hey_david has asked for the wisdom of the Perl Monks concerning the following question:

I was planning on writing my own script to do automated form processing on a web-hosting server. The kind of setup where a client only needs to know how to create an HTML form, and perhaps specify some field constraints and an email address in a config file. The script would validate the data from each submission and send it in an email and/or append a record in a database file.

But surely this has been done before. For example, I just discovered one solution called BNBForm.

If you have any experience with this program or any like it, I'd certainly value your thoughts.

Thanks,

David

(PS If you think I should be posting this somewhere else, I'd appreciate any suggestions where.)

Re: Automated Form Processing
by nutshell (Beadle) on Sep 30, 2002 at 02:53 UTC
    If your solution (BNBForm) does what you want then what's wrong with using it? The subject matter here is simple enough I believe it'd work nicely :)
      Just picking up on this, there are a couple of reasons why I wouldn't use the BNBForm ...

      • This script uses a hand-rolled CGI parameter parsing routine which, while not as poorly written as that in some scripts, is still vulnerable to exploitation - For a further discussion of this, see the excellent discussion piece use CGI or die; by Ovid.
      • This script allows the email address of the recipient to be specified from a form field, allowing the script to be hijacked for the purposes of harassing email or unsolicited commercial email.
      • This script relies upon the HTTP_REFERER environment variable to validate the submitting web site domain - This can be faked such that, in combination with the point above, it provides little security from hijacking of the script for maligned means.

      Instead, I would recommend the FormMail script from the NMS Archive - This collection of scripts have been written with security and interoperability at the foremost of concerns and undergo a great deal of peer review.

       

      perl -e 'print+unpack("N",pack("B32","00000000000000000000000111000100")),"\n"'
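
The checks raised in the reply above, sketched as an added example (not part of the thread, and not code from BNBForm or NMS FormMail): the recipient and the field constraints come from server-side configuration keyed by form id, and nothing in the submission or in HTTP_REFERER can change them. The form id, field names, limits and addresses are constructed for illustration.

```perl
# Added example, not BNBForm or NMS FormMail code. Form ids, field names,
# limits and addresses are constructed for illustration.
use strict;
use warnings;

# Server-side config: the recipient and the field constraints are fixed
# here, keyed by form id, and are never taken from the submission.
my %FORM = (
    contact => {
        recipient => 'webmaster@example.com',
        fields    => {
            name    => { required => 1, max => 80,   re => qr/\A[^\r\n]+\z/ },
            email   => { required => 1, max => 254,
                         re => qr/\A[^\s\@<>,;]+\@[^\s\@<>,;]+\z/ },
            message => { required => 1, max => 4000, re => qr/\A.+\z/s },
        },
    },
);

# Returns (recipient, cleaned fields) or dies with the reason for rejection.
# HTTP_REFERER is not consulted: the client controls it.
sub check_submission {
    my ($form_id, $in) = @_;
    my $form = $FORM{ defined $form_id ? $form_id : '' } or die "unknown form\n";
    my %clean;
    for my $name (sort keys %{ $form->{fields} }) {
        my $rule  = $form->{fields}{$name};
        my $value = defined $in->{$name} ? $in->{$name} : '';
        die "missing $name\n" if $value eq '' && $rule->{required};
        next if $value eq '';
        die "$name too long\n" if length($value) > $rule->{max};
        # \A and \z anchor the whole string; $ would accept a trailing newline.
        die "bad $name\n" unless $value =~ $rule->{re};
        $clean{$name} = $value;
    }
    # Fields not in the config (a submitted "recipient" included) are dropped.
    return ($form->{recipient}, \%clean);
}

# Constructed submissions: a normal one, one that names its own recipient,
# and one that fails a field constraint.
for my $in (
    { name => 'Ann', email => 'ann@example.org', message => 'Hello' },
    { name => 'Bob', email => 'bob@example.org', message => 'Hi',
      recipient => 'someone@example.net' },
    { name => 'Cy',  email => 'not-an-address',  message => 'Hi' },
) {
    my ($to, $clean) = eval { check_submission('contact', $in) };
    print defined $to ? "accept: To=$to\n" : "reject: $@";
}
```

The first two submissions are accepted with the configured recipient, and the third is rejected with "bad email".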

        Ah, yes - I guess I should do a little bit more research before replying :)

        Although I probably would code this myself, I'm going to suggest using Form Mail (mainly because I've used it in the past).

        Thanks for your replies! I particularly appreciated the points on security, which I would have definitely overlooked in rolling my own.

        FormMail does look good, but I do need a script that can be configured to output to either email or data files or both. (I guess I could've made that more clear in my original question.)

        Again, any thoughts?

        Thanks,

        David