Form Handling CGI script - forms.cgi

This document describes how you can use our forms handling scripts to handle your form data. We describe how you can design your forms and give you some real examples you can copy and enhance. If you are a FrontPage user, don't worry about the technical details of HTML in this document; you can use the FrontPage editor's user interface to hide all the HTML, and we give a detailed step-by-step example.

The forms handler script is called forms.cgi and can be invoked from your form using an HTML <FORM> tag and setting action="http://www.bigbiz.com/cgi-bin/forms.cgi". The host name www.bigbiz.com may change depending on which server you are on; this is discussed later. For secure forms you can post to https://www.bigbiz.com/cgi-bin/forms.cgi. If you are a FrontPage user, you can set your form properties to post to a CGI script and type in the name of this script; more on that later.

Example

Let's start with an example.
This form lets you enter your name, and email address, and posts it to the forms.cgi script. This form is configured to send the message "Thank you for using forms.cgi" to the email address you enter. This is just a simple demonstration of using forms.cgi to mailback form results.

The HTML code for the above example is as follows:

<form action="http://www.bigbiz.com/cgi-bin/forms.cgi" method="POST">
Name: <input name=myname>
Email address: <input name=F_to>
<input type=hidden name=msg value="Thank you for using forms.cgi">
<input type=hidden name=yourname value="Your name is">
<input type=hidden name=F_fields value="yourname+myname,msg">
<input type=hidden name=F_subject value="forms.cgi test">
<input type=hidden name=F_from value="nobody@bigbiz.com (Form Test - Do not reply)">
<input type=submit value="Send">
</form>

Let's discuss each component of the form so you understand it better.

action="http://www.bigbiz.com/cgi-bin/forms.cgi"

ACTION specifies the CGI script your form is posted to. Depending on which server you are on, and whether you want to post the form data securely, the URL can change.
Server | URL | Secure URL
web01 | http://www.bigbiz.com/cgi-bin/forms.cgi | https://www.bigbiz.com/cgi-bin/forms.cgi
web02 | http://web02.bigbiz.com/cgi-bin/forms.cgi | https://secure.bigbiz.com/cgi-bin/forms.cgi
web03 | http://web03.bigbiz.com/cgi-bin/forms.cgi | https://web03.bigbiz.com/cgi-bin/forms.cgi
web04 | http://web04.bigbiz.com/cgi-bin/forms.cgi | https://web04.bigbiz.com/cgi-bin/forms.cgi
web05 | http://web05.bigbiz.com/cgi-bin/forms.cgi | https://shop.bigbiz.com/cgi-bin/forms.cgi
It is important you use the script for the server you are on - it will not work otherwise.

method="POST"

The method will always be POST; this is just the world wide web standard for cgi scripting.

myname

This is a user-defined field; it is later listed in F_fields to put it into the message that's mailed to you. You should probably list all user-defined fields in the F_fields variable.

F_to

When you want the form results to be e-mailed, you need to specify system variables F_to, F_from, and F_subject. In this form we let the user type in the F_to variable. Note: all system variables begin with an uppercase F and underscore "F_"; and have special meanings.

hidden

Hidden variables are useful to pass user information and system information to the forms.cgi script. There are many system variables that control the forms.cgi script (see the reference section). These are typically passed into the script as hidden variables. You can also pass in user defined hidden variables to be included in your form results.

msg

This is a user defined hidden variable and will be placed in the body of the email. It is listed in F_fields.

yourname

This is a user defined hidden variable and will be placed in the body of the email. It is listed in F_fields.

F_fields

This system variable specifies which variables are to be included in the body of the message. The format of F_fields determines how your message will appear: a "+" is replaced with a space, and a "," is replaced by a new-line. You should always specify an F_fields hidden variable.

F_subject

This is a system variable for email - specifies the subject line used in the message.

F_from

This is a system variable for email - specifies the sender of the message.

submit

Each form must have a submit button, the value will be shown on the button.

FrontPage Forms

If you are a FrontPage user, you can design your forms using the FrontPage editor. As an example we will duplicate creating the above form using FrontPage. We will show you step-by-step what to do to achieve the same results as the above html.

Click HERE for the FrontPage step-by-step, which includes all the screen shots. The page has a lot of screen shots and may take some time to load, be patient.

Click HERE for the "light" version where you can click-thru to each graphic (loads much faster).

Mail Back Forms

The most common use for forms.cgi is to mail the users' input to the webmaster. The mailback example above illustrates its use. As a minimum you should specify a F_to variable. We also recommend setting F_from, F_subject, and F_fields.

Example:

FEEDBACK FORM
<form action="http://www.bigbiz.com/cgi-bin/forms-test.cgi" method="post">
<input type=hidden name=F_to value="webmaster@mydomain.com">
<input type=hidden name=F_subject value="Feedback">
Name: <input name=name><br>
Email address: <input name=F_from><br>
Message: <textarea name="message" ROWS="13" COLS="75"></textarea><br>
<input type=hidden name=F_fields value="name,F_from,message">
<input type=hidden name=F_required value="name,F_from,message">
<input type=submit value="Send comments to the Web Master">
</form>

Secure Forms

A popular use of secure forms is for online order forms. Security is needed to make sure sensitive information (like credit card numbers and bank account info) can't be intercepted by third parties.

To set up a secure form, you need to

Access the form using a secure URL

Your web site is normally accessed using http://www.yourdomain.com and is considered (by industry experts) to be non-secure. A third party with the proper equipment can tap the transit routers and capture the data as it goes across the internet and steal your information. Think of the analogy of someone tapping your phone line or listening in on your cellular phone call.

Your web site can also be accessed using a secure URL using the https protocol, for example: https://www.bigbiz.com/yourdomain.com. When you use https, the information sent across the internet is encrypted and is nearly impossible for someone capturing the data to decrypt. Your secure URL will depend on which server your web site was assigned to, and you can find it in the "welcome" message you received when we opened your account.

Currently the following are the shared secure server URLs:
Server | Secure URL
web01 | https://www.bigbiz.com/yourdomain.com
web02 | https://secure.bigbiz.com/yourdomain.com
web03 | https://web03.bigbiz.com/yourdomain.com
web04 | https://web04.bigbiz.com/yourdomain.com
web05 | https://shop.bigbiz.com/yourdomain.com
If you don't know your server, try them all and see which one works.

When you have a form on your web site, you can link to it using the secure URL to the form instead of the regular URL; that will give the users of your form the feeling of security. For example, suppose your form is at http://www.acme.com/shopping/orderform.html and you are on web01; then the secure URL is https://www.bigbiz.com/acme.com/shopping/orderform.html.

Translating a normal URL to a secure URL is key to making portions of your web site secure. We illustrate with 2 examples, one on web01 and one on web04:




Note: FrontPage users, you cannot use any web-bots on your secure forms (example: hit counters), they will not work when you access it using the shared secure server. Design your secure forms without web-bots.

Specify a secure URL for the form ACTION

For the ACTION="URL" field in the <FORM> tag, specify the secure URL of the forms.cgi script. The following table shows the URL to use:

Server | Secure URL for form ACTION
web01 | https://www.bigbiz.com/cgi-bin/forms.cgi
web02 | https://secure.bigbiz.com/cgi-bin/forms.cgi
web03 | https://web03.bigbiz.com/cgi-bin/forms.cgi
web04 | https://web04.bigbiz.com/cgi-bin/forms.cgi
web05 | https://shop.bigbiz.com/cgi-bin/forms.cgi

Encrypt sensitive fields

For best protection, you can tell forms.cgi to encrypt some fields. If someone intercepts your e-mail, or somehow gets your logfile, they would have a very difficult time decrypting your message. We highly recommend encrypting credit card numbers.

Note: To use encryption you must obtain an encryption key first. Click HERE to get an encryption key.

To encrypt, add "_encrypted" to the variable you want to encrypt in the F_fields list; the encrypted version of the variables will be sent instead of the normal versions. You will also need to add system variable F_key, which is your encryption key as obtained above. You can use your encryption key on your forms, even tell other people, however DO NOT TELL ANYONE YOUR SECRET PASS PHRASE. You will use your secret pass phrase to decrypt your messages.

Example:

<INPUT NAME=cc_number>
<INPUT TYPE=HIDDEN NAME=F_fields VALUE="cc_number_encrypted">
<INPUT TYPE=HIDDEN NAME=F_key VALUE="nNxgFpguL0A">

When you receive the form results (by email for example), you will notice the cc_number field is encrypted. You need to use the form at https://www.bigbiz.com/decrypt.html to decrypt the credit card number. Note: it is very difficult for someone to guess your decryption phrase, even if they know your encryption key. We recommend bookmarking the decryption page.

Working Example:
This example form lets you enter a credit card number (you don't have to enter a real one) and demonstrates encrypting it. It will email you the encrypted number. When you receive the email, use the Decryption Form to decrypt the number. You can use your own encryption key, or for this demo you can use encryption key="nNxgFpguL0A" and decryption phrase="Mary had a little lamb.". The encryption key is normally passed as a hidden field.

Example: skip to the section on Secure Order Forms for a real example

OK and Error Pages

After the user submits the form and forms.cgi processes it, it displays a simple page "Your form has been processed, thank you". This is probably not adequate for most applications so forms.cgi allows you to specify your own URL for the thank-you page. Set the URL in the system variable F_ok_url, example:

<INPUT TYPE=HIDDEN NAME=F_ok_url VALUE="http://www.acme.com/thankyou.html">

Sometimes an error is detected in forms.cgi: a required field is missing, an email address is not valid, etc. We display the error message and instruct the user to go BACK, correct it and re-submit. You can override this behaviour by specifying your own F_error_url, example:

<INPUT TYPE=HIDDEN NAME=F_error_url VALUE="http://www.acme.com/formerror.html">

Note: If you specify a cgi script for F_error_url, we will pass the form variable error_message to it. It will contain the error message(s).

Working Example: This example shows F_ok_url and F_error_url being used. http://www.bigbiz.com/forms/ok-url-test.html

Confirmation Page

A confirmation page is optionally displayed to the user's browser after their input has been accepted. If you set the confirmation page variable F_display, then it overrides the F_ok_url and the default thank you message. You have better control over the confirmation page display, and you can include the user's input on the page.

Set F_display to the title of the confirmation page. The confirmation page contents will be the same as what's produced by F_fields. You can override F_fields using F_display_fields. If you want to be fancy, you can include HTML tags in F_display_fields to customize the output.

Example:

<input type=hidden name=F_display value="Thank you for your input">
<input type=hidden name=F_display_fields value="'Dear <B>'+name+'</B>','Your message dated'+F_date,'has been sent to our webmaster. We will respond as soon as possible.'">

Several other working examples on this page demonstrate the use of confirmation pages.
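An added illustration (not forms.cgi's own code) of the field-list format described here and under F_fields: a comma starts a new line, a plus joins components with a space, and single-quoted components are literals. It assumes the list is held on the server rather than read from the POST, and it HTML-escapes submitted values when building a confirmation page; the function names and sample values are constructed, and the _encrypted and F_orderline* features are not modelled.

```python
import html


def split_outside_quotes(spec, sep):
    """Split spec on sep, ignoring separators inside '...' literals."""
    parts, current, quoted = [], [], False
    for ch in spec:
        if ch == "'":
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def render_fields(spec, form, as_html=False):
    """Render an F_fields / F_display_fields style list against submitted values.

    Literals are emitted as written by the form author. Submitted values are
    HTML-escaped when as_html is true, so user input cannot add markup to the
    confirmation page. Unknown variable names render as empty strings.
    """
    lines = []
    for line_spec in split_outside_quotes(spec, ","):
        words = []
        for comp in split_outside_quotes(line_spec, "+"):
            comp = comp.strip()
            if not comp:
                continue  # an empty component (",,") yields a blank line
            if len(comp) >= 2 and comp[0] == "'" and comp[-1] == "'":
                words.append(comp[1:-1])
            else:
                value = form.get(comp, "")
                words.append(html.escape(value) if as_html else value)
        lines.append(" ".join(words))
    return ("<br>\n" if as_html else "\n").join(lines)


# Field lists taken from the page's examples.
MAILBACK_SPEC = "yourname+myname,msg"
CONFIRM_SPEC = ("'Dear <B>'+name+'</B>','Your message dated'+F_date,"
                "'has been sent to our webmaster. We will respond as soon as possible.'")
CATALOG_SPEC = "'Please send a catalog to',name,address,city+','+state+zip"

# Constructed sample submission.
SAMPLE_FORM = {
    "yourname": "Your name is",
    "myname": "Ann",
    "msg": "Thank you for using forms.cgi",
    "name": "Ann <ann@example.com>",
    "address": "1234 Main St.",
    "city": "Montclair",
    "state": "CA",
    "zip": "95332",
    "F_date": "Mon Aug 10 22:41:54 PDT 1998",
}

if __name__ == "__main__":
    print(render_fields(MAILBACK_SPEC, SAMPLE_FORM))
    print(render_fields(CONFIRM_SPEC, SAMPLE_FORM, as_html=True))
```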

Validating Credit Card Numbers

forms.cgi can validate credit card numbers using an industry standard checksum. Simply set the system variable F_validate_cc to your credit card number variable name. forms.cgi will check the credit card number and detect errors.
Example:

<INPUT TYPE=HIDDEN NAME=F_validate_cc VALUE="cc_number">

Working Example:

<form action="https://www.bigbiz.com/cgi-bin/forms.cgi" method="POST">
Credit Card Number: <input name=credit_card size=20>
<input type=hidden name=F_display value="Credit Card Test">
<input type=hidden name=F_validate_cc value="credit_card">
<input type=hidden name=F_fields value="credit_card+'is a good number'">
<input type=submit>
</form>

The check will catch most mistyped and randomly typed numbers. Give it a try.
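An added example, not taken from forms.cgi, of what such a checksum does and does not catch. It assumes the checksum is the Luhn algorithm used on payment card numbers, which the demo number 49927398716 quoted later on this page satisfies; the function names and the 16-digit sample are constructed for the illustration. A passing number is only well-formed: the check says nothing about whether the card exists or can be charged.

```python
DIGITS = "0123456789"


def luhn_valid(number):
    """Return True if number (spaces and dashes allowed) passes the Luhn check."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned or any(c not in DIGITS for c in cleaned):
        return False
    total = 0
    for i, c in enumerate(reversed(cleaned)):
        d = int(c)
        if i % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9      # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def single_digit_errors_caught(number):
    """Try every one-digit substitution; return (rejected, tried)."""
    rejected = tried = 0
    for i, original in enumerate(number):
        for replacement in DIGITS:
            if replacement == original:
                continue
            tried += 1
            if not luhn_valid(number[:i] + replacement + number[i + 1:]):
                rejected += 1
    return rejected, tried


def adjacent_swaps_missed(number):
    """Return the adjacent-digit transpositions that still pass the check."""
    missed = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a == b:
            continue
        swapped = number[:i] + b + a + number[i + 2:]
        if luhn_valid(swapped):
            missed.append(swapped)
    return missed


PAGE_DEMO_NUMBER = "49927398716"            # demo number given on this page
CONSTRUCTED_NUMBER = "4" + "0" * 12 + "903"  # constructed, Luhn-valid sample

if __name__ == "__main__":
    print(luhn_valid(PAGE_DEMO_NUMBER))
    print(single_digit_errors_caught(PAGE_DEMO_NUMBER))
    # Swapping an adjacent 0 and 9 is the one transposition Luhn cannot see.
    print(adjacent_swaps_missed(CONSTRUCTED_NUMBER))
```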

Required fields

forms.cgi can detect missing required fields. Simply set the system variable F_required to the list of required fields. If any of the fields are blank then an error message is issued.

Example:

<INPUT TYPE=HIDDEN NAME=F_required VALUE="name,address,phone_number">

Working Example: a form with Name, Address and Phone Number fields (you must fill in all the fields).

Logfile

forms.cgi normally generates an e-mail message. However, it can be modified to also generate a log file. In order to generate a logfile you will need to upload your own cgi script to define the name of the log file and the fields that will be recorded. Here is the format of your script:

#!/usr/bin/perl
$logfile='your log file name';
$logfilefields='your log file fields';
require('/usr/local/apache/cgi-bin/forms.cgi');

Example:

#!/usr/bin/perl
$logfile='orders.txt';
$logfilefields='F_date,name,address,city,state,zip,amount';
require('/usr/local/apache/cgi-bin/forms.cgi');

And you need to POST to your own script. You will be able to post your form to either the secure or regular URLs. For example, if you upload the script named orders.cgi into the cgi-bin directory of your account acme.com on web01, you can post to

<FORM ACTION="http://www.acme.com/cgi-bin/orders.cgi" METHOD=POST>

or for secure posting

<FORM ACTION="https://www.bigbiz.com/acme.com/cgi-bin/orders.cgi" METHOD=POST>

By specifying the variables $logfile and $logfilefields, the script will append the form results to a logfile. You can later download the file and use it for whatever purposes, order tracking, import to database, etc... Set $logfile to the name of the file, it will be put into your home directory; if you are a FrontPage user, the file will be put into your _private directory.

Set $logfilefields to a list of fields to log. You can include special fields (ones beginning with F_), and you can also include encrypted fields (ending with _encrypted). In the above example you may end up with a logfile that looks like this:

"Sun Jul 19 13:24:57 1998","Trisha Ashby","555 Oak Blvd.","Los Angeles","CA","90213","13.95"
"Sun Aug 2 19:56:18 1998","Peter Miles","294 State Ave., Apt. 2","New York","NY","10002","75.00"
"Tue Aug 18 22:57:35 1998","Joe Sekera","1234 Main St.","Montclair","CA","95332","20.00"

It is safe to encrypt secret fields into your logfile; if someone manages to steal your logfile, they cannot get the secret fields. To decrypt your logfile, download it to your system, and use the decryption page's "UPLOAD" feature to decrypt an entire file all at once.

Note: we assume you already know how to upload scripts into your cgi-bin directory.

Special F_fields Variables

Add these special variables to your F_fields list if you want them in your message.

F_date

The time and date is placed in this variable

F_referer

The URL of the form

F_ip_address

The IP address of the user submitting the form

F_host

The hostname of the user submitting the form, if available

Testing your form

Instead of forms.cgi, use forms-test.cgi as your <form> action and you can test your form. The test script will display all your input, any errors detected, and give you a summary of actions it would have taken. We recommend using forms-test.cgi until everything is OK, then you can change the action to forms.cgi and go live. In case you haven't noticed yet, the working example in the "Mail Back Forms" topic above posts to forms-test.cgi; try it.

Example

<form action="http://www.bigbiz.com/cgi-bin/forms-test.cgi" method="POST">

Tip: if you uploaded your own script (see the discussion of logfile), just name your script forms-test.cgi if you want a test version.

Order Form Features

forms.cgi has special features to handle order forms with multiple lines of items. It can calculate line totals, subtotals, tax, and order total. (It cannot calculate shipping costs, so you would have to make a flat rate estimate).

On your order form line items, you need to send the fields QTY* and PRICE*, where * is a number. For example if you have 3 items, you can set PRICE1, PRICE2, and PRICE3. The corresponding QTY1, QTY2, and QTY3 would be the quantity ordered, and is generally a user entry field on the order form. You can define additional line fields, such as CATALOG_NUMBER*, DESC*, etc... which represent the item on the line.

When an order form is submitted, forms.cgi will calculate line totals (QTY* times PRICE*), and order subtotal (total of all the line totals). If the special variable F_taxrate is set, then we also calculate the tax (order subtotal times taxrate). Another special variable, F_totalsum, gives a list of fields to sum for the final order total. All of the calculated values (line totals, subtotals, tax, order total) are available to be used in your email, confirmation, or logfile using special variable names.

Here is an example of a simple order form for a hardware store. We explain how each form component works. You can try it out and send yourself some test orders. We also show you how you can make the form secure.

For demo purposes, enter your email address:
For demo purposes, the credit card number "49927398716" will pass the validation check.

ACME Hardware Shop Order Form

Quantity Catalog Number Description Price Each
06-1130 3 lb. Ball Peen Hammer 12.50
09-8756 12" Hacksaw, w. starter blade 24.95
13-8722 4 piece Philips Screwdriver Kit 4.33
06-2220 3/8 inch Crescent Wrench 9.99

Sales Tax:  CA resident (8.25%)        AZ resident (6%)     Other  (no sales tax)

Shipping:   UPS Ground ($10)     UPS Blue ($15)     Fed-Ex ($30)

Credit Card Number Expires /

Ship To

Name  
Address  
City, State Zip  
Phone  

<form method="POST" action="https://www.bigbiz.com/cgi-bin/forms.cgi">
<input type="hidden" name="CATN1" value="06-1130">
<input type="hidden" name="CATN2" value="09-8756">
<input type="hidden" name="CATN3" value="13-8722">
<input type="hidden" name="CATN4" value="06-2220">
<input type="hidden" name="ITEM1" value="3 lb Ball Peen Hammer">
<input type="hidden" name="ITEM2" value="12 inch Hacksaw, w. Starter Blade">
<input type="hidden" name="ITEM3" value="4 Piece Philips Scredriver Kit">
<input type="hidden" name="ITEM4" value="3/8 inch crescent wrench">
<input type="hidden" name="PRICE1" value="12.50">
<input type="hidden" name="PRICE2" value="24.95">
<input type="hidden" name="PRICE3" value="4.33">
<input type="hidden" name="PRICE4" value="9.99">
For demo purposes, enter your email address: <input name="F_to"><br>
For demo purposes, the credit card number "49927398716" will pass the validation check.<br>
<input type="hidden" name="F_from" value="forms.cgi@bigbiz.com (Forms.cgi test)">
<input type="hidden" name="F_subject" value="ACME Hardware Store Order">
<input type="hidden" name="F_totalsum" value="F_subtotal,F_tax,Shipping">
<input type="hidden" name="F_orderline" value="QTY*,CATN*,PRICE*,F_linetotal,ITEM*">
<input type="hidden" name="F_fields" value="F_date,F_ip_address,F_host,'Phone:'+phone,,'Ship to:',name,address1,address2,,F_orderline*,'Subtotal'+F_subtotal,'Tax'+F_tax,'Shipping'+Shipping,'Order Total'+F_total,,credit_card_number_encrypted+'Expires'+exp1+'/'+exp2">
<input type="hidden" name="F_key" value="nNxgFpguL0A">
<input type="hidden" name="F_cc_validate" value="credit_card_number">
<input type="hidden" name="thanks" value="Thank you for your order, you will receive phone confirmation from our shipping department shortly.">
<input type="hidden" name="F_display" value="Order Received">
<input type="hidden" name="F_display_fields" value="'We received the following order on'+F_date,,'Ship to:',name,address1,address2,,'<listing>'+F_orderline*+'</listing>',,'Subtotal'+F_subtotal,'Tax'+F_tax,'Shipping'+Shipping,'Order Total'+F_total,'Phone Number'+phone,,thanks">
<input type="hidden" name="F_required" value="name,address1,address2,phone,credit_card_number">
<center><p><strong>ACME Hardware Shop Order Form</strong></p></center>
<table border="1" width="100%">
<tr> <th width="13%">Quantity</th> <th width="47%">Catalog Number</th> <th width="57%">Description</th> <th width="45%">Price Each</th> </tr>
<tr> <td width="13%"><input type="text" name="QTY1" size="9" value="0"></td> <td width="47%">06-1130</td> <td width="57%">3 lb. Ball Peen Hammer</td> <td width="45%">12.50</td> </tr>
<tr> <td width="13%"><input type="text" name="QTY2" size="9" value="0"></td> <td width="47%">09-8756</td> <td width="57%">12" Hacksaw, w. starter blade</td> <td width="45%">24.95</td> </tr>
<tr> <td width="13%"><input type="text" name="QTY3" size="9" value="0"></td> <td width="47%">13-8722</td> <td width="57%">4 piece Philips Screwdriver Kit</td> <td width="45%">4.33</td> </tr>
<tr> <td width="13%"><input type="text" name="QTY4" size="9" value="0"></td> <td width="47%">06-2220</td> <td width="57%">3/8 inch Crescent Wrench</td> <td width="45%">9.99</td> </tr>
</table>
<p>Sales Tax:
<input type="radio" value="8.25" name="F_taxrate">CA resident (8.25%)
<input type="radio" name="F_taxrate" value="6">AZ resident (6%)
<input type="radio" name="F_taxrate" value="0" checked>Other (no sales tax)</p>
<p>Shipping:
<input type="radio" name="Shipping" value="10.00" checked>UPS Ground ($10)
<input type="radio" name="Shipping" value="15.00">UPS Blue ($15)
<input type="radio" name="Shipping" value="30.00">Fed-Ex ($30)</p>
<p>Credit Card Number <input type="text" name="credit_card_number" size="20"> Expires
<select name="exp1" size="1">
<option value="01">01</option> <option value="02">02</option> <option value="03">03</option> <option value="04">04</option>
<option value="05">05</option> <option value="06">06</option> <option value="07">07</option> <option value="08">08</option>
<option value="09">09</option> <option value="10">10</option> <option value="11">11</option> <option value="12">12</option>
</select>/<select name="exp2" size="1">
<option value="98">98</option> <option value="99">99</option> <option value="00">00</option> <option value="01">01</option>
<option value="02">02</option> <option value="03">03</option> <option value="04">04</option>
</select></p>
<p>Ship To</p>
<table border="1" width="454">
<tr> <td align="right" width="162">Name </td> <td width="288"><input type="text" name="name" size="30"></td> </tr>
<tr> <td align="right" width="162">Address </td> <td width="288"><input type="text" name="address1" size="30"></td> </tr>
<tr> <td align="right" width="162">City, State Zip </td> <td width="288"><input type="text" name="address2" size="30"></td> </tr>
<tr> <td align="right" width="162">Phone </td> <td width="288"><input type="text" name="phone" size="30"></td> </tr>
</table>
<p><input type="submit" value="Submit" name="B1"><input type="reset" value="Reset" name="B2"></p>
</form>

Let's discuss the various fields and their meanings.

QTY1, QTY2, QTY3, and QTY4

These fields are for user input for # of items ordered. The name must be QTYnnn where nnn is a number.

PRICE1, PRICE2, PRICE3, and PRICE4

These hidden fields are the corresponding single unit prices for each line item. The name must be PRICEnnn where nnn is a number corresponding to QTYnnn.

CATN1-4, ITEM1-4

These are additional descriptions for each line item. They are referenced in the variable F_orderline which is used to format the orderline output. You can have more of these XXXnnn variables depending on what your order processing department needs.

F_to, F_from, F_subject

Email fields. This sends the order to the order processing department.

F_taxrate

This radio button set inputs the tax rate to the script. The number is in percent. The special variable F_taxrate is used to calculate F_tax using the formula F_subtotal * F_taxrate / 100.

Shipping

This radio button set inputs the shipping charges. The variable Shipping is used later in F_totalsum to determine the order total.

F_subtotal

This is a calculated number, it is all the line totals combined.

F_linetotal

This special system variable holds the line total for each line whose quantity is non-zero. It is used in F_orderline for formatting the line output. This is a calculated number and has no meaning outside of F_orderline.

F_tax

This is the calculated tax based on F_taxrate.

F_totalsum

A list of variables to add together to arrive at the order total. F_subtotal and F_tax are calculated. Shipping is a user input. The calculated value can be printed using the variable F_total.

F_orderline

This gives the format of the order line used in the output (F_orderline* in F_fields). Each of the '*' variables is replaced by its corresponding line item value. F_linetotal is a special variable representing the line total.

F_fields

The format of the body of the message. The special features we use here are F_orderline*, which represents each order line (see F_orderline for its format). Note also the calculated values for F_subtotal, F_tax, and F_total are printed. The credit card number is encrypted.

F_key

The key used for encryption. The key here corresponds to a decryption phrase "Mary had a little lamb.". When you receive the email order you can use the decryption page to decode the credit card number.

F_cc_validate

We validate the credit card number before processing.

thanks

Just a literal used later in F_display_fields.

F_display and F_display_fields

The confirmation page title and format. Note use of F_orderline* surrounded by <listing></listing> so we can get a better format confirmation page.

F_required

We require the user to enter all those fields.

exp1 and exp2

Fancy input to collect the credit card expiration date.

action="https://www.bigbiz.com/cgi-bin/forms.cgi"

The form action posts to the secure URL. This is because we want to protect the credit card information.
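The line prices, tax rate and shipping charge in this form are ordinary form fields, so the figures that reach the script are whatever the browser posted. The following added example (not part of forms.cgi) recomputes an order from a server-side price list and reports any posted value that disagrees. The function names, the dictionary of posted fields, the quantity limit and the half-up rounding of tax to cents are assumptions, and the sample orders are constructed.

```python
import re
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Server-side copies of the values the ACME form sends in hidden and radio fields.
CATALOG = {
    "06-1130": Decimal("12.50"),
    "09-8756": Decimal("24.95"),
    "13-8722": Decimal("4.33"),
    "06-2220": Decimal("9.99"),
}
TAX_RATES = {Decimal("8.25"), Decimal("6"), Decimal("0")}
SHIPPING_RATES = {Decimal("10.00"), Decimal("15.00"), Decimal("30.00")}
MAX_QTY = 1000            # assumed per-line limit
CENT = Decimal("0.01")


def parse_decimal(text):
    """Return text as a finite Decimal, or None if it is not a plain number."""
    try:
        value = Decimal(str(text).strip())
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def check_order(form):
    """Recompute an order from posted fields.

    Returns (total, problems). total is None when any posted value
    disagrees with the server-side data, so the order can be held for review.
    """
    problems = []
    subtotal = Decimal("0")
    for key in sorted(form):
        match = re.fullmatch(r"QTY([0-9]+)", key)
        if not match:
            continue
        n = match.group(1)
        qty_text = form[key].strip()
        if not re.fullmatch(r"[0-9]+", qty_text) or int(qty_text) > MAX_QTY:
            problems.append(f"QTY{n}: {qty_text!r} is not a quantity from 0 to {MAX_QTY}")
            continue
        qty = int(qty_text)
        if qty == 0:
            continue
        catalog_number = form.get(f"CATN{n}", "")
        price = CATALOG.get(catalog_number)
        if price is None:
            problems.append(f"CATN{n}: unknown catalog number {catalog_number!r}")
            continue
        posted = form.get(f"PRICE{n}", "")
        if parse_decimal(posted) != price:
            problems.append(f"PRICE{n}: posted {posted!r}, catalog price is {price}")
        subtotal += qty * price   # always total with the server-side price

    taxrate = parse_decimal(form.get("F_taxrate", ""))
    if taxrate not in TAX_RATES:
        problems.append(f"F_taxrate: {form.get('F_taxrate')!r} is not an offered rate")
    shipping = parse_decimal(form.get("Shipping", ""))
    if shipping not in SHIPPING_RATES:
        problems.append(f"Shipping: {form.get('Shipping')!r} is not an offered charge")
    if problems:
        return None, problems

    # F_tax = F_subtotal * F_taxrate / 100, as given for F_taxrate above.
    tax = (subtotal * taxrate / 100).quantize(CENT, rounding=ROUND_HALF_UP)
    # F_totalsum = F_subtotal,F_tax,Shipping
    return subtotal + tax + shipping, problems


# Constructed submissions: one as the form sends it, one with altered values.
HONEST_ORDER = {
    "QTY1": "2", "QTY2": "0", "QTY3": "1", "QTY4": "0",
    "CATN1": "06-1130", "CATN2": "09-8756", "CATN3": "13-8722", "CATN4": "06-2220",
    "PRICE1": "12.50", "PRICE2": "24.95", "PRICE3": "4.33", "PRICE4": "9.99",
    "F_taxrate": "8.25", "Shipping": "10.00",
}
ALTERED_ORDER = dict(HONEST_ORDER, PRICE1="0.01", Shipping="0.00")

if __name__ == "__main__":
    print(check_order(HONEST_ORDER))
    print(check_order(ALTERED_ORDER))
```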

Secure Order Form

We've taken a copy of the above order form and uploaded it to the motelworld.com website. motelworld.com is on web02. We modified the form slightly. Otherwise the form is identical.

Note you can invoke the form securely by translating the normal URL http://www.motelworld.com/acme/order_test.html to https://secure.bigbiz.com/motelworld.com/acme/order_test.html. Since you are in charge of the links on your web site, make sure you use the secure link. That's all there is to converting a normal order form to a secure order form.

FrontPage design of Secure Order Form

Our final FrontPage example gives step-by-step instructions to design the secure order form shown above.

Go HERE for the page with all the graphics. The page has a lot of screen shots and may take some time to load, be patient.

Go HERE for the "light" version where you can click-thru to each graphic (loads much faster).

Reference

This section lists all system variables (those that begin with F_). When naming your own variables, don't name any beginning with "F_". We may add new system variables from time to time; they will always begin with F_.

F_cc

Specifies the Cc recipient(s) of the email message. See also F_to.

F_date

Specify this variable in your F_fields list to get a time/date stamp. Example:

<INPUT TYPE=HIDDEN NAME=F_fields VALUE="F_date,F_ip_address,F_referer">

will place the time/date, ip_address, and referring URL into your message, such as:

Mon Aug 10 22:41:54 PDT 1998
209.33.112.45
http://www.mydomain.com/shopping/orderform.html

F_display

Will display a web page with this title after processing the form. The body of the page is determined by F_display_fields or F_fields. You can use this to display a confirmation to the user that you received their input.

Example:

This form sends email and then displays a confirmation.

<form action="http://www.bigbiz.com/cgi-bin/forms.cgi" method=post>
Please send me a catalog<br>
Name: <input name=name><br>
Address: <input name=address><br>
City:<input name=city> State:<input name=state size=2> Zip:<input name=zip size=5><br>
<input type=hidden name=F_to value="catalog-request@bigbiz.com">
<input type=hidden name=F_from value="form@bigbiz.com (Web Form)">
<input type=hidden name=F_subject value="Send a catalog">
<input type=hidden name=F_fields value="'Please send a catalog to',name,address,city+','+state+zip">
<input type=hidden name=F_display value="Confirmation">
<input type=hidden name=F_display_fields value="'Thank you, a catalog will be mailed shortly to<B>',name,address,city+','+state+zip+'</B>'">
<input type=submit value="Send">
</form>

F_error_url

This is the URL which will be redirected to if the forms.cgi script detects an error. If you don't specify one then we simply display the error message. You can specify an html file or a cgi script. If you specify a CGI script, you can process the form variable error_message which we will pass to you.

Examples

<INPUT TYPE=HIDDEN NAME=F_error_url VALUE="http://www.mydomain.com/error.html">
<INPUT TYPE=HIDDEN NAME=F_error_url VALUE="http://www.mydomain.com/cgi-bin/error.cgi">

Note: in the cgi example, if the error was "Credit Card Number Invalid", then your cgi script will be invoked as http://www.mydomain.com/cgi-bin/error.cgi?error_message=Credit+Card+Number+Invalid, which sends the variable error_message into your script with the value "Credit Card Number Invalid".

F_fields

This system variable specifies which variables are to be included in the body of the message. All user defined fields should probably be put here. If you don't specify F_fields, then all user variables will be placed in the message, in alphabetical order.

Besides user variables, you can include any system variable in the list as well, especially F_date, F_ip_address, F_referer, and F_host. Example:

<input type=hidden name=F_fields value="name,address,phonenumber,amount,cc_number_encrypted,expires,F_date">

F_fields can also define the format of your message and include literal strings. Any number of these components can be included in the F_fields list: Components are joined with either a '+' or a ','.

F_from

Specifies the from address of the email that is sent. To send email you should specify F_from, F_to, and F_subject, and optionally F_cc. Example:

<input type=hidden name=F_to value="orders@mydomain.com">
<input type=hidden name=F_subject value="ORDER">
Email address: <input name=F_from>

F_host

Specify this variable in your F_fields list to get the Hostname of the user (if possible). Hostname is an attempt to resolve the user's IP address, sometimes it fails because the user's ISP has not configured reverse DNS. See also F_ip_address.

F_ip_address

Specify this variable in your F_fields list to get the IP Address of the user. IP address may be used as a clue to which ISP they are using to connect to the internet. For an example see F_date above.

F_key and *_encrypted

F_key specifies an encryption key to use for encrypting fields. Fields to be encrypted are named in the F_fields list with a _encrypted suffix. Use https://www.bigbiz.com/genkey.html to get a key to use. Use https://www.bigbiz.com/decrypt.html to decrypt your messages. Example:

<INPUT NAME=cc_number>
<INPUT TYPE=HIDDEN NAME=F_fields VALUE="cc_number_encrypted">
<INPUT TYPE=HIDDEN NAME=F_key VALUE="3d7hVX3g">

F_linetotal

It holds the current line total (QTY * PRICE), and is only useful in the F_orderline format. See Order Forms for details.

$logfile

$logfile can be set to the name of a file to log all results to. You can only set this variable if you upload your own cgi script. See the discussion on Log Files for an example.

The logfile will be placed either in your home directory or in the web directory _private if it exists (Note: FrontPage automatically creates the _private directory). To retrieve the contents of the logfile, you can ftp it from your home directory; make sure you set TEXT or ASCII mode to transfer the file. If it is placed in your _private web directory, you can get it with your browser at http://www.yourdomain.com/_private/name_of_file. You will need to enter your FrontPage userid and password.

Note: non-FrontPage users can also use the _private mechanism: create the web directory _private and add appropriate protections with .htaccess.

The variable $logfilefields can be used to specify the format for the logfile body.

$logfilefields

List the variables you want logged. The overall format of the logfile entries is comma separated values enclosed in quotes (commonly known as CSV). The logfiles are suitable for importing into spreadsheet and database programs.

Example:

$logfilefields = 'name,email,F_date';

F_names

Set this variable to 1 if you want variables to be preceded by their names.

Example:

<input type=hidden name=F_fields value="name,address,phone">

Normally we don't display names, so the body looks like this:

Joe Smith
1234 Main St.
555-1212

However, if we set F_names:

<input type=hidden name=F_names value="1">
<input type=hidden name=F_fields value="name,address,phone">

the body looks like this:

name: Joe Smith
address: 1234 Main St.
phone: 555-1212

F_ok_url

This is the URL the user's browser is redirected to after successful processing of the form. Example:

<INPUT TYPE=HIDDEN NAME=F_ok_url VALUE="http://www.yourdomain.com/thankyou.html">

F_orderline and F_orderline*

F_orderline gives the format of the F_orderline* variable used in F_fields. It determines the print format of each line item (whose QTY is nonzero). End a variable name with '*' to indicate that it varies per item.

When you use F_orderline* in F_fields, it places the entire block of formatted order lines into the output. You can also use F_orderline* in F_display_fields.

QTY* and PRICE*

These special names are used for order form processing. See the section on Order Forms for details.

F_referer

Specify this variable in your F_fields list to get the URL of the form which posted to the script. Note: some browsers do not send referer correctly. For an example see F_date above.

F_required

You can specify a list of variables which must have a value. For example, if your form requires name, address, and phone number to have an input, use:

<INPUT TYPE=HIDDEN NAME=F_required VALUE="name,address,phone_number">

Suppose the user didn't enter any address; forms.cgi will then invoke F_error_url with the message "Missing required input: address".

F_subject

Specifies the Subject: of the email message. See F_from for an example.

F_subtotal

This is a calculated amount, and is the sum of all the line totals. For example QTY1*PRICE1 + QTY2*PRICE2 + ... See Order Forms for details.

F_taxrate and F_tax

If F_taxrate is set, the value of F_tax is calculated as F_tax = F_taxrate * F_subtotal * 100. (The multiply by 100 is there because the rate is a percentage). The astute programmer will notice that setting this to a negative number will give a discount. See Order Forms for details.

F_to

Specifies the recipient(s) of the email message. See F_from for an example.

F_totalsum and F_total

F_totalsum is a list of variables which are added together to calculate F_total. See Order Forms for details.

Example:

<input type="hidden" name="F_totalsum" value="F_subtotal,F_tax,Shipping">

F_validate_cc

Specifies the variable name of a credit card number which will be checked for validity. Note: this only does an industry-standard checksum; it does NOT use the banking network to check funds. It is at most useful for guarding against mis-typed numbers. Example:

Credit Card Number: <INPUT NAME=cc_number>
Expires: <INPUT NAME=expires>
<INPUT TYPE=HIDDEN NAME=F_validate_cc VALUE="cc_number">
<INPUT TYPE=HIDDEN NAME=F_required VALUE="cc_number,expires">
<INPUT TYPE=HIDDEN NAME=F_fields VALUE="cc_number_encrypted,expires">
<INPUT TYPE=HIDDEN NAME=F_key VALUE="hjU8E6x">
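The kind of check F_validate_cc describes, as an added example rather than code from forms.cgi. It assumes the "industry standard checksum" is the Luhn (mod 10) algorithm, which this page does not name, and it shows what such a check catches (a mistyped digit, most swapped neighbours) and one typo it cannot catch (09 swapped with 90). The function names and sample numbers are constructed for the illustration.

```python
"""Luhn (mod 10) checksum, the assumed algorithm behind F_validate_cc."""
import re


def normalize(card_number):
    """Strip the spaces and dashes users type; return digits or None."""
    digits = re.sub(r"[ -]", "", card_number)
    if not re.fullmatch(r"[0-9]{12,19}", digits):
        return None  # letters, empty input, or an implausible length
    return digits


def luhn_sum(digits):
    """Sum digits right to left, doubling every second one."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        value = int(ch)
        if position % 2 == 1:      # 2nd, 4th, ... digit from the right
            value *= 2
            if value > 9:          # 12 -> 1 + 2 = 3, same as value - 9
                value -= 9
        total += value
    return total


def luhn_valid(card_number):
    """True if the number is well formed and its checksum is 0 mod 10."""
    digits = normalize(card_number)
    return digits is not None and luhn_sum(digits) % 10 == 0


def check_digit(payload):
    """Compute the final digit that makes payload + digit pass the check."""
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


if __name__ == "__main__":
    # Constructed sample inputs (the first is a widely published test number).
    for sample in ["4111 1111 1111 1111",   # passes
                   "4111 1111 1111 1112",   # one mistyped digit: rejected
                   "1411 1111 1111 1111",   # first two digits swapped: rejected
                   "4000 0009 0000 0003",   # constructed number: passes
                   "4000 0090 0000 0003"]:  # 09 typed as 90: still passes
        print(sample, "->", "ok" if luhn_valid(sample) else "rejected")
```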