Girard

[mwinter]

I would like to include a contact / feedback form page on my site.

From what I understand that if not done correctly, it can be a backdoor for some one to insert a malicious code.

The real risk is in allowing a malicious user to use the form to send spam to anyone they choose.

It is feasible that a form mail script could be vulnerable to an injection attack, but it depends on how the server-side mail feature works. For example, with the PHP mail function, someone could send a From value that ends with a CR LF pair, and then specify their own list of headers (perhaps including Cc or Bcc), but validating the input against the syntax for a single address would prevent this.

Can some one direct me as to the proper way to make a feedback form safe?

If you're writing your own form mail script, I'd advise a trusted, pre-existing one. If not, then the form itself isn't a security risk and you don't need to worry about that.

Mike

[Girard Ibanez]

Here's what the form will look like. Not sure how to have it sent to my email.

Code:

<form id="form1" name="form1" method="post" action="????">
      <p>
        <label>Contact Name
        <input name="Name" type="text" id="Name" />
        </label>
      </p>

      <p>
        <label>Email Address
        <input name="Name" type="text" id="Name" />
        </label>
      </p>

       <p>
       <label>Comments &amp; Questions <br />
       <textarea name="Questions &amp; Comments" cols="50" rows="5" id="Questions &amp; Comments"></textarea>
       </label>
       </p>

       <p>
       <label>
       <input type="submit" name="Submit" value="Submit Form For Processing" />
       </label>
       </p>
       </form>

[mwinter]

Not sure how to have it sent to my email.

Does your host offer a form mail script (many do)? Were you going to use a third-party service?

<form id="form1" name="form1" method="post" action="????">

Those id and name attributes are probably unnecessary. The name attribute would only be useful if you're scripting, and probably not even then. At the very least, choose a better value (like "contact").

<p>
<label>Contact Name

These aren't paragraphs. Either style the label element using "display: block", or use a div element.

<input name="Name" type="text" id="Name" />

Again, the id attribute probably isn't necessary, here. It would only be useful for CSS.

<label>Email Address
<input name="Name" type="text" id="Name" />

The same would apply here, though obviously you meant something like "E-mail".

<textarea name="Questions &amp; Comments" cols="50" rows="5" id="Questions &amp; Comments"></textarea>

That id attribute value isn't valid: the ID type has a very limited set of allowed characters.

<input type="submit" name="Submit" value="Submit Form For Processing" />

The name attribute is probably unnecessary. A submit button only needs a control name if there are multiple submit buttons and the form processor would vary how it acts based on which one is used.

Mike

[Girard Ibanez]

Well,

I guess this is above my learning curve at this time.

Thanks again for the input, I'll studied this part in depth once I get all my pages up. I'll even check to see if the host site is capable of doing this type of form.

I appreciate the tips on the proper way to go about this.

Thanks,

mwinter

[mburt]

THe PHP mail function can be very useful too, but as previously said, can be a breeding ground for spam.

[Girard Ibanez]

Do you have another idea for visiting folks to send me feed back or suggestion for site improvements or compliments.


Thanks

[mwinter]

Do you have another idea for visiting folks to send me feed back or suggestion for site improvements or compliments.

Your other option is to include your e-mail address on the contact page (which is fine if you have a good spam filter).

Why are you giving up on the form, though? The only thing you need to add is address of the form processor (the CGI/PHP/ASP/etc. script), and whatever extra information that it needs. If your host doesn't provide the service, there are plenty of free third-party providers (a search for form processor or form mail will return more). Each one should tell you how to configure the form, perhaps showing a basic example, too.

Mike

[Girard Ibanez]

Why are you giving up on the form, though?

Not giving up ....

The only thing you need to add is address of the form processor (the CGI/PHP/ASP/etc. script), and whatever extra information that it needs.

I'm not sure if the site I am using has any of the require programs needed to run forms. The host site is run by another individual like myself who are providing information for folks in the hobby.

In due time I will get with him an see if he can set me up. Last I check when using Front Page, if he could install the server files, he wasn't to sure on how.

[Girard Ibanez]

Mike,

You just jump started me in the right direction. Found a site that will host the forms for a small advertisement logo. This is the url of one of them that I am looking into.

http://www.response-o-matic.com/

Not sure whats in store with these folks as nothing is ever "FREE" and always comes with a price.

No need now to bust my brains on spam and the sort .... but will research even further.


Thanks again,


Girard