CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.


Topic: Defending Standalone Profile Forms

Denver Dave

Defending Standalone Profile Forms
December 20, 2007, 04:37:20 pm
I'm looking to implement standalone forms on public pages. With other forms that submit emails that I've implemented (non-CiviCRM or Drupal related), I've had to defend against hacking using special codes in fields that I didn't expect, as well as spammers submitting the forms repeatedly. (It amazed me that my form could be hijacked when I hard-coded the to: address in the PHP, but they did, and I implemented the standard defense against special characters used to hijack email forms.)

Are similar measures in place with CiviCRM standalone forms or do we need to implement the defenses?  Where would I find the processing script for the standalone form?

<my drupal site>/index.php?q=civicrm/profile/edit&gid=2&reset=1

I'm trying to review records created by the standalone forms by assigning the new records to a special group (which is a good idea).  However, looking at the form, I see a hidden field:
<input name="group[18]" type="hidden" value="1" /> - if this is the group I'm assigning, then anyone copying and hacking the form could circumvent my group review.

Looks like double opt-in is not an option, and I'm not sure that we need it anyway in most cases, but that is a defense used by some sign-up form processes (www.phplist.com, www.limesurvey.org).

What are others doing with standalone forms and how are you defending them?
« Last Edit: December 20, 2007, 04:42:06 pm by Denver Dave »
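As an added illustration of the three concerns raised above (not CiviCRM's own code, and written in Python rather than PHP): a submission handler that ignores the client-supplied group[18] field and assigns the review group from server-side configuration, rejects CR/LF in values that would reach mail headers, and throttles repeat submissions per source address. REVIEW_GROUP_ID, the field names and the throttle limits are assumed values.

```python
import re
from collections import defaultdict, deque

# Server-side configuration: the review group is fixed here, never read from the form.
# 18 mirrors the hidden group[18] field quoted in the post; assumed value.
REVIEW_GROUP_ID = 18

# Fields the public form is allowed to populate (assumed names).
ALLOWED_FIELDS = {"first_name", "last_name", "email"}

# CR, LF or NUL in a value that lands in a mail header lets a submitter append
# extra headers such as Bcc:, which is how the "hijacked to: address" trick works.
HEADER_INJECTION = re.compile(r"[\r\n\x00]")


class RejectedSubmission(ValueError):
    """Raised when a POST body fails validation."""


def sanitize_submission(posted: dict) -> dict:
    """Build the contact record to store from an untrusted POST body.

    Unknown fields, including any group[...] entries a copied form might send,
    are dropped; header-injection characters cause rejection; the group
    assignment comes from server configuration only.
    """
    record = {}
    for name, value in posted.items():
        if name not in ALLOWED_FIELDS:
            continue  # group[18]=0, group[99]=1 and friends are ignored
        if HEADER_INJECTION.search(value):
            raise RejectedSubmission(f"control character in {name}")
        record[name] = value.strip()
    if "@" not in record.get("email", ""):
        raise RejectedSubmission("missing or invalid email")
    record["groups"] = [REVIEW_GROUP_ID]
    return record


class Throttle:
    """Sliding-window limit on submissions per source address (in-memory demo)."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit, self.window = limit, window_seconds
        self.history = defaultdict(deque)

    def allow(self, addr: str, now: float) -> bool:
        q = self.history[addr]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget submissions outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```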

Kurund Jalmi

Re: Defending Standalone Profile Forms
December 20, 2007, 09:17:10 pm
You can use captcha for profile in create/edit modes. This feature is not available for Standalone mode. Check Advanced Settings for Profile.

kurund

Denver Dave

Re: Defending Standalone Profile Forms
March 03, 2010, 04:39:05 pm
CiviCRM is very strange sometimes. Let me first say that CiviCRM is by far the largest and most impressive open source application that I've ever been involved with.

.... On the other hand, I'm not sure if we are running the application differently than others, but it seems very odd that sometimes what seem like basic functionality issues don't seem to be an issue for other CiviCRM administrators.

We use CiviCRM to manage contacts - now over 8,000. It seems very strange that every single one of them had to be manually keyed in - either into CiviCRM directly or into spreadsheets and then uploaded. Don't others have a need to capture new supporters from online forms? None of the new supporters will be registered users - we don't know them yet. When placing the online form to allow automated capture of contact information on public websites, we have to defend the form against spammers - especially if the form is directly linked to our database. Don't others have this issue?

Perhaps I'm not understanding what a stand-alone form really is. We have it working from third-party websites, especially now with 3.1.3, which we are testing. Can a form NOT be "stand-alone" if it is on a public Drupal page? Somehow, I think we are not using CiviCRM up to its potential.

Ideas! Should we adjust our thinking?
« Last Edit: March 03, 2010, 10:18:42 pm by Denver Dave »

Dave Greenberg

Re: Defending Standalone Profile Forms
March 03, 2010, 09:39:47 pm
Dave - this may be a semantics issue. The URL you have is a 'built-in' profile URL which does support including reCAPTCHA for protection. Just enable it by configuring it under Global Settings and then enabling for any given Profile via Advanced Settings for that profile.

<my drupal site>/index.php?q=civicrm/profile/edit&gid=2&reset=1

If you are simply having anonymous visitors add contact records - you should use civicrm/profile/create&gid=2 etc.

Kurund was referring to HTML Snippet mode for profiles (which we used to call 'Standalone'). Since this is a static HTML form, it doesn't support reCAPTCHA. If you want to capture folks from other (non-Drupal/Civi) sites, it might be best to just give them a big button / link to the CiviCRM-rendered profile forms.

Denver Dave

Re: Defending Standalone Profile Forms
March 03, 2010, 11:26:41 pm
Well, isn't that interesting. So a standalone form means running the form from a third-party website.

Running as an anonymous user works fine using the CiviCRM link, and the Captcha works, but it is hard to understand. But that's a different discussion.

Thanks for explaining how the anonymous user profile really works.

Dave
