  1. #1
    SanSui

    Secure Form Handling - need direction

    I need to have some secure forms for taking personal information + credit card numbers.

    The results will be sent to two different email addresses, but I'm not sure about security concerns. How do I make a form secure, both in transmission to the server and through the email?

    I assume transmitting to the server must use SSL, which I know little about (server runs on apache btw), and that the resulting transmission by email must be encrypted.

    Any direction would be greatly appreciated.

  2. #2
    Mike
    Yes, you'd need SSL. RackShack.net offers SSL certificates for $25, but your host might already offer shared SSL, so ask them.

    Use something like PHP to process the form, don't email the form. Email is never secure.
    Mike
    It's not who I am underneath, but what I do that defines me.

  3. #3
    SanSui
    I checked my server plan features and they do not include any shared cost SSL certificates. Cheapest option there was Thawte at 125 a year - which is still a bit much for the non-profit organization this is for.

    I had not intended to use the form to access email directly - I want a formhandler of some sort that will process it, encrypt it, and *then* email it. I don't have the time or experience to write my own code in this situation (I am primarily a designer), so I'm looking for a pre-existing one I can just configure and drop in.

    Through searching I've seen a lot of old formhandlers that I'm not confident are secure, as well as plenty that don't do encryption, so I figure someone here must have a good idea on the matter =)

  4. #4
    SanSui
    What do people think about third party form handlers, like at www.hform.com ?

    They offer SSL and encrypted email at a very low price.... only issue being whether they are trustworthy.

  5. #5
    SanSui
    One last question - can I use SSL without a SSL certificate?

  6. #6
    Mike
    Quote Originally Posted by SanSui
    One last question - can I use SSL without a SSL certificate?

    Yes, but browsers will prompt that the site's certificate is invalid, and ask the user if they want to proceed. This may turn visitors away. RackShack has SSL for $25 a year, and no, you don't need to have an RS server.

    Ultimately it's your choice, but I don't recommend you take CC numbers on your site, unless you send them directly to PayPal or some other merchant account, because whether you store them on your site or email them, you would be held liable for it if it was intercepted by somebody.

    If you encrypt the CC number, it can be decrypted, which is no good.

    What would you be using the CC numbers for, if you don't mind me asking?
    Mike

  7. #7
    SanSui
    No, I don't mind. The secure form would be used for a Red Cross chapter that wants to be able to take donations and course registrations (First Aid courses, etc.) online. Low volume of transactions, cheapest solution needed.

    They've actually already been using a form for donations... that uses neither SSL nor encryption for the email. They were unaware of how insecure that method was.

    I'm not averse to recommending paypal to them, do you think that would be the best solution?

  8. #8
    Mike
    I would recommend PayPal for donations, yes.
    Mike

  9. #9
    Kings
    Quote Originally Posted by naramation
    I would recommend PayPal for donations, yes.
    I agree PayPal is the easiest option, and you'll be able to set it up within 5 minutes (or less).
    Dennis Pallett - NoCertainty - My Personal Weblog

  10. #10
    SanSui
    Alright, thanks guys... one last question, I swear

    If I get them to do the Paypal route, how does Paypal process the form data?

    I don't have a paypal account and have certainly never set up some forms to interface with a paypal account - does paypal store the form data for a transaction in the transaction history? Is it emailed to the account holder? This wouldn't be just for donations, but also for registering for first aid classes, so each transaction would need to record the input values of the form.

  11. #11
    Mike
    PayPal only deals with the money side of things, you'd have to make a 2 step form for donations if you record the donators name and info.
    Mike
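A PHP sketch of the two-step arrangement Mike describes, added here as an example and not code from the thread or from PayPal: step one records only the registrant's name, email and course on the server (card data is refused outright), and step two redirects to PayPal, which handles the money. The storage path, fee table and PayPal business address are assumed placeholders, and the handler is assumed to be served over HTTPS.

```php
<?php
// Added example, not code from the thread. Step 1 of a two-step form: the server
// keeps the registration details (never a card number) and hands payment to PayPal.
// Assumed: served over HTTPS; REGISTRATION_FILE is outside the web root.
declare(strict_types=1);
const REGISTRATION_FILE = '/var/app/private/registrations.csv'; // assumed path
const PAYPAL_BUSINESS   = 'donations@example.org';              // placeholder
const PAYPAL_URL        = 'https://www.paypal.com/cgi-bin/webscr';
const COURSES = ['first-aid' => '45.00', 'cpr' => '35.00'];     // constructed fee table

function validateRegistration(array $post): ?array {
    $name   = trim((string)($post['name'] ?? ''));
    $email  = trim((string)($post['email'] ?? ''));
    $course = (string)($post['course'] ?? '');
    if ($name === '' || strlen($name) > 100) return null;
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) return null;
    if (!array_key_exists($course, COURSES)) return null;
    // Card data is refused outright: that step belongs to PayPal, not this server.
    if (isset($post['card_number']) || isset($post['cvv'])) return null;
    return ['name' => $name, 'email' => $email, 'course' => $course];
}

function storeRegistration(array $reg): string {
    $ref = bin2hex(random_bytes(8)); // opaque reference used to match the payment later
    $fh = fopen(REGISTRATION_FILE, 'a');
    if ($fh === false) throw new RuntimeException('cannot open registration store');
    flock($fh, LOCK_EX);
    fputcsv($fh, [$ref, date('c'), $reg['name'], $reg['email'], $reg['course']]);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ref;
}

function paypalRedirectUrl(string $ref, string $course): string {
    // Step 2: PayPal "Buy Now" button parameters; 'custom' carries the reference
    // back in PayPal's payment record so it can be matched to the stored row.
    return PAYPAL_URL . '?' . http_build_query([
        'cmd' => '_xclick', 'business' => PAYPAL_BUSINESS,
        'item_name' => 'Course registration: ' . $course,
        'amount' => COURSES[$course], 'currency_code' => 'USD', 'custom' => $ref,
    ]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reg = validateRegistration($_POST);
    if ($reg === null) { http_response_code(400); exit('Invalid registration'); }
    header('Location: ' . paypalRedirectUrl(storeRegistration($reg), $reg['course']), true, 303);
    exit;
}
```

The registration file is only ever appended to on the server; nothing sensitive is emailed, which is the point of the thread.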

  12. #12
    Ellie

    Secure forms

    Hi,
    I have a similar question that I'm wondering if anyone can help with - we also need to collect data that needs to be secure via a form. We have SSL - but does anyone know of any scripts that can send it securely from the server to us? We're on Apache - so ASPEncrypt is out. I don't think PayPal is going to be suitable as we need a wide range of different sensitive data - not just payments.
    I'm really stuck. Any suggestions or advice would be wonderful...
    Huge thanks, Ellie

  13. #13
    Smurfs Are Tasty

    I Agree.

