Form Security
Hello There,
I'm looking for a form plugin that doesn't save the data anywhere in the database or dashboard of concrete5. This is because of a security issue: the client doesn't want to save the data anyway, but only to email them directly. Can anyone send me a link to such a plugin if one exists?
Thanks so much
Aida
Hi Aida,
Maybe this will help you.
https://github.com/jordanlev/c5_custom_contact_form...
If you still have a problem, feel free to contact me.
Hemant
The security requirement has further implications. If you don't save any of the data, I expect you still want it to be sent as an email. But emails can be logged, both in c5 and in the mail server. So you also need to ensure that email logging is disabled in c5 and on your host's mail server.
You could use the ProForms proforms_item_entry sitewide event handler and simply remove any data after it is submitted.
I should add this though: "security" so far as data goes related to C5's attribute system is all but built in already.
So, for example, ProForms is a custom object type with attributes as questions. Unlike most form addons, when a form is submitted, there is no "table" of any kind that has a one-for-one value pair of question and answers.
The response answers are connected via any number of table keys that link to other table keys that link to other table keys that have values.
The only efficient way to really get optimized data from C5's attribute system is through its model architecture php files or direct access to your db.
Of which, if some hacker has access to either of these, then they would have even more access to redirect that data from any simple email form than they would with any addon code being forced to understand the full architecture of addons and core MVC design patterns.
In other words - your client's concern is still a concern with or without using any addon.
What their ACTUAL concern is this: "what if someone gets access to my server php and sql data???"
To which if that happens...a hokey email php file is the easiest to rip off of all options in fact. Although they would not have access to past entries, they maliciously could get that data for any and all future responses without you even knowing about it.
I implore you to go grab a copy of ProForms...submit some entries and then go into your db and see how long it takes you to trace just one answer from one form....let alone all answers to all forms. It will be immediately clear what I am getting at here.
But again, you could just simply use the "example_proforms_extend" free package available and simply do a $form->delete(); within it.
That event handler fires after email goes out. So you should be good.
ChadStrat
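An added example, not part of any post in this thread and not code from concrete5, ProForms or the linked repository: a standalone PHP handler that emails a submission and keeps it in memory only, with the input checks such a handler needs so that form fields cannot inject mail headers. The addresses, field names and function names are hypothetical.

```php
<?php
// Added example: email-only form handler. Nothing is written to a database,
// file or session. RECIPIENT, SENDER and the field names are hypothetical.
const RECIPIENT = 'client@example.com';  // fixed; never taken from user input
const SENDER    = 'noreply@example.com';

/** Accept one short line only: CR/LF would let input add headers such as Bcc. */
function single_line($value, int $max = 200): string
{
    if (!is_string($value)) {
        throw new InvalidArgumentException('invalid field');
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $max || preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('invalid field');
    }
    return $value;
}

/** Validate the POST fields and return the arguments for mail(). */
function build_mail(array $post): array
{
    $name  = single_line($post['name'] ?? null);
    $email = filter_var(single_line($post['email'] ?? null), FILTER_VALIDATE_EMAIL);
    $text  = $post['message'] ?? null;
    if ($email === false || !is_string($text) || trim($text) === '' || strlen($text) > 5000) {
        throw new InvalidArgumentException('invalid field');
    }
    // User-supplied values appear in the body and in Reply-To only.
    $headers = [
        'From'         => SENDER,
        'Reply-To'     => $email,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return [RECIPIENT, 'Website enquiry', "Name: $name\nEmail: $email\n\n" . trim($text) . "\n", $headers];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        [$to, $subject, $body, $headers] = build_mail($_POST);
        $sent = mail($to, $subject, $body, $headers); // array headers need PHP 7.2+
        http_response_code($sent ? 200 : 500);
        echo $sent ? 'Sent' : 'Mail failed';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input'; // field values are never echoed or logged
    }
}
```

The logging concern raised earlier in the thread still applies here: PHP's `mail.log` ini directive, if set, records the recipient and headers of every `mail()` call, and the mail server keeps its own logs.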
Hello,
Thanks so much for putting in the time to explain ... this is really useful. I think this should work. I'll give this a try.
Thanks again
Aida