I am building a website for a customer who may not be very computer literate. This person knows how to use email. How can I build a website (purely html, javascript) where he can email his latest prices and the website automatically updates itself. I dont think he would be literate enough to FTP file some where. Is it possible?
How to build a secure login page and redirect to order page using only javascript and html?
How to create secure administrative section on javascript/html only website?
I would advise you to create a nice admin web interface, and teach him how to use it. Or, agree some kind of Excel format for product prices, and teach the steps of uploading a csv file. Doing things by email would complicate things in my opinion.
As in the website receives the email as data input? That's probably not going to work very well. Also, if the client is as you imply, expect those emails to be poorly formatted, filled with typos, etc. It's not a very good data entry medium by any means.
The ideal solution would be to build an admin page into the website where the client can enter the information in as controlled a manner as possible, validating the information on the spot rather than through an email (would the server send a reply email for invalid data? that would get infuriating quickly). A simple and intuitive UI should be able to overcome any computer literacy issues he may have.
I don't think this can be done purely in HTML/Javascript. It would need a server component. You would have to set up some sort of POP3 or IMAP listener that polls a mail server for correctly formatted email then dumps that into a database to update the site. Certainly not trivial.
I would build an administration portion of the site to allow the customer to log in and enter the data...no matter how illiterate, they certainly can be trained. ;-)
You could make the mail your prices thing work by just regulary checking a specific mailbox (over POP3 for example).
But that's something you won't be able to do in only pure html / javascript (and consider this: you would also need to store the mailbox credentials in client side code then!)
Email is a store-and-forward, asynchronous transport. You can use it to transport:
plain text (the body of an email)
styled text (the html body of a MIME email)
attached files
But none of those options will work well in your use case. You'd have to try to parse the body of the email if you were looking in the body for update information. -- Bad idea
And if you're using email to transport ordered data such as csv or Excel files, uploading the files directly to the website would enable a much better user interface.
You shouldn't use Excel files either since it will be too complicated for your user--he'd need to get the column (field) names exactly right, the content cells would also need to be exactly right, etc. Eg I use an excel file for input on one of my systems and a constant problem is zip/postal codes since they look like numbers but can have significant leading zeroes. Few users know how to enter them...
Recommendation create a set of web forms in the administrative section of the website. Your customer will be happy and you'll be even happier due to lower volume of support calls.
Related
I have a site with a tool on it. The tool is an HTML form that clients will save a local PDF after filing out. The form works. PayPal can be integrated for payment.
All of the code is run on the client side via javascript. I do NOT want to store any data or credentials on my server.
What I don't understand is how to protect this particular HTML file until someone has paid for it. I was hoping for maybe a randomized string for the file name that lasts 48 hours or something. Just not sure what to search for at this point.
The site backend is node.js and using Foundation CSS if that helps.
Thanks in advance.
If you use a unique/random filename as you mentioned, and have it expire after x amount of time, that will obfuscate, but not protect/secure. Obfuscation is probably more than enough for your needs, but not something that we should be providing as an official StackOverflow answer... so I continue.
It roughly sounds like you have one of those, excuse my wording here, "cheap self-help/how-to/etc pdf for sale that should really be free and probably is somewhere" type of websites. I am sure your product is fantastic and is of the utmost quality, but if you know the sites i'm referring to, and my assumptions are correct, the information below should be helpful.
As far as I understand your needs, you want a version of business logic similar to this:
User fills out form on your site
User gets redirected to paypal, or is "called to action" with a paypal button.
User pays or doesn't pay
User downloads/accesses file only if they paid.
There are a few options you can do:
If every user is getting the same file, the below methods should be similar, but simpler
Ensure you set the CUSTOM value for whatever PayPal payment method you're using to the unique ID you created for the user, and an email address if you can collect that from them. Then use PayPal's IPN to wait until a payment has been received. This IPN notification will have the CUSTOM value for the payment, which is unique per user per payment per file, and you just email them the appropriate file.
Use PayPal's Encrypted Website Payments API to create a secure button (pass BUTTONCODE=ENCRYPTED) using node.js. Secure buttons do not expose the form variables, so the client would never have access to the RETURNURL which is where your secret file is at, so there is no way they can attempt to download it. If they did find some way to decrypt the button, it would have taken them much longer than your 48 hour expiration. Either way, I doubt (no offense intended) users would be this interested in your product.
There are more ways to do this without storing user credentials on your server, but no way to do this without storing some type of data (see: code) on your server.
I have built a very simple website and paid for my .me domain. I have a simple text form for email addresses and a submit button. I would like to upload the email address to my server once the "submit" button is pressed.
I searched the internet but couldn't seem to find any help doing this. I would like the simplest solution possible. Could anyone direct me to the correct resources? Is this a relatively simple task that can be done with only HTML CSS and JS?
Just using HTML, CSS and JS wont do. You need a way of handling what the user is submitting to your server, some sort of a server side scripting language, PHP, Python, Perl, etc.
Here's a PHP sample
if(isset($_POST['email'] && !empty($_POST["email"])){
$email = $_POST['email'];
// save email address code here...
}
I would like to upload the email address to my server once the "submit" button is pressed.
For what purpose? To create a mailing list? The easiest way to do this is to sign up for an account at something like MailChimp or CampaignMonitor. They give you a simple form to place on your site that allows people to enter their email address and submit it to a database. Then, you log in to that third party service to manage the database, send out emails etc. Works very well.
You could try Windows Azure Mobile Services. Create a table to store the data and then you only need JavaScript, thus avoiding any Server Side tech. This is a paid for service of course but you can get a free trial. https://www.windowsazure.com/en-us/documentation/articles/mobile-services-html-how-to-use-client-library/#create-client
What you can do is not save the information to a file, but save it to a Data Base.
You will need to learn PHP and MySQL (the easiest ones, and there is much tutorials about them)(and probably phpMyAdmin as well).
Look for tutorials, if you don'f find a good one, tell me.
I've been looking for better ways to secure my site. Many forums and Q/A sites say jquery variables and HTML attributes may be changed by the end user. How do they do this? If they can alter data and elements on a site, can they insert scripts as well?
For instance I have 2 jquery scripts for a home page. The fist is a "member only" script and the second is a "visitor only" script. Can the end user log into my site, copy the "member only" script, log off, and inject the script so it'll run as a visitor?
Yes, it is safe to assume that nothing on the client side is safe. Using tools like Firebug for Firefox or Developer Tools for Chrome, end users are able to manipulate (add, alter, delete):
Your HTML
Your CSS
Your JS
Your HTTP headers (data packets sent to your server)
Cookies
To answer your question directly: if you are solely relying on JavaScript (and most likely cookies) to track user session state and deliver different content to members and guests, then I can say with absolute certainty that other people will circumvent your security, and it would be trivial to do so.
Designing secure applications is not easy, a constant battle, and takes years to fully master. Hacking applications is very easy, fun for the whole family, and can be learned on YouTube in 20 minutes.
Having said all that, hopefully the content you are containing in the JS is not "mission-critical" or "sensitive-data". If it is, I would seriously weigh the costs of hiring a third party developer who is well versed in security to come in and help you out. Because, like I said earlier, creating a truly secure site is not something easily done.
Short Answer: Yes.
Anything on the users computer can be viewed and changed by the user, and any user can write their own scripts to execute on the page.
For example, you will up vote this post automatically if you paste this in your address bar and hit enter from this page:
javascript: $('#answer-7061924 a.vote-up-off').click();
It's not really hacking because you are the end user running the script yourself, only doing actions the end user can normally do. If you allow the end user on your site to perform actions that affect your server in a way they shouldn't be able to, then you have a problem. For example, if I had a way to make that Javascript execute automatically instead of you having to run it yourself from your address bar. Everyone who came to this page would automatically upvote this answer which would be (obviously) undesired behavior.
Firebug and Greasemonkey can be used to replace any javascript: the nature of the Browser as a client is such that the user can basically have it do anything they want. Your specific scenario is definitely possible.
well, if your scripts are public and not protected by a server side than the Hacker can run it in a browser like mozilla.
you should always keep your protected content in a server side scripting and allow access by the session (or some other server side method)
Yes a user can edit scripts however all scripts are compiled on the user's machine meaning that anything they alter will only affect their machine and not any of your other visitors.
However, if you have paid content which you feed using a "members-only" script then it's safest if you use technology on the server to distribute your members-only content rather than rely on the client scripts to secure your content.
Most security problems occur when the client is allowed to interact with the server and modify data on the server.
Here's a good bit on information you can read about XSS: http://en.wikipedia.org/wiki/Cross-site_scripting
To put it very simply:
The web page is just an interface for clients to use your server. It can be altered in all possible ways and anyone can send any kind of data to your server.
For first, you have to check that the user sending that data to your server has privileges to do so. Usually done by checking against server session.
Then you have to check at your server end that you are only taking the data you want, and nothing more or less and that the data is valid by validating it on your server.
For example if there is a mandatory field in some form that user has to fill out, you have to check that the data is actually sent to server because user may just delete the field from the form and send it without.
Other example is that if you are trying to dynamically add data from the form to database, user may just add new field, like "admin", and set it to 1 and send the form. If you then have admin field in database, the user is set as an admin.
The one of the most important things is to remember avoid SQL injection.
There are many tools to use. They are made for web developers to test if their site is safe. Hackbar is one for example.
We send follow up emails for inquiries on our products and I wanted to track how effective they are.
This is my plan:
Update the url in the hyperlink of the email to include a query string like:
href=http://www.somepage.htm?source=fromEmail
And then track how many visits I get with the query string = fromEmail
My problem is that the page is a .htm and I didn't really want to rewrite it so I'm looking for a javascript counter that can accomodate the query string. Ideally I would like to be able to track the total page hits, as well as the hits that come specifically from these emails. Even more ideally I would like be able to track various information in SQL Server so that the person that requested this could do some reporting on it.
Am I going about this the right way or should I just rewrite it in .net (as we are a .net shop)?
While it is definitely possible to put some javascript on your .htm page that fires an AJAX request that increments a SQL counter table if the source=fromEmail, I would say that it is more reliable to have the server increment this counter when serving up the page.
Having the server do the work when the hit originally comes in will also allow you to track more specific information about the request for the report.
Javascript on emails is a no-no. Outlook by default blocks Javascript, so there goes 50% of your users. Other email systems are not keen on running javascript either. Remember, when you're doing HTML emails, you need to think 1995-vintage HTML. Thanks, Microsoft.
You've got a few (ok, but not great) options:
Include an image file on it. When it gets loaded, count it as a hit. This is how all the major services handle email tracking, with a 1px X 1px white image file that they most often place at the bottom of the page. The obvious problem with doing this is that if they use Outlook's preview pane with images enabled, it counts as a hit that they may not have read. If they read it on Gmail while not unblocking images (set to hidden by default) you've got a real hit that doesn't get recorded. So, either way, your numbers are wrong.
Track link clicks by routing links through your server. You use your server to then re-write urls for the browser to follow. Again, it works well enough, but won't capture the real numbers because only a small percentage of people who get an email actually click a link on them. Here's an example using link tagging with Google Analytics
A combination of the two above. It covers both cases, yes, but could result in double counting one user. You could also hybridize the two by setting a variable on each image that could track back to the source email, then store hits in a DB to eliminate dupes. That's a LOT of work, though.
My company sends (and tracks) thousands of emails daily as part of its core business, and we always encourage clients to do emails with "teasers" that draw them into other websites for the main content. Why? The closer we get a user to the main site, the closer we are to a sale--nobody has ever done an ecommerce transaction solely on email yet (that I know of) Also, it's one heck of a lot easier and offers far more options to do tracking via Google Analytics on a site than it is to track emails. Since you can't reliably embed Analytics in emails, your best bet is to get 'em to a website that can.
I'm working on a website for my county's fair. I want to allow my visitors to be able to ask me questions by inputing their name, email, and comment in a form like this one:
http://lincolnfair.net/images/feedback.JPG
So I guess my real question is how can I send an email (using JavaScript/JQuery) to myself with all these fields as the main body of the email.
You should use a server-side script (e.g. PHP, Python, Perl, etc.). With pure HTML and JavaScript, you can use a mailto form, but this will be very unreliable.
I will suggest uservoice.com , it can integrate with your site nicely, a much more powerful user feedback system, without spending time to code the feedback system yourself
As others have indicated, this is a typical task that can be solved easily using a server-side language. Javascript and jQuery aren't the right tool for this particular problem. To point you in the right direction, use method="post" for your form, and you can access users' submission in a PHP file by examining the $_POST variable. If a <input> element in your form has name="email" in your email, you can access that variable in PHP as $_POST['email']. If you're interested in a PHP solution, look at the documentation for the mail() function.
Jukka has a good guide on How to write HTML forms. It should give you everything you need to produce something functional.
You need a server side component, nothing client side will be a reasonable substitute for that. JavaScript won't help for a form as simple as the one you describe.
The most reliable way will be to use a server side script in your preferred language. The specifics of how to do this are probably outside the scope of this question and would depend upon your language of choice.
Your other option is to set the action of the form as a mailto: which will use the visitors preferred email client to send the email. This will work but is really bad and relies on the viewer having an email client installed and configured.
you can find out more information about the mailto option at http://www.chami.com/tips/internet/010597I.html
Another good option would be a third party site such as www.wufoo.com which handle all of the email business server side for you on their own servers. I believe Wufoo even allow you to embed their forms within your own site.
If you want it to be available on every page, you might want to consider using jQuery and the UI Dialog plugin. You could set it up so that the default feedback is a mailto which gets replaced using javascript with a link that brings up a jQuery Dialog containing the fields you want to collect. This could be submitted back to your server via AJAX and delivered to you via email from the server.
EDIT: Since you've edited your question to indicate a server-side only solution, the above seems somewhat out of context. With others, I would agree that using some client-side code to actually send the email is the way to go (as alluded to above). I think it's preferable to use your own server for this, but I'm sure that you can find many "form to email" services. I would avoid these, unless you want your email addresses harvested for use in SPAM. You might also be able to use a signed applet or ActiveX control for this, again I would not go down that route. As indicated above, I would let the browser handle the interface, but my server handle the sending of the email.
I am not sure i understand your question completely, but if all you want to do is conduct a survey over email, i don't think you need to use jQuery or HTML.
A very simple way to do it is to use the 'Forms' feature in Google Docs.