Secure Website Applications...

Online Forms...

madcat

4:09 am on Aug 28, 2003 (gmt 0)

I have a client that needs me to add an online application to their site. It has to be secure because people will be putting their social security number in the form. What types of things specifically should I be thinking about?

Do I create the form like any other? SSL?

Thank you...

netcommr

4:19 am on Aug 28, 2003 (gmt 0)

Do I create the form like any other? Yes.

SSL? That one is a must in this case.

Also, think about where you're going to store and secure this data. The web server is NOT a secure enough place for keeping it all; it's OK for temp storage if you have to, but move it off the server daily. If physical copies of this data are made, then you have to secure your office, and DON'T just throw something in the trash: destroy it. Too many dumpster divers out there, trust me.

[edited by: netcommr at 4:21 am (utc) on Aug. 28, 2003]

bunltd

4:21 am on Aug 28, 2003 (gmt 0)

You'll need SSL, and the page the form is on and the script it posts to should both be served https. There might be other considerations: are you going to be storing the data in a database, or doing something else with it?

LisaB

jamesa

9:31 am on Aug 28, 2003 (gmt 0)

SSL protects the data being sent from the user's browser to the web server, and that's it. Nothing more. It does two things simultaneously: encrypts the data, and verifies that it's sending it to the right person. Kind of like having an armoured guard deliver money to you. But that's just the beginning...

If you store the data on the server in plain text, that would be analogous to having an armoured guard delivering money to your office only to set it on the counter and leave.

If you turn around and email that data back to your client, that would be analogous to having an armoured guard deliver money to you and then you putting it in the back seat of your car and driving home with it.

And then what security precautions does the client take (in their office) once they have the data? Can any Joe-blow temp, or cleaning person for that matter, get into their database and mine all the data?

I mention this because most people don't think past SSL, when in fact it's only the first step.

madcat

6:54 pm on Aug 28, 2003 (gmt 0)

Thanks! That's great stuff.

But I'm not sure how I should store these applications. If point A is the form and point B is my client, how can I make sure the information gets from the user's computer to my client's hands securely? What kind of options do I have?

Also, how would I charge for such a component?

madcat

6:57 pm on Aug 28, 2003 (gmt 0)

I need to buy an SSL certificate through VeriSign? Options? This will only ensure that the information gets to the web server safely, right?

What about to my client's hands, like I've mentioned previously?

I feel like twenty questions, but...

jamesa

9:36 pm on Aug 28, 2003 (gmt 0)

Yes, Verisign or Thawte for the digital cert + SSL enabled/configured on the hosting side.

Once the form is submitted have the script encrypt the email message using PGP or GnuPG. That would take care of the server to client end.

That last leg requires that the client has created a public and private key pair on their side, and the server would use the public key to encrypt the message (never store the private key on the server). Then when the client receives the email they can decrypt it. There are tools and email plug-ins available that handle the client-side decryption and key generation. On the server you'd install pgp or gpg and use something like proc_open() in PHP (or its equivalent in other languages) to interface with it.

Sounds like a mouthful, I know. But hopefully will send you in the right directions.
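The server-to-client leg jamesa describes, as an added example that is not code from the thread or from any of its posters. It assumes (hypothetically) that gpg is installed at /usr/bin/gpg, that the client's public key has already been imported into a keyring under /var/lib/app-keys that only the web server user can read, that the key is addressed by the placeholder fingerprint in RECIPIENT_FPR, and that no private key exists on the host. The form field names and the destination address are likewise placeholders. PHP 7.4 or later is assumed, since proc_open() is given the command as an array so no shell is involved.

```php
<?php
// Added example (not from the thread): receive the application over HTTPS,
// encrypt it to the client's PGP/GnuPG *public* key via proc_open(), and mail
// only the ciphertext. Plaintext is never written to disk or to a log.

const GPG_BIN       = '/usr/bin/gpg';                                // assumption
const GPG_HOME      = '/var/lib/app-keys';                           // assumption: keyring dir
const RECIPIENT_FPR = '0123456789ABCDEF0123456789ABCDEF01234567';  // placeholder fingerprint
const CLIENT_EMAIL  = 'applications@example.com';                  // placeholder address

// Refuse to handle the form unless it arrived over TLS and via POST.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off'
    || $_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(400);
    exit('This form must be submitted over HTTPS.');
}

// Only the fields we expect are forwarded; anything else is ignored.
$fields = ['name', 'ssn', 'email', 'phone'];   // placeholder field names
$lines = [];
foreach ($fields as $f) {
    $v = isset($_POST[$f]) ? trim((string) $_POST[$f]) : '';
    // Strip CR/LF so a value cannot fake extra "fields" in the plaintext.
    $lines[] = $f . ': ' . str_replace(["\r", "\n"], ' ', $v);
}
$plaintext = implode("\n", $lines) . "\n";

$ciphertext = gpgEncrypt($plaintext);
if ($ciphertext === null) {
    http_response_code(500);
    exit('Could not encrypt your application; nothing has been sent.');
}

// The e-mail body is the ASCII-armored ciphertext and nothing else.
$ok = mail(CLIENT_EMAIL, 'New application (PGP-encrypted)', $ciphertext,
           "Content-Type: text/plain; charset=us-ascii\r\n");
echo $ok ? 'Thank you, your application has been sent.' : 'Delivery failed.';

/**
 * Encrypt $data to RECIPIENT_FPR with gpg. The plaintext is passed on stdin,
 * so it never touches the filesystem. Returns the armored message, or null
 * if gpg failed (in which case only gpg's own diagnostic is logged).
 */
function gpgEncrypt(string $data): ?string
{
    $cmd = [
        GPG_BIN, '--batch', '--yes', '--no-tty',
        '--homedir', GPG_HOME,
        '--trust-model', 'always',   // the fingerprint was verified out of band
        '--recipient', RECIPIENT_FPR,
        '--armor', '--encrypt',
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, null, ['GNUPGHOME' => GPG_HOME]);
    if (!is_resource($proc)) {
        return null;
    }
    fwrite($pipes[0], $data);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0 || strpos($out, '-----BEGIN PGP MESSAGE-----') !== 0) {
        error_log('gpg encrypt failed (' . $status . '): ' . trim($err));
        return null;
    }
    return $out;
}
```

Two checks worth keeping when adapting this: pin the recipient by full fingerprint rather than by e-mail address, so a second key someone slips into the keyring with the same address cannot be picked up, and confirm that the keyring directory really holds only the public key (`gpg --homedir /var/lib/app-keys --list-secret-keys` should print nothing).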