I have created a simple website and have a form that asks the user to input their email address to receive future updates from me.
What is the best way to save these emails. I am not anticipating having many so initially thought I could email them to myself every time someone submits theirs. I know how to do this using ASP.Net and Gmail. My questions then are:
1) Is there a way to accomplish this using just html and JavaScript and would this be better than having to use ASP.Net just for this one thing on my site (I haven't looked much into web hosting but I would have thought it would be cheaper to use just html and JavaScript)?
2) Is there a much better way to go about this that I have missed?
Thanks
Rob
Is there a way to accomplish this using just html and JavaScript
No
Is there a much better way to go about this that I have missed?
Use real mailing list software or a third party mailing list service. This will save you from having to maintain the list manually (which is error prone) and (especially if you use a decent third party service) reduce the number of indicators that your emails are likely to trigger in spam filters.
As Quentin mentioned you can't do this solely with HTML and JavaScript. You can either implement this youself (with ASP.net) or use a third party mailing service, which is the better option.
I recommend having a look at mailchimp as they provide an excellent free service and you have the option of embedding a subscription widget on your website or you can always use their API to manage that yourself.
You can't do it with just HTML and JavaScript - the reason is that the data entered is on the client side (i.e. on the user's browser), and you can't ask the user's browser to send you an email. You'd need to have the email submission send the data to your server or a third party server, which can then do what you want with the data.
you should use one of server side Languages i recommend Asp.net you can use This
SmtpClient client = new SmtpClient(mailsmtp);
client.Credentials = new NetworkCredential(mailto, mailpass);
string to = mailto;
MailMessage mail = new MailMessage();
mail.From = new MailAddress(mailto, "Form name");
mail.To.Add(to);
mail.Body = lbl_message.Text + " " + lbl_name.Text + " " + lbl_mail.Text;
mail.Subject = "subj";
client.EnableSsl = true;
client.Port = 587;
mail.IsBodyHtml = true;
client.Send(mail);
Use something like Mailchimp it's very easy to add the sign up box to your site and it's free forever if you have less than 2000 subscribers and send less than 12000 mails per month. It also provides the facility to send great looking emails... If you implement your own system you'd need a way to send the mails, and your ISP may well prevent you mass mailing from your normal email account.
Related
I'm developing a pure javascript app that will run entirely on the client side and MUST BE VERY SECURE.
At the start I need to get a password to decrypt a file, after that I don't need to save it for any future uses.
So my question is: can the window.prompt() be more secure to get this password than write it in a <input> field and retrieve it through document.getElementById().value?
Thanks
No, there is no guarantee of practical difference in security. An injected script could hook window.prompt to intercept anything entered. For example:
// In the attacker's script
const _prompt = window.prompt;
window.prompt = function(p) {
const v = _prompt(p);
alert(`I intercepted ${v}`);
return v;
}
// In your script
window.prompt("Enter your secret password");
You could perhaps take a private handle to window.prompt, but you'd have to be certain that it happened prior to point that a script could be injected.
As far as I know there is no difference as you don't seem to send the form over the network and there is no extra level of security between window.prompt and the browser (where you have to handle the entered password at some time).
As for any other vulnerabilities such as keyloggers, infected packages, weak or wrongly stored passwords, there are very much open to the same risks.
Don't know if I'd use the term VERY SECURE in regards to any javascript application, but well, there you have it.
Edit: Actually, there is one major difference. I don't think there is a way to mask the entry in the window.prompt like you can do with a form input set to type password. If there is no workaround for that, and I don't think there is, given everything else is about the same level of security, the input field is definetly more secure.
https://developer.mozilla.org/de/docs/Web/API/Window/prompt
<button onClick="window.prompt()">trigger prompt</button>
<input type='password'>
I need to send only special Users an Email. That is not a big amount. The Website must send 6 E-Mails a week. I found many solutions. I found this simple solution: https://medium.com/#edigleyssonsilva/cloud-functions-for-firebase-sending-e-mail-1f2631d1022e
When you look at the code, I need to fill out the variables. So I must type in my Email and the Password. As the web is opensource I think that is a very bad way. Do you know other simple solutions or know how to do this without typing in password?
With this solution you are using firebase functions. You most certainly want to set some environmental variables to protect some sensitives data like your gmail password.
You can do this in firebase: go check their documentation right here : https://firebase.google.com/docs/functions/config-env
The doc is going to help you set something like :
{
"mailer": {
"mail":"YOUR GMAIL ADRESS",
"password":"YOUR GMAIL PASSWORD"
}
}
So instead of you password in plain text you'll have this in your code :
'password': `${functions.config().mailer.password}`
Much safer right ?
The web is not open source. If you run a script in the browser then yes, the user can read the code. The example you link, however, runs on the server in response to HTTP(S) requests, and as such is not readable by a visitor.
Hello guys I'm trying to make a web app, basically it delete a row in data base through ajax, but I wonder, is there any way that someone edit the value sent by Ajax?
I have the next code.
$(function(){
$('.eliminar').click(function(){
alert($(this).closest('.contenedor').children('.pregunta').children('.id').text());
});
with this code I receive the id, when we use chrome we can edit html temporally obviously we are not editing the site, I wonder if this way is secure to protect the data base, other wise anybody can edit the id 89 to 64 or 4555 etc.
I hope you can help me.
Regards!
You haven't given much information regarding your server or what framework you are using. Those things will determine some of this.
You will want to setup https on your server. These are some Apache examples:
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
https://www.digicert.com/ssl-certificate-installation-apache.htm
And
Authenticate your request with, on the server you will want to have a check for authentication prior to allowing any changes. How this will actually work will depend on your framework and server.
beforeSend: function (xhr) {
xhr.setRequestHeader ("Authorization", "Basic " + btoa(username + ":" + password));
}
Reference:
How to use Basic Auth with jQuery and AJAX?
Yes. A user can edit that field.But you should never expose rest API for deleting any sensitive or generic data to any guest user.Expose only for authenticated user. If you are exposing some APIS for the guest user as well it would be good to mask sensitive info before presenting it to the client.
If you give power to delete stuff in your database to an authenticated user
then it is easy.
All users authenticated will have session cookies (something unique that identifies them when they are authenticated.)
You collect that in the server then you will know that it is them.
In your backend you should construct an authentication system which decides which user can do something or don't. You can restrict them from somethings or allow.
If you give power to delete stuff to guest users or any user.
You can write an API on top of your database operations and you only expose the right part of it to guest users.
The v2 reCaptcha has some dramatic improvements over previous iterations. When first implemented (using PHP verification btw) all it asked from my users was to check a box. Then after a few form submissions, it asked for a user to identify some images, then after a few more form submissions it asks the user to verify multiple image challenges.
Does anyone know of a way to completely turn off/ disable manual image challenges in the google recaptcha API? i.e. I want them to ONLY check the JS checkbox - like the first few times the form was completed.
I know it kind of defeats the purpose, but I'm prepared to deal with a little bit of spam if traded for a much better user experience.
I've tried:
turning off the js by adding https://www.google.com/recaptcha/api.js?manual_challenge=false (dug up the line from some old API settings)
https://www.google.com/recaptcha/api.js?fallback=false (alternative 'true' just forces a non JS version)
https://www.google.com/recaptcha/api.js?data-type=none (a shot in the dark based on their display options)
I am assuming google monitors the implementation and changes the UI intelligently. In my instance many requests from the same IP address looks like a bot and therefore requires better verification. However, it is just a single user re-submitting the same form a number of times. What I'd like to do is override this to use the minimum security always.
Google's reCaptcha assumes that each time you're challenging someone, you suspect that they're a bot, so if they have already passed a challenge, the next challenge gets progressively harder.
Thus, only challenge someone when you think they might be a bot, such as the first time they submit the form, or if they're not authenticated to your site. Once Google tells you that the user is safe, trust them unless/until you have reason to suspect that user again.
The PHP $_SESSION superglobal is probably your best bet, but as with all sessions, be certain that you're following best practices (session name fingerprinting, token entropy, session fixation attacks, mixing insecure and TLS sessions, etc.)
The way I would handle it is, when a user first successfully passes a CAPTCHA challenge, do not challenge them again.
The example below is based on the code provided by Google in their example: https://github.com/google/recaptcha/blob/master/examples/example-captcha.php
<?php
if (empty($_SESSION['isCaptchaVerified'])) {
$recaptcha = new \ReCaptcha\ReCaptcha($secret);
$resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);
if ($resp->isSuccess()) {
// verified!
$_SESSION['isCaptchaVerified'] = true;
} else {
$errors = $resp->getErrorCodes();
}
}
...
?>
<form action="/" method="post">
...
<?php if (empty($_SESSION['isCaptchaVerified'])) { ?>
<script type="text/javascript"
src="https://www.google.com/recaptcha/api.js?hl=<?php echo $lang; ?>">
</script>
<?php } ?>
</form>
This will:
Check if the user has passed a challenge before
Present the challenge if $_SESSION['isCaptchaVerified'] is not set or falsey
Not present any challenge if $_SESSION['isCaptchaVerified'] is truish
(See the PHP manual entry on empty() for what constitutes truish and falsey in this context).
Go to your admin console in google where you set up recaptcha for the site. Click on advanced settings, reduce the security preference to the least.
Solved
I have a facebook sign up and login button build using js sdk. I want to store user response into a database, but I cant get the userID or User.email with classic asp.
Sometimes it works, sometimes not, can't find pattern.
var email=response.email;
var fbid=response.id;
var fbname=response.name;
var fbbirthday=response.birthday;
var fbhometown=response.hometown.name;
document.getElementById('fbmail').value = email;
document.getElementById('fbid').value = fbid;
document.getElementById('fbname').value = fbname;
document.getElementById('fbbirthday').value = fbbirthday;
document.getElementById('fbhometown').value = fbhometown;
You can use classic ASP to get all of that information server-side. You would need to build your own framework to wrap up the HTTP Get/Post/Delete commands to the Graph API. But to accomplish getting that basic user information should be fairly straight forward once you have nice wrappers around those three HTTP verbs.
A quickie solution would be to FORM post those values back to the server. I assume you have https, so security shouldn't be an issue.