25 Years of Programming
An open source source for C, C++, OWL, BASIC, MDB, XLS, DOT, and more... 		Home   Projects   Sitemap   Search   Blog   Forum+Chat   About Us   Privacy   Terms of Use   Feedback   FAQ   Images   Services   Payments   Humor   Music  

Convert FrontPage 2003 webbots to plain HTML and CSS - Part 5

The reasons these conversions can be worth doing are given in the Introduction for this series of articles in Part 1, (see above).

How to convert a FrontPage form (SaveResults webbot) to use NMS FormMail instead

What is a FrontPage form?

A form on a web page actually consists of two parts:

  1. The HTML form that's on the web page between <form> and </form> tags.
     
  2. A "forms handler" script (program) on the server. When a user completes the form and clicks the Submit button, their browser issues a call to the handler program, sending the submitted data back to it in the process. The forms handler receives the data, usually does some validity checks, and then sends it to you in an email or saves it to a file, whichever it's been programmed to do.

One of the things that's in the FrontPage Extensions is a forms handler program. When you create a form in FrontPage using Insert > Form, it creates a form whose HTML code specifies that it will use this FPE forms handler. This is why FrontPage forms only work when the FrontPage Extensions are installed.

To convert a FrontPage website to another design program such as Expression Web or Dreamweaver, you have to eliminate dependence on the FP Extensions, so you must change your forms code to use a handler that is not the FrontPage Extensions one.

NMS FormMail is a good choice to use as the replacement.

What is NMS FormMail?

NMS FormMail is a newer rewrite of an old script that was also called FormMail. The NMS version is more secure because it is not vulnerable to injection attacks of email headers or other code and cannot be hijacked to send spam to third parties. Those are common failings of other form mail scripts, including FormMail's earlier incarnation.

[FormMail can only send the data to you in an email. If you want it saved to a file, see the Notes at the bottom of this page.]

NMS FormMail consists of only 1 file, a plain text script writtten in the Perl programming language. Configuring and installing it isn't too difficult, but many people find it intimidating because there are two help files in the download package, and it's hard to know where to begin.

Step-by-step conversion

A) Obtain and configure NMS FormMail

  1. Go to http://nms-cgi.sourceforge.net/scripts.shtml to download the script package. The Compatibility package in zip archive format is the one for most users. It is the first download on the page.
  2. Unzip the files on your computer.
  3. Four plain-text files in the package don't have file extensions (ChangeLog, EXAMPLES, MANIFEST, README). Give them .txt or .doc file extensions (your preference) so you can open them in a text editor such as Notepad, WordPad, or Word.
  4. Open FormMail.pl in a plain text editor such as Notepad. Scroll about 1 page down to the #USER CONFIGURATION SECTION. These few lines are the only ones you customize.
  5. Open README.txt in any editor and scroll down to the CONFIGURATION section so you can refer to it. The configuration settings are described in sufficient detail, one paragraph each.
  6. For each setting, read its description in README, and then change that setting in the script to match what you want.

To augment README, there are some comments below intended to assist with a simple installation for emails going to one webmaster on a shared hosting account. They also give some non-standard, non-obvious settings that give a bit more security, highlighted in yellow.

Notes:

  • In true/false fields, 0 means No/Off/False, 1 means Yes/On/True.
  • It is generally not necessary to have localhost listed in any field.
$DEBUGGING = 0; Set this to 0 when you are finished with initial setup and testing.
$emulate_matts_code= 0; Always use 0.
$secure = 1; Always use 1.
$allow_empty_ref = 1; Allows the form to work when a visitor's browser does not send a referer string, which is common.
$max_recipients = 1; If each form submission should only result in 1 email to you, set this to 1.
$mailprog = '/usr/lib/sendmail -oi -t'; As noted in README, this is server-dependent. Your website's control panel (such as cPanel), in a box labeled "Path to sendmail", might be able to tell you whether to use the command to the left or this common alternative. If one doesn't work, try the other:
$mailprog = '/usr/sbin/sendmail -oi -t';
$postmaster = 'you@yourdomain.com'; Sender of the outgoing emails. In the email headers, you'll see this as the "Return-path:", which can be different from "From:". This will receive any "delivery error" messages.
@referers = qw(yourdomain.com);

@referers = qw(yourdomain.com www.yourdomain.com);

The website, your website, allowed to use the script. Use www. or non-www, however you do your 301 redirection. If you allow both without redirecting, enter both, separated by a space. On shared hosting, include only your website, NOT your IP address (which is shared with other sites that you DON'T want to allow to use the script).
@allow_mail_to = (); Leave this empty. The reason why is explained later.
@recipients = (); Leave this empty, too.
%recipient_alias = (
    'AnyWord' => 'you@yourdomain.com',
    ); 		We're going to use this instead of allow_mail_to. Any email address listed here is automatically allowed. The email address should be the one where you want to receive the form results. AnyWord is its "alias" or nickname. It is used in the form's HTML so the actual email address can be kept secret. When we set up the "fake CAPTCHA" below, AnyWord will be what you tell users to type into the CAPTCHA box.

The example in README shows recipient_alias being used when you want to choose among addresses, but we're using it even though there's only one address.

@valid_ENV = qw(REMOTE_HOST REMOTE_ADDR REMOTE_USER HTTP_USER_AGENT); Environment variables about the visitor who submitted the form, that you might want sent to you in the email. This example includes their IP address (REMOTE_ADDR), operating system and browser info (HTTP_USER_AGENT), and two other fields that usually are not known. This configuration line does not actually cause those fields to be included in the email. For how to do that, see the hidden form field "env_report" in the examples farther down this page.
$locale = '';  
$charset = 'iso-8859-1'; The character encoding of the script's confirmation pages and the emails it sends. For UTF-8 Unicode (international character sets):
$charset = 'UTF-8';
And in the <head> of your web page:
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
And in your form tag, add this attribute:
<form accept-charset="UTF-8" ...>
$date_fmt = '%A, %B %d, %Y at %H:%M:%S'; How to format the date. This example formats it as:
Tuesday, July 31, 2012 at 22:40:34
$style = '/path/yourstyle.css'; Absolute path from your website document root to your CSS style sheet, if any. For example, if you enter: '/style.css', that refers to a style sheet that is at /public_html/style.css. If no style sheet, this should be: $style = '';
$no_content = 0;  
$double_spacing = 0;  
$wrap_text = 0;  
$wrap_style = 1;  
$address_style = 1;  
$send_confirmation_mail = 0;

$confirmation_text = <<'END_OF_CONFIRMATION';
From: you@yourdomain.com
Subject: Your form submission

Thank you for your form submission.

END_OF_CONFIRMATION		 Definitely set this to 0. Do not send a confirmation email to the user. README explains why.

B) Install NMS FormMail

  1. Rename the FormMail.pl file to a name that does not have "form", "mail", or "contact" in it. Some webhosts may disable any script with those words in the name because they attract attacks from spammers and hackers.
  2. Upload the script to your server's /public_html/cgi-bin/ folder.
  3. Carefully set the script's permissions to 755:
    • Go to cPanel > FileManager
    • Navigate to /public_html/cgi-bin/
    • Click on the script's directory entry
    • In the upper right corner, click Change Permissions
    • Click the boxes to match this screenshot:

    Setting script permissions to 755 in cPanel.

    • Click Change.
    • Make sure the permissions to the right of the filename show as 0755.

C) Convert your FrontPage forms

Here is Code View of a somewhat typical FrontPage form except that it has no controls except for two buttons. This form performs two actions: it saves the results to a file and it also sends an email. By converting to NMS FormMail, we're going to lose the file-save functionality:

<form method="POST" action="--WEBBOT-SELF--">

<!--webbot bot="SaveResults" U-File="_private/form_results.txt" S-Format="TEXT/TSV" S-Label-Fields="TRUE" B-Reverse-Chronology="FALSE" S-Email-Format="TEXT/PRE" S-Email-Address="you@yourdomain.com" B-Email-Label-Fields="TRUE" B-Email-Subject-From-Field="FALSE" S-Email-Subject="Form submission" S-Date-Format="%A, %B %d, %Y" S-Time-Format="%I:%M:%S %p" S-Builtin-Fields="REMOTE_NAME REMOTE_USER HTTP_USER_AGENT Date Time" -->

<p>
<!-- This is the body of the form, just two buttons. -->
<input type="submit" value="Submit" name="B1">
<input type="reset" value="Reset" name="B2">
</p>

</form>

To convert this form:

  1. Delete all the webbot code.
  2. Change the <form> tag so it looks like this, but use the new name you gave the script:

<form method="POST" action="/cgi-bin/FormMail.pl">

  1. You can add optional hidden form fields to supply other information or modify the form's behavior. See README.txt > FORM CONFIGURATION for ideas. Here are some useful ones:

<input type="hidden" name="subject" value="Contact form submission">

<input type="hidden" name="return_link_url" value="/ThePageWithTheFormOnIt.html">
<input type="hidden" name="return_link_title" value="Return to previous page...">

<input type="hidden" name="required" value="comments,recipient">

<input type="hidden" name="env_report" value="REMOTE_ADDR,HTTP_USER_AGENT">

<input type="hidden" name="print_blank_fields" value="1">

  1. For ideas about how to further customize the form or its behavior, see the EXAMPLES.txt file that came with the download package. Now that you've gotten this far in the configuration process, you will probably find README and EXAMPLES quite understandable. Take one paragraph at a time and decide if you want the feature it describes.

D) Make a fake CAPTCHA for NMS FormMail

Although FormMail (when properly configured) is very well secured against being hijacked to relay spam to other people, it nonetheless can be used to send spam directly to you. A robot can send submissions directly to it, and you'll receive the resulting emails.

A commonly used defense against these spam submissions is a CAPTCHA, an image with text that humans can read and type into a box but robots can't.

However, FormMail has no CAPTCHA capability built into it.

A common substitute for a CAPTCHA is a text field. You ask users to type a word such as "human" into a box, or to solve a simple problem like "What is two plus two?"

But FormMail also has no ability to do input validation on the custom fields of your form, so it has no way to tell if the correct answer was given. You can do the validation test in the client's browser with JavaScript, but robots don't run JavaScript, so your validation will be useless in the one situation where you need it to work!

The solution is to use FormMail's ability to do data validation on a field where it already does it.

That is why we used an alias email address, but instead of putting it in a hidden form field that is pre-filled by the form, we'll require the user to type it into a box:

For contrast, here is the example from README on how to use recipient_alias:

%recipient_alias = (
    '1' => 'one@your.domain',
    '2' => 'two@your.domain',
    '3' => 'three@your.domain',
    );

In the HTML code for the form, you would then set the recipient with:

<input type="hidden" name="recipient" value="2">

The hidden form code sets the recipient by using the alias of 2, which is translated inside the script to two@your.domain.

To turn this into a simple CAPTCHA, make the recipient input visible, not hidden, and require your human user to enter it into a text box. Tell them what to enter. In this example, it is 2. Here is the code for the input box:

<p>Please type 2 in this box. Otherwise, the form submission will fail and you will need to use your Back button to return here and try again:

<input type="text" name="recipient" size="20">
</p>

The script does validate this data. The text entered into recipient must translate to a legitimate recipient that the script is configured to allow. If the user leaves the field blank or enters an incorrect value, they'll get an error screen. A human user can press the Back button and try again, but a robot probably won't bother to do that.

This isn't foolproof. A clever robot can determine the correct value by scanning the HTML for clues. If that fails, a human user can read your form and program a robot to repeatedly enter the correct value in the box. However:

  1. Human supervision is uncommon because it's a waste of a person's time. There are plenty of insecure contact forms in the world to exploit automatically without human oversight.
  2. Spammers test their form mail exploits by trying to send emails to themselves. When they receive an email, they know they've found a vulnerable form that can be tricked into sending emails to others. Your form will never send them an email, so they will give up and move on.
  3. Although you are defenseless against a smart robot, most of these spambots are not smart, so you're protected against most of them.
  4. If a robot or human spammer does figure out what to enter in the box, all you need to do is change the alias in two places: in your FormMail.pl script and in your form.
  5. The worst that can happen is that only you, no one else, will get spam submissions. That makes your form an unattractive target for any spammer who is familiar with NMS FormMail.

As an alternative to the text, you can create an image containing the correct text to type into the box (in this case, an image showing the numeral "2"), and display that image in your form. A robot cannot read the image as easily as it can read the text in your HTML. That makes this closer to a real CAPTCHA, except that this is static and has no variety.

My Feedback page has an example of a form similar to the one described in this article, including the use of an image to display the correct answer. To see its "inner workings", you can View Source.

Notes:

  • If you want the submitted data saved to a file on your server, you need NMS TFMail (tfmail.zip near the bottom of the SourceForge page). The installation for that package is complicated enough that you might decide emailing the results instead isn't so bad after all. 

You can comment or ask questions in the discussion forum.

 

Valid HTML 4.01 Transitional
Yahoo! Search
Search the web Search this site
Valid CSS

Copyright ©2012 Steven Whitney. Last modified Wed 08/01/2012 03:53:26 -0700.