Code:
    <form name="contact" method="post" action="http://.../FormMail.cgi">
    <BR>First Name: <input type="text" name="First Name" size="18" onBlur="MM_validateForm('Email','','RisEmail');return document.MM_returnValue">
    RATING (out of 5):
    <select name="querytype">
      <option value="select">Please select...</option>
      <option value="1">1</option>
      <option value="2">2</option>
      <option value="3">3</option>
      <option value="4">4</option>
      <option value="5">5</option>
    </select>
    <BR> Your Review: <textarea name="Your Review" cols="40" rows="3"></textarea>
    <input type="submit" name="Submit" value="Submit">
    <input type="hidden" name="recipient" value="*MY EMAIL ADDRESS*">
    <input type="hidden" name="redirect" value="*REDIRECT SITE URL*">
    <input type="hidden" name="subject" value="*SUBJECT*">
    </form>
Hi all!
I am after some help with my HTML Form... I want to know if it is possible to either make the Email Subject the Meta Title or the URL of the PAGE the form is being submitted from or include the Title or URL in the email like a hidden field - as I will have the same (code) form on several pages via my website's "skin" and I want to avoid the (painful) manual task of putting the code on each page individually.
Thanks heaps
Oh dear, oh my.
There are just so many things that bother me about this sample of code. I'll get to them after I answer your question so that you can choose, if you like, to ignore them (*sigh*).
Code:
    <!-- Place after the form so that document.contact already exists -->
    <script type="text/javascript">
      document.contact.subject.value = document.title;
    </script>
Very similarly:
Code:
    <!-- Place after the form so that document.contact already exists -->
    <script type="text/javascript">
      document.contact.subject.value = document.URL;
    </script>
Now, to the things that need to be fixed:
You're using CGI to process your form, but you're hard-coding your email address, subject, and redirect URL into the form, where ANYONE can HIJACK them. Why aren't you adding this information on the server where no one can mess with it and no one can see it?
It certainly doesn't appear that you're doing any validation other than through JavaScript, which can be avoided by simply...wait for it.....turning JavaScript off. Again, you're processing the email form with a script, so why aren't you doing validation there? (I'm assuming that you aren't, forgive me if I'm wrong. There are no error cases hidden in the HTML, so I assumed.)
And the most important question: if you're using CGI to process the email, why can't you just pull the referring URL and add it to the subject?
-rockerest
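The three points from the answer above (fixed recipient, server-side validation, subject taken from the referring URL), done on the server, as an added example that is not code from the thread or from FormMail.cgi. The addresses, host name and function names are assumed placeholders; the field names are the ones in the form from the question.

```python
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumed server-side settings (placeholders); never read from the form.
RECIPIENT = "reviews@example.com"
SENDER = "webform@example.com"
SITE_HOST = "www.example.com"
MAX_REVIEW_LEN = 2000


def page_from_referer(referer):
    """Return the submitting page's path if the Referer is on our own site."""
    try:
        parts = urlsplit(referer or "")
    except ValueError:
        return "unknown page"
    if parts.scheme in ("http", "https") and parts.hostname == SITE_HOST:
        return parts.path or "/"
    return "unknown page"  # header is client-supplied: may be absent or forged


def build_review_email(form, environ):
    """Validate the posted fields and build the message.

    form: dict of posted fields; environ: CGI/WSGI-style environment dict.
    Returns (message, errors); message is None when validation fails.
    """
    errors = []
    name = (form.get("First Name") or "").strip()
    rating = form.get("querytype", "")
    review = (form.get("Your Review") or "").strip()
    if not name or len(name) > 60 or any(c in name for c in "\r\n"):
        errors.append("First Name is required (one line, max 60 chars)")
    if rating not in {"1", "2", "3", "4", "5"}:
        errors.append("Rating must be 1-5")
    if not review or len(review) > MAX_REVIEW_LEN:
        errors.append("Review is required (max 2000 chars)")
    if errors:
        return None, errors

    page = page_from_referer(environ.get("HTTP_REFERER"))
    # Drop control characters so the path cannot break the Subject header.
    page = "".join(c for c in page if c.isprintable())[:200]
    msg = EmailMessage()
    msg["To"] = RECIPIENT  # any posted "recipient" or "subject" is ignored
    msg["From"] = SENDER
    msg["Subject"] = f"Review for {page}"
    msg.set_content(f"Name: {name}\nRating: {rating}\n\n{review}\n")
    return msg, []
```

With this in place the hidden recipient, redirect and subject inputs can be deleted from the form, since nothing on the server reads them.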