Online Forms Offer Better Data, More Security, and Less Spam
Unless you are a hermit or have terribly poor Internet manners, you’ll want to give your online visitors a way to contact you by e-mail.
The Mailto: Link
The easiest method, of course, is to include a mailto: link on your webpage, such as: "Please contact me if you desire." When your visitor clicks on the hyperlinked words, it pulls up the visitor’s e-mail program to send an e-mail. The HTML syntax is relatively simple:
<a href="mailto:you@example.com">Please contact me if you desire</a>
(replace you@example.com with your own address)
By adding a subject= parameter after a question mark you can pre-fill the subject line and so segregate these e-mails by subject as they are delivered to you (spaces in the subject are written as %20):
<a href="mailto:you@example.com?subject=Website%20inquiry">Please contact me if you desire</a>
Nearly anyone can add a mailto: link to a webpage. But there are two drawbacks:
- Spam. The underlying e-mail address is inevitably sucked up by spambots, resulting in an increasing deluge of spam.
- Incomplete Data. Though you can control the subject line and will retrieve your sender’s e-mail address (and perhaps name), you often don’t get essential information such as phone number, address, etc. that enables you to provide immediate help.
Online Forms
A step forward is the use of an online form that provides fields for each piece of data you ask for. You can make some fields required, thus providing data consistency and completeness. An old standby is Matt Wright’s legendary FormMail program written in Perl (http://www.scriptarchive.com/formmail.html). Matt plugged some serious security holes in 2002, but such programs continue to have two weaknesses:
- Spam. Though hidden from view, your recipient e-mail address may still be accessible to spambots unless the program is custom written.
- Security. Many generic form programs like FormMail can expose to view the file structure of your server, making it much easier for malicious or thieving hackers to attack your server, find your server password file, download your data, or perhaps even corrupt or destroy your site. Hackers also attempt to insert characters into data fields that will trigger errors that, in turn, expose your web server’s file structure.
More Secure Forms
Modern forms are designed for greater security against both spam and hackers.
- Hidden configuration files. These days most forms hide sensitive data such as recipient e-mail address and file structure in a configuration file that cannot be viewed from a browser interface.
- Field verification can prevent hackers from entering characters into your fields to provoke errors. Verification is best accomplished "server-side" by your forms program, rather than "client-side" using JavaScript on your visitor’s web browser — which can be bypassed by hackers.
- JavaScript field verification, however, helps you get more consistent, error-free data from your visitors, avoiding skipped fields, incorrect characters in a field, etc.
- CAPTCHA applications are a type of graphic challenge-response system. They display a word that (hopefully) can’t be read by a hacker’s computer, forcing hackers to personally look at each form they fill out. Hackers still pester some, but a CAPTCHA application does cut down on wholesale form spamming.
- ScanAlert (www.scanalert.com) from McAfee is a paid service that regularly attempts to hack into your website, looking for poorly written programs and older versions of server software, PHP, MySQL, as well as other security problems. Sites that withstand this kind of scrutiny can display the HackerSafe logo, which has been often demonstrated to increase sales 10% to 15%. Without this kind of service, your site is likely to become vulnerable to attack without you even being aware of problems.
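As an added example (not code from the page or from any of the tools it lists), here is a Python server-side validator that implements the verification described above: required fields, a strict e-mail and phone format, rejection of line breaks in any field that ends up in an e-mail header, and a recipient address kept in the program's own configuration rather than in the HTML. The field names, limits and recipient address are assumptions.

```python
import re
from email.message import EmailMessage

# Assumed configuration: in a real deployment this value is read from a file
# outside the web root, so the address never appears in a page a spambot can fetch.
RECIPIENT = "owner@example.invalid"  # constructed placeholder

REQUIRED = ("name", "email", "phone", "message")          # assumed field set
HEADER_FIELDS = ("name", "email", "subject")              # values that reach e-mail headers
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"[0-9 +()-]{6,20}")
MAX_MESSAGE = 4000

def validate(form):
    """Return a list of error strings; an empty list means the submission is acceptable."""
    errors = []
    for field in REQUIRED:
        if not str(form.get(field, "")).strip():
            errors.append(f"{field}: required")
    # A CR or LF inside a header value would let a visitor append extra header lines,
    # so these characters are refused outright rather than escaped.
    for field in HEADER_FIELDS:
        if "\r" in form.get(field, "") or "\n" in form.get(field, ""):
            errors.append(f"{field}: line breaks not allowed")
    email = form.get("email", "")
    if email and not EMAIL_RE.match(email):
        errors.append("email: not a valid address")
    phone = form.get("phone", "")
    if phone and not PHONE_RE.fullmatch(phone):
        errors.append("phone: digits, spaces and + ( ) - only")
    if len(form.get("message", "")) > MAX_MESSAGE:
        errors.append("message: too long")
    return errors

def build_message(form):
    """Validate the submission and build the e-mail; raises ValueError on bad input."""
    errors = validate(form)
    if errors:
        raise ValueError("; ".join(errors))
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = RECIPIENT                # send from your own domain ...
    msg["Reply-To"] = form["email"]        # ... and put the visitor in Reply-To
    msg["Subject"] = "Web form: " + form.get("subject", "no subject")
    body = "\n".join(f"{k}: {form[k]}" for k in REQUIRED)
    msg.set_content(body)
    return msg
```

The errors list is what the form page should show back to the visitor; only a submission with an empty list should be passed to build_message and sent.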
Some Helpful Tools
Here are form tools that may prove helpful. As you look for a program for your site: (1) observe how highly it is rated and by how many users, (2) read user reviews, (3) see if an online forum is available for support and user questions, and (4) look for a recent update date, a sign that a program is still under active development.
- PHP Form Mail Script from Stadtaus.com offers a powerful program that provides form customization within your site, error messages, hidden configuration, attachments, customizable e-mail templates, and a CAPTCHA feature. Free for non-commercial sites, $29 or 19 EUR for a license. An installation service is available, but installation is relatively simple for those with some basic programming skills. http://stadtaus.com/en/php_scripts/formmail_script/
- The PHP Resource Index under "Form Processing" lists and provides ratings for more than 150 programs written in PHP. http://php.resourceindex.com/Complete_Scripts/Form_Processing/
- The CGI Resource Index under "Form Processing" lists and provides ratings for more than 100 programs written in Perl. http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Form_Processing/
- Stephen Poley, "JavaScript form validation - doing it right," offers sound guidelines, examples, and code for field-by-field JavaScript verification. http://www.xs4all.nl/~sbpoley/webmatters/formval.html
- Jcap (CAPTCHA Validation JavaScript) by Jonathan Feaster (Archreality, January 10, 2006) is a JavaScript implementation of a CAPTCHA application. It installs with relative ease and works well. It lacks, however, an alternate e-mail address for sight-challenged users.