
Thread: Contact / Feedback form; safe or not

#1 (joined Jul 2006, 113 posts)

    Contact / Feedback form; safe or not

    I would like to include a contact / feedback form page on my site. I did a search and found some info, but they all talk about PHP. Not sure what it is, but I am hosting my website on a Team server. http://www.team-raptor.net/myraptor.

    From what I understand, if not done correctly, it can be a backdoor for someone to insert malicious code.

    Can someone direct me as to the proper way to make a feedback form safe?

    Thanks again,


    Girard
    Last edited by Girard Ibanez; 09-10-2006 at 02:29 PM.

#2 (joined Dec 2004, UK, 2,358 posts)

    Quote Originally Posted by Girard Ibanez
    I would like to include a contact / feedback form page on my site.

    From what I understand, if not done correctly, it can be a backdoor for someone to insert malicious code.
    The real risk is in allowing a malicious user to use the form to send spam to anyone they choose.

    It is feasible that a form mail script could be vulnerable to an injection attack, but it depends on how the server-side mail feature works. For example, with the PHP mail function, someone could send a From value that ends with a CR LF pair, and then specify their own list of headers (perhaps including Cc or Bcc), but validating the input against the syntax for a single address would prevent this.

    Can someone direct me as to the proper way to make a feedback form safe?
    If you were thinking of writing your own form mail script, I'd advise using a trusted, pre-existing one instead. If not, then the form itself isn't a security risk and you don't need to worry about that.

    Mike
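
The CRLF header injection Mike describes above, as an added example that is not part of the original thread. It is written in Python rather than against PHP's mail() function, but the mechanism is the same: a form value pasted straight into a header line, so a CR LF pair in the value starts a new header (here a Bcc) and turns the form into a spam relay. The addresses, the message-building functions and the validation regex are all constructed for this example and are assumptions, not code from any form mail script.

```python
import re
from email.parser import Parser

# Constructed sample inputs (not from the original thread): a legitimate
# From value and a hostile one that smuggles a Bcc header after a CR LF.
GOOD_FROM = "visitor@example.com"
EVIL_FROM = "visitor@example.com\r\nBcc: victim1@example.net, victim2@example.org"

# Strict single addr-spec: one local part, one "@", one dotted domain and
# nothing else. Deliberately narrower than RFC 5322 (no quoted local parts,
# no comments, no display names); rejecting a few odd-but-valid addresses
# is an acceptable trade for a contact form, and it can never contain
# whitespace or control characters, so it can never contain CR or LF.
_ADDR_SPEC = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_message_unchecked(from_addr, subject, body):
    """The classic vulnerable form-mail pattern: user input is concatenated
    into a header line unvalidated. Line breaks in from_addr or subject
    become additional headers when the mailer parses the message."""
    return (
        f"From: {from_addr}\r\n"
        f"To: owner@example.com\r\n"   # site owner's address is fixed server-side
        f"Subject: {subject}\r\n"
        f"\r\n{body}"
    )


def is_single_address(value):
    """True only if value is exactly one bare e-mail address."""
    return _ADDR_SPEC.fullmatch(value) is not None


def build_message_checked(from_addr, subject, body):
    """Hardened variant: refuse anything that is not a single address, and
    refuse line breaks in the other header-bound field (the subject)."""
    if not is_single_address(from_addr):
        raise ValueError("From must be a single e-mail address")
    if "\r" in subject or "\n" in subject:
        raise ValueError("Subject must not contain line breaks")
    return build_message_unchecked(from_addr, subject, body)


def header_recipients(raw_message):
    """Parse a raw message the way an MTA would and report the recipient
    headers it would honour. With the injected From this includes a Bcc."""
    msg = Parser().parsestr(raw_message)
    return {h: msg[h] for h in ("To", "Cc", "Bcc") if msg[h] is not None}


if __name__ == "__main__":
    print(header_recipients(build_message_unchecked(EVIL_FROM, "hello", "hi")))
    print(header_recipients(build_message_checked(GOOD_FROM, "hello", "hi")))
```

Run stand-alone, the first line shows the attacker-supplied Bcc alongside the owner's To, which is exactly the spam-relay outcome the thread warns about; the second shows only the owner as recipient. The hardened function also hard-codes the recipient rather than taking it from the form, since a user-controlled To field needs no injection at all to relay spam.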

#3 (joined Jul 2006, 113 posts)

    Here's what the form will look like. Not sure how to have it sent to my email.


    Code:
    <form id="form1" name="form1" method="post" action="????">
          <p>
            <label>Contact Name
            <input name="Name" type="text" id="Name" />
            </label>
          </p>
    
          <p>
            <label>Email Address
            <input name="Name" type="text" id="Name" />
            </label>
          </p>
    
           <p>
           <label>Comments &amp; Questions <br />
           <textarea name="Questions &amp; Comments" cols="50" rows="5" id="Questions &amp; Comments"></textarea>
           </label>
           </p>
    
           <p>
           <label>
           <input type="submit" name="Submit" value="Submit Form For Processing" />
           </label>
           </p>
           </form>

#4 (joined Dec 2004, UK, 2,358 posts)

    Quote Originally Posted by Girard Ibanez
    Not sure how to have it sent to my email.
    Does your host offer a form mail script (many do)? Were you going to use a third-party service?


    <form id="form1" name="form1" method="post" action="????">
    Those id and name attributes are probably unnecessary. The name attribute would only be useful if you're scripting, and probably not even then. At the very least, choose a better value (like "contact").

    <p>
    <label>Contact Name
    These aren't paragraphs. Either style the label element using "display: block", or use a div element.

    <input name="Name" type="text" id="Name" />
    Again, the id attribute probably isn't necessary, here. It would only be useful for CSS.

    <label>Email Address
    <input name="Name" type="text" id="Name" />
    The same would apply here, though obviously you meant something like "E-mail".

    <textarea name="Questions &amp; Comments" cols="50" rows="5" id="Questions &amp; Comments"></textarea>
    That id attribute value isn't valid: the ID type has a very limited set of allowed characters.

    <input type="submit" name="Submit" value="Submit Form For Processing" />
    The name attribute is probably unnecessary. A submit button only needs a control name if there are multiple submit buttons and the form processor would vary how it acts based on which one is used.

    Mike

#5 (joined Jul 2006, 113 posts)

    Well,

    I guess this is above my learning curve at this time.

    Thanks again for the input. I'll study this part in depth once I get all my pages up. I'll even check to see if the host site is capable of doing this type of form.

    I appreciate the tips on the proper way to go about this.

    Thanks,

    mwinter

#6 (joined Jul 2006, Canada, 2,581 posts)

    The PHP mail function can be very useful too, but as previously said, it can be a breeding ground for spam.
    - Mike

#7 (joined Jul 2006, 113 posts)

    Do you have another idea for visiting folks to send me feedback or suggestions for site improvements, or compliments?


    Thanks

#8 (joined Dec 2004, UK, 2,358 posts)

    Quote Originally Posted by Girard Ibanez
    Do you have another idea for visiting folks to send me feedback or suggestions for site improvements, or compliments?
    Your other option is to include your e-mail address on the contact page (which is fine if you have a good spam filter).

    Why are you giving up on the form, though? The only thing you need to add is the address of the form processor (the CGI/PHP/ASP/etc. script), and whatever extra information it needs. If your host doesn't provide the service, there are plenty of free third-party providers (a search for "form processor" or "form mail" will return more). Each one should tell you how to configure the form, perhaps showing a basic example, too.

    Mike

#9 (joined Jul 2006, 113 posts)

    Why are you giving up on the form, though?
    Not giving up ....

    The only thing you need to add is the address of the form processor (the CGI/PHP/ASP/etc. script), and whatever extra information it needs.
    I'm not sure if the site I am using has any of the required programs needed to run forms. The host site is run by another individual like myself, who is providing information for folks in the hobby.

    In due time I will get with him and see if he can set me up. Last I checked, when using FrontPage, he wasn't too sure how to install the server files, if he could.

#10 (joined Jul 2006, 113 posts)

    Mike,

    You just jump-started me in the right direction. Found a site that will host the forms for a small advertisement logo. This is the URL of one of them that I am looking into.

    http://www.response-o-matic.com/

    Not sure what's in store with these folks, as nothing is ever "FREE" and it always comes with a price.

    No need now to bust my brains on spam and the sort .... but will research even further.


    Thanks again,


    Girard
