|
pentimento
|
 |
« on: January 18, 2006, 08:17:31 AM » |
|
I know this has probably been covered ad nauseum, but my search came up with an overwhelming number of answers that weren't specific this. I understand that it is not really safe/good practice to use an HTML form, but how do I go about adding an email form to a dreamweaver site? Do I enable a script? I don't know anything about php, etc and don't know where to start! I need to add a form that will go to the client to request information about their services.
Thank you!
|
|
|
|
|
Logged
|
|
|
|
|
Matthew
|
|
« Reply #1 on: January 19, 2006, 10:32:04 AM » |
|
Hello, It is not necessarily the HTML form that is vulnerable, it is the script that processes the data that needs to be secure. You can setup an HTML form using dreamweaver and use the following script that we recommend to process the data: http://nms-cgi.sourceforge.netThere are posts in our How To section of the forum with step by step instructions on installing this. |
|
|
|
|
Logged
|
|
|
|
|
pentimento
|
|
« Reply #2 on: January 19, 2006, 11:31:22 AM » |
|
 Thank you VERY much!
|
|
|
|
|
Logged
|
|
|
|
mnowakow
Newbie
 Offline
Posts: 5
I'm my own worst enemy.
|
|
« Reply #3 on: February 01, 2006, 10:28:47 AM » |
|
I am also trying to do this, BUT get lost when I get to 'THE HTML FORM' Segment ( reference). My issues is that I'm trying to figure out how it relates to the form I build in Dreamweaver. Do I have to look at each field individually? What happens if I have a drop down menu? What about a button? I'm experienced at designing a site, but these types of things are totally new to me. If anyone can offer some help, possibly even visuals, that would be great. I've read and re-read, and still I am coming up with no results. FYI: I am attempting to build a simple for that submits to my email address the following information: -Name -email -Date (drop down menus) -Time (drop down menus) -Selection (drop down menu) Any assistance would be very helpful. I would also in the future like to use a MySQL database to house this info, but I figured the email would probably be the easier of the two to start on. PLEASE HELP. Mike |
|
|
|
|
Logged
|
|
|
|
|
fretnmore
|
|
« Reply #4 on: February 01, 2006, 01:28:33 PM » |
|
Each field in your form has a name (you can set that to be something meaningful to you, or use the Dreamweaver defaults). With your drop down button, whatever they have selected is what the value will end up being for that named field.
When using a button, where only one selection is possible, just give each possible selection (yes or no or whatever) the same name. Then when you are processing the form, that named field will hold the value that was selected.
If your field has the possibility of making multiple selections, you should give each selection a different name. Then when processing show the values for all of the named fields, you will then know which ones were selected.
None of this explains the processing, but it is the name from your form in Dreamweaver which relates one to one to the processing done in the script. I hope that some of this helps.
|
|
|
|
|
Logged
|
|
|
|
mnowakow
Newbie
Offline
Posts: 5
I'm my own worst enemy.
|
|
« Reply #5 on: February 01, 2006, 02:59:00 PM » |
|
That was helpful. Thank you for the info.
Now if I could only better understand the scripting as it relates to how I establish a form in Dreamweaver.
Can anyone lend some advice/knowledge?
Thank you.
|
|
|
|
|
Logged
|
|
|
|
|
leighsww
|
|
« Reply #6 on: February 02, 2006, 11:16:14 AM » |
|
Once you create your form in DW, use the tutorial (the one you had linked to in your first post) to configure the settings.
Print it out and follow it step by step and although it's lengthy, it's not hard, so don't let the amount of text overwhelm you.
Basically, you configure the settings that are shown in the tutorial (in the script and html form) to customize to your specific parameters.
If you run into problems, post back here (or start your own thread in the "CGI" section of the forums) and I will help you.
|
|
|
|
|
Logged
|
|
|
|
|
|
|
leighsww
|
|
« Reply #8 on: February 20, 2006, 01:31:26 PM » |
|
Okay, but make sure you read this regarding form exploits: http://www.lunarforums.com/forum/index.php?topic=29509.0Here's two very detailed info sites about "email injection exploits" which you should read, especially if you are using a php processing method for your forms: http://www.nyphp.org/phundamentals/email_header_injection.phphttp://securephp.damonkohler.com/index.php/Email_InjectionFor someone who knows php, coding all the "solutions" described in the links above isn't a problem, but if you're not sure how to code this stuff, then the NMS FormMail script is one of the more secure scripts out there (which is probably why LunarPages recommends it) and doesn't need extensive coding skills. After much perusing the internet for more info on both this "email injection exploit" and the NMS FormMail script, I found that the reason the NMS FormMail is highly recommended and what makes it a less vulnerable script, is due to the following attributes in the script ... the allow_mail_to, referrer and max_recipients. It seems the NMS FormMail script is a more secure script than most. |
|
|
|
|
Logged
|
|
|
|
|
pentimento
|
|
« Reply #9 on: February 20, 2006, 09:43:19 PM » |
|
Thanks! Okay, I changed the names of the scripts but are they still vulnerable? I guess I will go back to the nms form and try again. I got confused at the html part, but after playing with the other script, I might have a better handle on it.
|
|
|
|
|
Logged
|
|
|
|
|
leighsww
|
|
« Reply #10 on: February 20, 2006, 10:01:17 PM » |
|
It's not only so much the names of the scripts that's the vulnerability, but how the scripts are written.
When you have something ready, post a link to your form and we'll help you with it, if you're having trouble.
|
|
|
|
|
Logged
|
|
|
|
|
pentimento
|
|
« Reply #11 on: February 20, 2006, 10:20:22 PM » |
|
Thank you! I found the other thread about email links and was led to this javascript method for email links. Although I still need to finetune the form for this project, is this javascript safe for places where I just need a mailto link? http://kb.iu.edu/data/alcm.html#reformat<a href='javascript:window.location="mail"+"to:"+"user"+"@"+"domain"+"."+"com";' onmouseover='window.status="mail"+"to:"+"user"+"@"+"domain"+"."+"com"; return true;' onmouseout='window.status="";return true;'>Click here to send mail.</a> I will have to work on the forms again tomorrow. I'm afraid I have the email to form owner in there so I guess it is still vulnerable. |
|
|
|
|
Logged
|
|
|
|
|
SOU610
|
|
« Reply #12 on: February 21, 2006, 04:11:46 AM » |
|
Yes and no. For the average users, yeah it'll work. However, if the user has javascrpit turned off, then it won't. Furthermore, don't depend on just the form page for security. Somebody could look at your form's source code to find the name and location of your handler script. Once equipped with that information, they could create their own page on a completely different host and target your script. That's another nice feature of NMS FormMail; you can specify the domain(s) allowed to use it. That way if somebody with nefarious intentions does figure out your mailer’s path, it’s useless to them (unless they hack your account by other means and plant a file). (I'm sure somebody will be able to expand more on what I said. This is stuff I've picked up over the years by reading and personal experience so it's kinda nebulous... and some of it could be wrong too.  ) |
|
|
|
|
Logged
|
|
|
|
|
|
|
leighsww
|
|
« Reply #14 on: February 27, 2006, 09:50:40 PM » |
|
Oh, one thing I did spot after looking again at your source code. Remove this tag (it's the one after your "action" tag above your "hidden" tags): <input type="textbox" name="email"> You already have an "email" field specified further down as: <input name="email" type="text" id="email" size="24" /> So you don't need that prior tag. |
|
|
|
|
Logged
|
|
|
|
|
