9.4. Using Email to Collect Form Data
It is increasingly common to find authors who have no access to a web server other than to upload their documents. Consequently, they have no ability to create or manage CGI programs. In fact, some Internet Service Providers (ISPs), particularly those hosting space for hundreds or even thousands of sites, typically disable CGI services to limit their server's processing load or as a security precaution.
If you are working with one of the many sites where you cannot get a form processed to save your life, all is not lost: you can use a mailto URL as the value of the form's action attribute. The latest browsers automatically will email the various form parameters and values to the address supplied in the URL. The recipient of the mail can then process the form and take action accordingly.
By substituting the following for the <form> tag in our previous example:
<form method=POST action="mailto:firstname.lastname@example.org" enctype="text/plain" onSubmit="window.alert('This form is being sent by email, even though it may not appear that anything has happened...')">
Figure 9-2. A warning about a mailto form submission
The body of the resulting emailed form message looks something like this:
name=wild bill sex=M income=Under $25,000
9.4.1. Problems with Email Forms
If you choose to use either mailto or a form-to-email facility, there are several problems you may have to deal with:
The last problem deserves additional explanation. Some web providers support special "secure" web servers that attach an encryption key to your web page when sent to the user browser. The popular browsers use that key to encrypt any data your document may send back to that same server, including the user's form data. Since only the client's browser and the server know the key, only that server will be able to decipher the information coming back to it from the client browser, effectively securing the information from nefarious eavesdroppers and hackers.
However, if you use email to retrieve the form data, the server decrypts it before packaging the form information into the body of an email message and sending it to you. Email normally is highly susceptible to eavesdropping and other types of snooping. Its contents are very insecure.
So, please, if you use an email method to retrieve sensitive form data, such as credit cards and personal information, be aware of the potential consequences. And don't be fooled or fool your users with a "secure" server when insecure email comes out the back end.
In spite of all these problems, email forms present an attractive alternative to the web author constrained by a restricted server. Our advice: use CGI scripts if at all possible and fall back on mailto URLs if all else fails.
Copyright © 2002 O'Reilly & Associates. All rights reserved.