my experience setting up formmail w/ captcha & verification



hubiedo
18-Mar-2009, 05:33 AM
I have written up my experiences doing a complete setup for my needs and how I think you could save a couple steps along the way. Hopefully it will help someone else. I have also put it on the web at:
http://www.mgmtkoncepts.com/formmail.htm

The documentation and Terry Allen's article are invaluable also, along with the great forum guys and gals.

FORMMAIL ENCODER SETUP WITH CAPTCHA & REQUIRED VERIFICATION

By: Hubert J. Kelsheimer

I hope this complements Terry Allen's fine article referred to below. I will not cover some of the steps in the T.A. article except where either I had some problems figuring out something or I think you can save time or steps to get the big picture. It may not cover some of the fancier stuff that you may want but maybe it will help you organize the process a little better.

Goals:

I wanted secure web pages, encrypted email forms for sensitive information transfer and I wanted the secure images to prevent spammers.

This turned out to be quite a process to set up since I was a newbie to all this security stuff.

Initial steps I went through:

At Bluehost, my website host, I set up:

ssl
ssh (for this I had to send some identification info by fax to them)

I tested my secure web pages once completed and used a self-generated public key, private key, CSR and CRT that I completed on Bluehost. Luckily, they made this part fairly easy and Bluehost has a really good set of tools for website administration.

This worked well for testing but I needed a CRT that was accepted and verified (for the general public etc.) with the little icon for the web pages. So I got a Comodo CRT on a 3 month trial before I have to pay for the service which should give me time to get it all working and tested etc. I had some trouble getting the CRT into Bluehost mostly because I have never done it before. Bluehost offered a Comodo SSL certificate that did everything automatically and so I bought it and it was immediately installed and the website changes were functional overnight.

Comodo (Instant SSL)- you can easily find their website.

For Comodo, I found I needed a special email address from a list of their specified addresses that they would recognize for verifying I was good to be working on the Certificates and then they would issue the certificate (kind of a dual verification step)

I purchased the formmail decoder.

I downloaded the decoder software and installed it on the computer that will be receiving the emails, at our office.

Once set up I created the public and private keys from within encoder as I had some trouble trying to use our regular PGP keys and didn't want to mess around with it anymore. I then made copies of the keys and took them home where I would be setting up the forms and eventually the setup for formmail encoder forms to be sent ftp onto the website.

I also downloaded the formmail encoder (both for linux and windows since I didn't know which one I would need).

I found it was a slow and tedious process to work through all the steps to the end product.

Terry Allen's "how to" article is absolutely invaluable. See tectite website to locate it.

I wanted to test everything and then drop my current forms into the "sample forms" utilizing the setup that was tested and working and then renaming the files/forms, as necessary so they would end up with the same name referred to throughout my current website. At least that was the plan.

Setting up formmail.php tips, or what I found after experimenting around, was that setting up the recipient was not that clear with the special characters. Here is what I ended up with in the input fields at line 239 in formmail.php. The explanation above that line was a little confusing to me and I experimented until I got it right. (The special characters are required.)


$TARGET_EMAIL = array("^john@yourweb\.com$");

/* Help: http://www.tectite.com/fmdoc/def_alert.php */
define("DEF_ALERT","john@yourweb.com");


STEP 1

NOTE: MAKE COPIES OF EACH STEP AS YOU CHANGE THE FORMS IN CASE YOU MESS UP - THEN YOU CAN AT LEAST GO BACK TO WHERE YOU WERE. I.E. SAMPLE1, SAMPLE2 ETC.

NOTE: IF YOU KNOW FROM THE START THAT YOU WANT CAPTCHA & REQUIRED VERIFICATION FOR YOUR EMAILS YOU MIGHT WANT TO SKIP TO STEP 2 SO YOU DON'T DO IT TWICE.

In my opinion you can do all the testing & set up using the CAPTCHA & REQUIRED VERIFICATION samples. Remember either way you MUST test all the steps outlined by Terry Allen (see paragraph below).

Once you have downloaded, tested, setup formmail.php and tested a sample form, verify images etc. as specified in Terry Allen's article, you are ready to make the additional changes for a customized formmail product.

STEP 2

IF YOU SKIPPED STEP 1 YOU MUST STILL FOLLOW THE STEPS WITH TERRY ALLEN'S ARTICLE --JUST APPLY THEM TO THE CAPTCHA SAMPLE FORMS.

Once you have downloaded, tested, setup formmail.php and tested a sample form, verify images etc. as specified in Terry Allen's article, you are ready to make the additional changes for a customized formmail product. Except this time you have the form & php file for/including the CAPTCHA stuff.

I wanted to have CAPTCHA and required verification so I downloaded:

sampleimgverify.zip

Note: You can do everything with this form

Once I got everything working ok (step 1) then I went to work on CAPTCHA & REQUIRED VERIFICATION. I found I had to do everything again because the CAPTCHA sample forms had the same setup as in 1 above plus the CAPTCHA & VERIFICATION REQUIRED.


Now I really had a sample form that had everything to basically set up and ready to add my email forms. I got it set up, tested etc. and was ready to integrate my previous email forms from my website. If you didn't have a previous email form you will have to learn all of that too.

NOTE: FOR TESTING I USED MY HOME EMAIL SO I COULD WORK ON THE FORMS & TEST THEM. WHEN FINISHED I WILL HAVE TO GO BACK & CHANGE THIS IN formmail.php or sampleimgverify.php. Once fixed for testing I FTP'd the sample form & php file to the website.

I used an FTP program to download these files to the directory with all of my regular website .htm pages in it. It worked fine. I FTP'd the "sampleformname.htm" to the website for direct access & testing on a continual basis during this process.

Copy the header into the new working formmail w/ CAPTCHA.

I then changed the required field name from "email" to "email2" which was the name included in my original form. I also had to change "realname" to "cltrep2" which again was in the original form I had used. Then I changed the header into the new form from the original form and marked the required fields with a red *. Now I had a working form.


Next I wanted to add a "thanks.htm" to the process which I already had on the website. So I added the changes for the thanks.htm and made a new error.htm and changed the code so that it would use them. See article regarding "bad URL" and "good URL" on the tectite website.


Now I needed to set up the Encoder part.

For me the encoder part was pretty straightforward as I wanted the full form encoded. I FTP'd the fmencoder file to the cgi-bin folder along with the public key. I found that the public key had to be renamed to pubkey.txt as the yourweb.com-pub.txt (that you get with the Decoder installation and key setup) won't work with that filename on the website.

BOTH OF THESE FILES HAD TO GO INTO THE CGI-BIN FOLDER AS THAT IS WHAT THE ENCODER FILE IS LOOKING FOR AND YOU WILL GET ERRORS UNTIL FIXED.
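Added example (not part of the original post and not FormMail's own code): why the special characters in the `$TARGET_EMAIL` entry above matter when the entry is treated as a regular expression that limits which recipients a form may send to. `recipient_allowed()` is a hypothetical stand-in for that check, case-insensitive matching is an assumption, and the sample addresses are constructed.

```php
<?php
// Added illustration. recipient_allowed() is hypothetical; it is not a
// FormMail function. Assumption: each $TARGET_EMAIL entry is a regular
// expression matched case-insensitively against the requested recipient.

function recipient_allowed(string $address, array $patterns): bool
{
    foreach ($patterns as $pattern) {
        // Wrap the bare pattern in '~' delimiters, which do not occur in it.
        if (preg_match('~' . $pattern . '~i', $address) === 1) {
            return true;
        }
    }
    return false;
}

// Pattern from the post: anchored with ^ and $, dot escaped with a backslash.
$anchored = array('^john@yourweb\.com$');
// The same address written without the special characters, for comparison.
$loose = array('john@yourweb.com');

// Constructed sample recipients.
$samples = array(
    'john@yourweb.com',             // the intended mailbox
    'JOHN@yourweb.com',             // same mailbox, different case
    'john@yourweb.com.example.net', // extra text after the address
    'notjohn@yourweb.com',          // extra text before the address
    'john@yourwebXcom',             // an unescaped dot matches any character
);

printf("%-30s %-9s %s\n", 'recipient', 'anchored', 'loose');
foreach ($samples as $address) {
    printf(
        "%-30s %-9s %s\n",
        $address,
        recipient_allowed($address, $anchored) ? 'allow' : 'reject',
        recipient_allowed($address, $loose) ? 'allow' : 'reject'
    );
}
```

Run with `php` on the command line; the anchored pattern accepts only the first two samples, while the loose one accepts all five.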

russellr
18-Mar-2009, 11:54 PM
Hi,

Thanks for posting your experience.

A couple of things I need to point out....



I wanted to test everything and then drop my current forms into the "sample forms" utilizing the setup that was tested and working and then renaming the files/forms, as necessary so they would end up with the same name referred to throughout my current website. At least that was the plan.
You'll generally find it easier to use the Configuration Wizard to start your setup process. It saves a lot of time and effort.

Also, we've recently implemented a form "conversion" feature. You can design your HTML form pages in whatever tool you used to develop your other website pages, and then upload these forms to the Wizard. It will convert the forms to use your custom FormMail that it configures for you.



I found that the public key had to be renamed to pubkey.txt as the yourweb.com-pub.txt (that you get with the Decoder installation and key setup) won't work with that filename on the website.
No, you don't need to (and shouldn't) rename your public key file.

If you double-check the Help | Getting Started section in FormMailDecoder, you'll see that it recommends that you reconfigure the "encode" filter command inside FormMail.

That's the preferred method of action.

hubiedo
19-Mar-2009, 02:45 AM
Thanks for the reply russel. I just wanted to be an active member of the community. I am sure other people will read your reply and make good use of the configuration wizard and form conversion wizard. I tried the configuration wizard right at the beginning and it said it couldn't do it / set it up etc., so I started out on my own to fix it. I will certainly try the form converter and will retry the configuration wizard. Considering my rather novice standing at this stage I probably didn't do the configuration wizard right. I never noticed / missed the form converter so I will give it a shot.

hjk