Thread: Is it a good idea to write form submissions to a DB?

  1. #1
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times

    Is it a good idea to write form submissions to a DB?

    Hi everyone,

    So, I had a bit of a red alert this morning: we realized that the client's form was not reaching their Y*h*o business email. This is because the business email account has a super filter that doesn't allow for any server emails (I guess). I know this because when I changed the form-to-address to mine or yahoo, it worked fine.

    Yikes. Hope I don't get dropped by my client or worse - sued.

    The form is in PHP and using PHP mail function. Works fine, but I guess super filters will take it as SPAM. No, take that back, it doesn't even register it as SPAM - it simply rejects it and doesn't even reach the SPAM folder.

    So, this kind of exposed to me an area where I did not cover - I have files and DB backed up for all my clients, but not form submissions.

    So I was thinking how can I prevent this from happening again. Of course, the first idea is to verify that the emails go through. Duh. The second idea was to make multiple CCs to act like a backup (if one email doesn't work, you can open the other). The third is to write submissions to the website database.

    The form itself has a bunch of personal information fields. The form is secured, but I'm thinking writing to a DB would open up liabilities for my client if the DB gets leaked. It also opens up the possibility that I could eavesdrop on the info since I have access to the DB.

    Or is there a smarter way to send PHP forms so that email filters don't block them?


    So, what do you guys think? I'd love to hear your thoughts. I feel like this was a grave oversight from my end and I'd like to learn from it.
    Last edited by RDesignista; Sep 25th, 2013 at 03:12 AM.

  2. #2
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    It's not a grave oversight at all. It's Yahoo!'s incredible bastardization of spam filters. I've seen the same message sent to the same email address go through the first time, get put in spam the second, not make it to the user at all the third time, and go through the fourth and fifth. It's messed up, and always has been.

    One thing that you can do to get around this is to install a mail server that will utilize DKIM to digitally sign your message. They're difficult filters to set up, but I've found that DKIM-signed messages get through a whole lot more often and Yahoo! does consider it a "best practice". So there's that option.

    Make sure your mail server forces users to authenticate to it before you can send emails using it. A surprising number of mail servers....well, don't. As a result, they often get abused by spammers and other people.

    You'll also want to make sure you're sending an email from an email account on the same domain that is being used to send the email. So if you're using a.com/send-an-email.php to send an email, you want an a.com email address as the "from" address. If you're going to build something that necessitates a response by the recipient, use the Reply-To property to get the email to the original person that filled out the form.

    What type of personally identifiable info is in the form, though? If you're sending forms via email, that's not very secure either. The DB would be the better way to go about it. The same possibility of you "eavesdropping on the info" exists as well...all you'd need to do is add yourself as a BCC recipient of the scripted email and your client would probably never be any the wiser. I do this myself, but not to spy on clients; I just want to make sure their email forms are working.

    EDIT: I do tell my clients this as well. So there's no spying on my part.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  3. #3
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times
    Thanks for the tips. I knew there was a next level of complication regarding servers and emails and SMTP and validation... but the PHP form I set up was working using gm*il, so I didn't bother to refine my skill there.

    It's a form for a loan request, so it's not mother's maiden name or social security number... but it's still private information and thus we have a private SSL set up. And yes, I realized that I could spy on the information very easily in numerous ways without the client ever knowing. It'd be too easy. Trust is pretty important in our industry. So many stories of shady web guys I've heard since starting work. So I try to gain trust in whatever ways I can (my picture on my website, detailed contracts, meeting face to face). And conversely, I've thought about if in the future I needed to partner up or hire someone, how hard it would be for me to trust them with any login credentials.

    PS: GAME, instead of posting a thread, should I just PM you personally the next time I have a question since you're always the only person to answer? Hahah....

  4. #4
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    Heh, nah, this is something WZ could handle as well.

    In this case, you definitely don't want that going to email. Having the private SSL only goes so far...the email itself sits unencrypted until it's downloaded (and depending on how the client's email client is configured, possibly after it's downloaded as well). I wouldn't even send the information via email...I'd write it to database, use a two-way encryption algorithm such as Triple DES to encrypt the data (yes, it's "insecure" because there are attacks for it, but for what you're doing a unique key and IV will generally stop most hackers...there's no point bothering if there's little to be gained), and send a notification to the user saying "a new application has been received" with a link to the application (you probably should password protect this section as well). I would help you with the Triple DES thing, but I only know how to do it in .NET, not PHP.

    If you're using an SSL, you have to figure that at least some of the information is sensitive enough to look at encrypting it...otherwise, there wouldn't be a reason to use an SSL.
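An added example, not code from this thread, of the approach post #4 describes (write the submission to the database encrypted, email only a notification with a link) combined with post #2's advice to send from an address on the sending domain with Reply-To pointing at the applicant. It uses libsodium's authenticated secretbox instead of Triple DES; the `submissions` table, its columns, the `APP_FORM_KEY` environment variable and the example.com addresses are assumptions.

```php
<?php
// Added example (not from the thread). Assumptions: a base64-encoded 32-byte key in
// APP_FORM_KEY, a table submissions(id, nonce, ciphertext, created_at), and
// example.com as the site's own domain (hypothetical names).

function loadKey(): string {
    $key = base64_decode(getenv('APP_FORM_KEY') ?: '', true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_FORM_KEY must be a base64 32-byte key');
    }
    return $key;
}

// Encrypt the whole submission as one JSON document with a fresh random nonce per
// row; secretbox authenticates the ciphertext, so edits to the DB row are detected.
function sealSubmission(array $fields, string $key): array {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode($fields, JSON_THROW_ON_ERROR);
    $cipher = sodium_crypto_secretbox($plain, $nonce, $key);
    sodium_memzero($plain);
    return ['nonce' => base64_encode($nonce), 'ciphertext' => base64_encode($cipher)];
}

// Used by the password-protected admin page that the notification links to.
function openSubmission(string $nonceB64, string $cipherB64, string $key): array {
    $plain = sodium_crypto_secretbox_open(base64_decode($cipherB64), base64_decode($nonceB64), $key);
    if ($plain === false) {
        throw new RuntimeException('submission tampered with or wrong key');
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

function storeAndNotify(PDO $db, array $fields, string $key): int {
    $row = sealSubmission($fields, $key);
    $stmt = $db->prepare('INSERT INTO submissions (nonce, ciphertext, created_at) VALUES (?, ?, NOW())');
    $stmt->execute([$row['nonce'], $row['ciphertext']]);
    $id = (int) $db->lastInsertId();

    // The notification carries no personal data. From is on the sending domain;
    // Reply-To is the applicant's address, validated so it cannot inject extra headers.
    $reply = filter_var($fields['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: 'noreply@example.com';
    $headers = "From: forms@example.com\r\nReply-To: $reply\r\n";
    mail('loans@example.com', 'New loan application received',
         "Application #$id is waiting at https://example.com/admin/applications/$id",
         $headers);
    return $id;
}
```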

