Force user to fill in email on form

[fauntleroy]

Hi there,

I'm very new to this (form creating). I created an online form with Network Solutions. It was a very fundamental looking thing with limited text fields. I then downloaded that form and customized it in Dreamweaver ... adding additional radio buttons and such. I was successful for the most part, but for a couple problems.

When I created the online form, I was able to designate mandatory and non-mandatory form fields. When I got to the email field, I chose an "email" option for that text field (instead of mandatory and non-mandatory). Now, the user can fill out and submit the entire form without filling in their email address. That field, is of all fields, too important to be left empty by the user.

I cannot locate any code in the form formfeedback.html that controls this issue. The answer must be somewhere in the FormMail.formfeedback.pl file in the cgi folder? ... but that document is about five feet long and I can't for the life of me locate where the info is to alter the email field's behavior (forcing the user to fill it in).

Just in addition, is Microsoft Word a program I can use to alter the .pl document? I'm asking because I altered a previous .pl document with it on a test form, and then the form stopped working (processing). I'm on a MAC.

Thank you for any help.

The form is here

http://029c932.netsolhost.com/formfeedback.html

The .pl document, pasted into an html document (if this is useful) is here

http://www.estateplanningsmarts.com/pl.html

 

[ChrisHunt]

There's two things you should do.

Your form's already got some Javascript validation to enforce mandatory fields, so you need to add the email field to the list of fields to check:

var inputFields = new Array("first name:" ,"last name:" ,"company or organization:" ,"street address" ,"city:" ,"state_prov" ,"zip_postal code:" ,"country:"[red],"formmail_mail_email"[/red]);

However, you shouldn't rely on Javascript alone to validate input, as users might have it switched off. To get formmail.pl to check them as well, add this line somewhere inside the form:

<input type="hidden" value="first name:,last name:,company or organization:, street address,city:,state_prov,zip_postal code:,country:,formmail_mail_email">

Incidentally, I wouldn't recommend naming fields with spaces or colons in them, as it may cause problems for you down the line.


-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[feherke]

Hi

<input type="hidden" value="first name:,last name:,company or organization:, street address,city:,state_prov,zip_postal code:,country:,formmail_mail_email">

I think you missed an attribute... A [tt]name[/tt] ?

However, communicating the list of required fields to the CGI script sounds quite useless to me.

Feherke.

http://rootshell.be/~feherke/

 

[ChrisHunt]

Oops. I think it should be [tt]name="required"[/tt] - it's all in the script's README file.

The reason you pass the list to the CGI script is to act as a second line of defence in case the user has Javascript switched off. Otherwise, I can just switch JS off and submit forms with none of the required fields filled in.

The script has coding in it to check those fields and redisplay the form if any of them are empty. It's not as friendly as Javascript validation, but it's better than nothing.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[feherke]

Hi

it's better than nothing

Yep, that is the precise wording.

Before switching off the JavaScript the user could execute this bookmarklet in their Mozilla or Mozilla based browser :

javascript:for(i=0;f=document.getElementsByTagName('input')[i++];)if(f.type=='hidden')f.type='text';void(0)

That will make the required fields list editable.

Feherke.

http://rootshell.be/~feherke/

 

[ChrisHunt]

True. And if an attacker wanted to, they could construct their own HTML page to call up the formmail script, with whatever (lack of) validation they like.

That's why I'd prefer to specify required fields in the script instead of in the html - but that doesn't appear to be an option with formmail.pl (according to my quick reading of the docs). This is one reason why I don't use this script myself.

So should the OP use something else? Possibly, but you have to weigh up the inconvenience against the level of threat. The only thing an attacker can do is send emails with fields left blank - I don't think that's a big problem.

The code I gave should prevent anybody inadvertantly sending messages with missing data. Sure, they can do so deliberately if they know how, but why would anybody bother?

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[fauntleroy]

Thank you guys for taking the time. It's greatly appreciated! Yes, it looks like the JS code is in the form's html document so that's a great revelation for me ... and a quick fix for a form like this that doesn't hold any vital info.

I may have gotten a bit lost as you started conferring with each other. If I picked up on this correctly ... are you saying the code that should be added for extra security should read like this?

<input type="hidden" name="required" value="first name:,last name:,company or organization:, street address,city:,state_prov,zip_postal code:,country:,formmail_mail_email">

I see the word "required" in the "read me" file on several instances, but for me, it's not clear just how it's to be placed in the form properly.

When I have a form working, I'm very concerned about messing up the code. It's like adjusting a grenade pin (figuratively of course).

 

[PaulTEG]

one can learn lots from 'figuratively' adjusting the pin of a grenade, the trick is making sure it's not the last thing you ever learn, ... it's why we use backups ;-)

Paul
------------------------------------
Spend an hour a week on CPAN, helps cure all known programming ailments ;-)