Using Javascript Form

  vinnyo123 18:46 03 Dec 2004

I am currently using a small javascript form on a few of my sites for customers to fill out and submit. The submit function calls the client's e-mail software and sends it to the desired e-mail address with the objects listed and whatever the clients posted in the form.
I need to encrypt the pipe traffic for one site as customers are filling in some info needed to be encrypted. I was looking into SSL on my server but not too happy with the prices for a certificate. Was wondering if anyone could give some suggestions on how I can get this traffic encrypted from the client's PC (via my site, javascript form, using client's e-mail software running in background)?

Thanks in advance.

  Taran 00:18 04 Dec 2004

It would help to know the nature of the information being handled and why it is necessary to encrypt it.

I am not questioning your motives - it is merely that there are ways and means of handling data from form submissions and most of them don't need encryption, although it can be desirable if certain information is hidden.

You can do a great deal in security terms by using alternative methods, but this would depend entirely on what you want to handle and how/why you want it protected.

  Forum Editor 08:18 04 Dec 2004

Surely, if you are asking people to submit information that is sensitive enough to need encryption you should be providing them with the reassurance of a secure server shouldn't you?

I certainly wouldn't fill in any form that asked for such information unless it was on an https page.

  vinnyo123 13:16 04 Dec 2004

Agreed, put an SSL certificate on server and that's that. Information is going to be house addresses and phone numbers.


  vinnyo123 13:52 04 Dec 2004

Ok back again, now that I have SSL on this page with the JAVA form. I understand everything transferred from there would be encrypted, let's say via PHP, CGI, FTP etc. Now if my form (JAVASCRIPT) calls for client's e-mail software and inserts form and sends it via SMTP, wouldn't SSL not be encrypting traffic once SMTP takes over?

Just can't get the OSI layers in this one (trying to figure this one out)?

thanks again

  vinnyo123 02:40 05 Dec 2004

Ok would I need for TLS or STARTTLS through E-mail clients and servers to take over?

  Taran 20:38 05 Dec 2004

You're losing me completely with talk of your form calling your client's email software.

Any mailto:[email protected] link will open up an email program.

The entire point to a web form is to handle submitted data, in a format controlled and set up by you, and without the need for an email client (program) of any description on the site visitor's machine.

User registration, authentication and similar can all be handled using cookies or sessions (preferably both) and, for the life of me, I can't understand why an address and/or phone number would need to be securely transmitted, unless you have some very unusual requirements. It seems like a hammer and nut situation, but then I don't have all the details and so that may be an unfair comment.

JavaScript is a bit of a thorny issue as well. Unless you're using it to pass a variable to a dynamic page I'd avoid it wherever possible. Some would disagree, but many browsers fall flat with complex JavaScripts, some people disable it for security reasons, and anything processed by the web browser, no matter how cleverly encrypted, is still potentially far more open to security holes than something processed by the web server.

Ho hum...

Something for you to think about:

<FORM ACTION="https://ssl.yourdomain.com/~pathway/cgi/mail-secure.vws?webmaster" METHOD="POST">

Then include a hidden form field along the lines of:

<INPUT NAME="next-url" TYPE="hidden" VALUE="https://ssl.yourdomain.com/~pathway/sslthanks.html">

That gives you the form handler location via the certificate (without getting into the technicalities) and sends the form submitter to the 'thank you' page.

The actual code differs from web server/host and they will be able to help you set things up on your particular web account.

I still have my doubts about the necessity of any form of secure transfer if a domestic address and telephone number is all you plan to have sent to you.


  vinnyo123 21:50 05 Dec 2004

OK, understand where you're coming from. The Javascript is using the mailto tags which calls client's e-mail software and inserts the text from the form and emails it out.
Here's what I am trying to do. I set up a nice little web site for a pizzeria and I would like to test some online ordering for them. Right now the set up is working great, customer fills out form and it e-mails order to pizzeria and they can get name, address and phone number when they receive the e-mail on PC set up to receive mail. Now I am looking down the road for future needs like possibly credit card numbers and more likely a shopping cart. So I am dabbling in SSL, I have set up server with an SSL certificate and can get a secure session but I lose this when I use the mailto tags. So I am looking for a way around this but server is not set up to run PHP and not sure about CGI or any other language that supports forms.

Hope this makes some sense?

Thanks again

  Taran 22:40 05 Dec 2004

OK, now we're getting into a large arena with no small answers.

If your server does not support PHP or ASP, I'd consider changing web host for a start. Both languages offer such a vast scope for data handling and both lend themselves very well to small-scale commerce operations.

If we use PHP and MySQL as a base to operate from, this is a very brief overview:

For your needs, you don't need to store credit card details since most orders will be one-off payments and, if you take my advice, you won't ever store CC details.

You should think along the lines of accepting them and then forwarding them direct to your transaction processing gateway for approval. Storing CC details is a minor nightmare and requires very, very careful thought and preparation, as well as a healthy degree of paranoia.

There are various ways of using encryption within PHP, but if we assume that you use one of them, you 'send' the form fields to your secure_form_handler.php file on the web server.

The secure_form_handler.php file will encrypt the form fields and without the necessary key to decrypt them it will look like so much junk, along these lines:





Basically, the message is sent from the web form to your web server script which encrypts it and passes it onto your SMTP handler. SMTP sends it to the destination mail server, and when the message is downloaded via POP or IMAP to an inbox it is decrypted using an appropriate key.

Obviously the above is an encrypted message to someone, and not a useful solution for an ordering system, but it loosely illustrates the concepts involved.

You can send through SSL as well, and if you want to send to a payment processor they will supply the relevant code for you to use, rather than have you bang your head off a wall.

Real time CC processing can be expensive - you have been warned.

SSL is a huge topic. Have a look through your web hosts help and support files, and consider changing hosts to take advantage of CGI and PHP.

There are any amount of excellent shopping scripts freely available and, as I've said, your host should be able to assist with SSL.

Plain vanilla HTML just won't cut it though. Sooner or later you're going to have to get into data management, so make it sooner rather than waiting until you absolutely have to do it.

Assuming that you still want to 'roll your own' solution, I suggest that you consider PHP and MySQL or ASP and Access.
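
The flow Taran describes (form posted over HTTPS to a server script, which encrypts the fields before they go to SMTP, with decryption only in the recipient's inbox), as an added example that is not part of the original post or thread. It assumes PHP 7.3+ with the bundled sodium extension and uses libsodium sealed boxes as the encryption method, which is this example's choice; the function names and the sample order are constructed for illustration.

```php
<?php
// Added illustration of a secure_form_handler.php style script; not code from the thread.
// Constructed key pair so the example runs offline. In a real deployment it is
// generated on the recipient's PC and only the public key is copied to the server.
$recipientKeypair = sodium_crypto_box_keypair();
$recipientPublicKey = sodium_crypto_box_publickey($recipientKeypair);

/** Validate the posted fields and return a clean array, or throw. */
function validate_order(array $post): array
{
    $clean = [];
    foreach (['name', 'address', 'phone', 'order'] as $f) {
        $value = trim((string)($post[$f] ?? ''));
        if ($value === '' || strlen($value) > 500) {
            throw new InvalidArgumentException("Missing or oversized field: $f");
        }
        $clean[$f] = $value;
    }
    if (!preg_match('/^[0-9 +()-]{7,20}$/', $clean['phone'])) {
        throw new InvalidArgumentException('Phone number has unexpected characters');
    }
    return $clean;
}

/** Encrypt the order to the recipient's public key; returns a mail-safe body. */
function seal_order(array $order, string $publicKey): string
{
    $plaintext = json_encode($order, JSON_THROW_ON_ERROR);
    $sealed = sodium_crypto_box_seal($plaintext, $publicKey);
    return chunk_split(base64_encode($sealed), 76, "\r\n");
}

/** Run on the recipient's PC after the mail is downloaded over POP or IMAP. */
function open_order(string $body, string $keypair): array
{
    $sealed = (string) base64_decode(preg_replace('/\s+/', '', $body), true);
    $plaintext = sodium_crypto_box_seal_open($sealed, $keypair);
    if ($plaintext === false) {
        throw new RuntimeException('Decryption failed: wrong key or altered message');
    }
    return json_decode($plaintext, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample submission standing in for $_POST received over HTTPS.
$samplePost = ['name' => 'A. Customer', 'address' => '1 Example Street',
               'phone' => '555 0100 123', 'order' => '1 large margherita'];
$body = seal_order(validate_order($samplePost), $recipientPublicKey);
echo "Mail body handed to SMTP (unreadable without the private key):\n$body\n";
print_r(open_order($body, $recipientKeypair));
```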

  vinnyo123 00:04 06 Dec 2004

Understood, I fully understand the scope of this and like you said sooner is better to jump in.

Ok, there is another situation: I have been avoiding PHP and CGI and ASP because my server is actually running on my site. I've been running and administrating it for about a year now. It originally started as a learning process with server and all its configurations and everything else that goes with it. I also ran IIS lockdown tool and remember not enabling these features, also tested to see if PHP was able to run on server and it is not. So now I have to figure out which is the easiest set to get going, like you said ASP and Access or PHP and MySQL. The first seems least expensive but not sure which is more secure.

Again I thank you for your time and opinions. Always more and more to learn in the field LOL.
Also as for SSL I have a certificate and it is installed and running as https site if I like.

  Forum Editor 00:22 06 Dec 2004

you want to head towards online Cardholder-not-present transactions you're entering a world where there are ready-made solutions. You don't need to start writing anything yourself, because you can buy a tried and tested solution off the shelf.

You'll need an online merchant account with your bank to start with, and that's not always a walk in the park unless you already have an offline merchant status with them. Most of the banks use what are called development partners. These companies are the buffer between an online trader and the bank itself, and all payments go via them. Two of the better known development partners are WorldPay and Streamline.

All this can get quite complicated and quite expensive, and there are cheaper third-party payment processors for the smaller business. These companies handle all the payment processing for you, and charge a fee per transaction, based on the transaction total for a given period. PayPal is one of the better-known third party processors, and many thousands of small online businesses use them.

If you are serious about the e-commerce aspects of your project my advice is to forget all about developing a solution yourself, and start checking out what's already available and working for tens of thousands of others. Online order submission is a piece of cake with any of the commonly used shopping cart applications.

This thread is now locked and can not be replied to.
