I've recently found a web site where the email address is included within hidden tags in a html form. Is this a bad practice and why other than the stealing of mail addresses?
It's a bad practice.
A malicious user can use a tool like Firebug to change the hidden field's content.
He can then use your form to spam or send anonymous emails, as an example.
It is an alternative in using session to store the email value for a certain purpose.
Assumably, a field called "to" contains the email address of the organization being contacted. Since this doesn't vary by customer, it shouldn't be part of the form; it should be part of the form's target script.
Even if the "to" email is somewhat variable (say a limited list of webmaster, technical service, sales, complaints dept, etc.), the form should not contain the target email. It should contain a dropdown send-to list where the option values are integers that are used by the script to determine which email address is appropriate. Aside from security concerns, an option list like the one described is easily generated from an array. So changes to your email list are easy to make.
Keeping the email address off the contact form helps prevent misappropriation of your form for spamming. And it also keeps your email address(es) private from webscrapers.
It's just a way of keeping track of the email address that must be required somewhere. Since they can't figure out by themselves your email address, I suppose that you entered it in the system before, so I wouldn't call that stealing.
As for practices, I'm not a big fan of hidden fields since they are so easy to change, but it can do the job if needed. Of course you need to have all sort of data validation on the backend treat hidden fields as if they were user inputs.
Where what email address?
The email address the form will get submitted to? It isn't very clean, but there is nothing terrible about it. (If the server side form handler doesn't check the email address against a white list then it is an invitation to spam relay, and that is terrible).
The email address the user entered on the previous page? No problems, this is just maintaining state, and it can't be stolen - only the user who entered it in the first place will get to see it. (This half of the answer removed in response to comments)
Related
I'm trying to create a survey email with two follow-ups reminding the recipient to complete the survey. The survey link is anonymous and meant to be shared among the recipient's peers. The survey is on Qualtrics.
My issue is this - I don't want the follow-ups to go to anyone who has already completed the survey. But, I want them to feel like they're maintaining a sense of anonymity.
So, the goal is to create a link that, once clicked, collects the email address of the person who completed the survey so they can be unsubscribed from any follow-ups. What's the best way to do this?
If an audience is already known by their email address or id. You can use hidden variables in the URL. This data can be captured on submission. By this, you can follow up to the non completed users.
The requirements you state in your question are contradictory. You can have either:
An anonymous link that recipients can share with their peers, which contains at most group-level information about the respondents, or
Personalized links that are private to an individual respondent, which contain individual-level information about the respondents (including their email address).
(The way you can embed group-level information into an anonymous link is to append a URL parameter to the end. For example, if you have two mailing lists that you're using for the survey distribution, you might have one version of your link that ends with "?MailingList=1" and another where "MailingList=2".)
If you want the survey to be truly anonymous and shareable with peers, you should simply include language to the effect of "if you have not already taken the survey..." in any reminder communications.
If "fewer annoying reminders" is a more important goal than anonymity and the ability for respondents to share via email forwarding, then personalized links are the way to go.
I have two whitelisted domains in my organization, and I have a form that should not be fillable by any user in one of those domains. The form automatically collects the full address of the user. So... anybody#domain1.com should be able to open the form, fill it out, and submit it. everyone#domain2.com should be blocked in some way from filling and sending the form. Remember, they're not entering an e-mail address; the address is simply auto-filled via normal GForm rules.
I'm starting to look into using Google script to do this somehow, but am unfamiliar with it - thought dropping a question here while I look would be beneficial.
I'd like to know if the following is actually possible:
A mailto link that does not contain an email address, but somehow auto populates the TO: field with the email of the original sender.
For example:
"a href="mailto:ORIGINALSENDER?subject=UNSUBSCRIBE&body=I would like to unsubscribe from future emails">Click here to send an unsubscribe email /a"
Is this possible without having to specify an email address in the link itself? Is there a class or function i can call to autopopulate the To: field?
The reason i ask is we send out curated email templates to individual customers and they are sent via a specific system. This system does not have an unsubscribe function, unfortunately. I am not able to use or suggest a system that does as i am but a lowly cog in the corporate machine.
In a word, no, not dynamically in an email that I'm aware of. Are you sending from the same email address each time? Can you set up an additional email address to handle unsubscribes and just have that hardcoded? (i.e. unsubscribe#yourdomain.com and have that monitored)
If you're using different email addresses, then consider replacing 'click here to unsubscribe' with something to the effect of 'to unsubscribe, reply to this email with unsubscribe in the subject line'
Lastly, making a recommendation and giving a good argument for using a system that better suits your requirements is a first step towards being more than a lowly cog in the corporate machine :)
I have a small ecommerce business and from time to time a customer will say that they never ordered the item and I am forced to refund their money due to lack of any confirmation from the customer as to his actually placing the order.
I would like to add either an hmtl button or any sort of tool to the emails that i sent you with the customer's receipt. The customer will get the email with his receipt and also within the email will be a button ("I approve This Transaction") for him to click on that will send me back a confirmation email.
Please advise.
Thanks,
Don
There are 2 ways to do this.
With a mailto: link, this would open the users default email client where they would have to send the email as an extra step.
URL parameter in a normal href/button link (ie: www.yoursite.com/yourpage.php?email=their#email.com). You would link to a webpage (yourpage.php) that would pass that URL parameter (in this example "email", but can be any other info you pass through) you can then parse that URL parameter in your webpage and have it email you automatically based on that info.
Option 2 is the way to go, but requires some coding knowledge (PHP for example). Also, in order to set up unique URL parameters, you'll need a system that uses merge tags to create unique values for each email you send. I'd suggest you should use a transactional email service provider for this.
Does it make any sense to include a captcha when registration already requires email confirmation? any added benefit or just a waste of effort?
Neither will prevent current bots from getting into your system if that is your reason for doing these. Usually email confirmation is done to validate that the user gave a correct email address if you have need to contact them (or spam them). I don't see the value in adding a captcha to that.