
Help with NMS FormMail.pl

NMS FormMail.pl blocking html out field

         

Randal

4:23 pm on Nov 27, 2007 (gmt 0)


I’m using NMS FormMail.pl script (NMS FormMail Version 3.14c1) to power the order form on my site. Works great. There is one thing though that I’ve been trying to configure (modify) without success. The script outputs a success page HTML output for each input named field. Since I am using the script for an order form, one of the named fields in the order form is for the credit card number (name="card_number"). I am looking for a way to make the script so that it will not output the card_number in the success HTML page output. This is so that the customer can review their final order without the card number being published. Can anyone please help me figure out how to do this?
I have little knowledge of perl so posting actual code examples would be a great help.
Thank you.

rocknbil

6:57 pm on Nov 27, 2007 (gmt 0)


Welcome aboard Randal, I don't know that I have very good news for you.

What you've revealed in this post is that you are emailing credit card information. Although your page is likely to be on a secure server, email is not secure. Anyone can attach a covert listening device to any one of the thousands of miles of wires, or hack a server and sniff the plain data being transferred, and steal this credit card information.

Even if you think this is secure, the credit card companies will not. Any merchant that uses non-PCI Compliant methods to capture or store credit card information can be liable for charges in arrears as well as hefty fines for violation of their original merchant agreement, which invariably outlines restriction on capture and storage. So if the answer is "well, this is what the customer wants to do" I say to you, it's your responsibility to inform them of the gravity of the situation.

To address the original problem, I don't use free scripts but it should be a simple thing to find the print loop and do something like:

if ($form{'credit_card_info'}) { next; }

But this is the least of the problems here. Sorry to bear bad news.

Randal

9:00 pm on Dec 4, 2007 (gmt 0)


Hello rocknbil,
It’s taken me a few days to reply back to you because we have simply been swamped in orders. Internet security is not my line of expertise. So, just the thought that our process might not be secure was definitely a red flag. I really do appreciate your input. It made me question our setup enough that I called my web host to confirm that we have everything set up right. Fortunately, they confirmed that we are doing everything right and everything is fully secure!

As for your suggestion on the code, I tried to apply this but am not getting close to making it work. The following is the code snippet from the script of the section that handles the html success page. Could you please provide any more detailed help to achieve blocking a specific name field from printing on the success page? Your help would be greatly appreciated.

<start code snippet>

=item success_page_fields ()

Outputs success page HTML output for each input field.

=cut

sub success_page_fields {
    my ($self) = @_;

    foreach my $f (@{ $self->{Field_Order} }) {
        my $val = (defined $self->{Form}{$f} ? $self->{Form}{$f} : '');
        $self->success_page_field( $self->escape_html($f), $self->escape_html($val) );
    }
}

=item success_page_field ( NAME, VALUE ) {

Outputs success page HTML for a single input field. NAME and VALUE
are the HTML escaped field name and value.

=cut

sub success_page_field {
    my ($self, $name, $value) = @_;
    print "<p><b>$name:</b> $value</p>\n";
}

<end code snippet>

Thank you,
Randal

phranque

7:52 am on Dec 10, 2007 (gmt 0)


welcome to WebmasterWorld [webmasterworld.com], randal!

try something like this:

sub success_page_fields {
    my ($self) = @_;

    foreach my $f (@{ $self->{Field_Order} }) {
        next if ($f eq 'card_number');
        my $val = (defined $self->{Form}{$f} ? $self->{Form}{$f} : '');
        $self->success_page_field( $self->escape_html($f), $self->escape_html($val) );
    }
}
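
The same skip, generalised, as an added example that is not part of the thread and not NMS FormMail's own code: one field is dropped from the success page and another is shown with only its last four digits. DemoForm is a stand-in object that reuses the Field_Order, Form and escape_html names from the snippet above; the card_cvv field and the %HIDE and %MASK tables are assumptions, and the sample submission is constructed.

```perl
use strict; use warnings;
package DemoForm;   # stand-in for the FormMail object; not the NMS code

# Assumed field names: one dropped from the page, one shown masked.
my %HIDE = map { $_ => 1 } qw(card_cvv);
my %MASK = map { $_ => 1 } qw(card_number);

sub new {
    my ($class, $order, $form) = @_;
    return bless { Field_Order => $order, Form => $form }, $class;
}

sub escape_html {
    my ($self, $s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

# Replace every digit except the last four with '*'; spaces and dashes stay.
sub mask_value {
    my ($val) = @_;
    my $digits = () = $val =~ /\d/g;      # number of digits in the value
    my $seen = 0;
    $val =~ s/(\d)/ $seen++ < $digits - 4 ? '*' : $1 /ge;
    return $val;
}

# Returns the HTML instead of printing it, so the result can be inspected.
sub success_page_fields {
    my ($self) = @_;
    my $html = '';
    foreach my $f (@{ $self->{Field_Order} }) {
        my $key = lc $f;                  # field names may vary in case
        next if $HIDE{$key};
        my $val = defined $self->{Form}{$f} ? $self->{Form}{$f} : '';
        $val = mask_value($val) if $MASK{$key};
        $html .= sprintf "<p><b>%s:</b> %s</p>\n",
            $self->escape_html($f), $self->escape_html($val);
    }
    return $html;
}

package main;
# Constructed sample submission using a test card number.
my $form = DemoForm->new([qw(name card_number card_cvv)],
    { name => 'A <Customer>', card_number => '4111 1111 1111 1111', card_cvv => '123' });
print $form->success_page_fields;
```

This only changes what the success page displays; the submitted values are still present in the form data that the script goes on to process.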

Randal

11:09 pm on Dec 10, 2007 (gmt 0)


OUTSTANDING!

That did the trick.
Thank you so much for your assistance and time. I really do appreciate it.
Thanks,
Randal