secure forms
I need to make a form that is secure. Is there anything I need to put in the code? Or do I just need to contact my service provider. The form is cgi.
Suzanne posted this at 02:33 — 23rd March 2002.
She has: 5,507 posts
Joined: Feb 2000
You need a secure server to have a secure form. thawte.com has more information on that.
rosco posted this at 23:27 — 25th April 2002.
They have: 7 posts
Joined: Mar 2002
So if I have a secure web server my cgi normal form script doesn't have to change. Right?
Suzanne posted this at 23:31 — 25th April 2002.
She has: 5,507 posts
Joined: Feb 2000
Well, no. It depends on what you are trying to do. All a secure server does is make sure no one catches the data from the client to the server. It doesn't do a thing for malicious hacking that people do by entering say, a script, into a text area in your form.
Suzanne posted this at 23:34 — 25th April 2002.
She has: 5,507 posts
Joined: Feb 2000
You really need to make sure the form has some sort of testing of the strings that are passed through it to prevent that sort of thing -- depending on the language you are using, there are different ways, but they are all basically using some sort of regular expression to test the value.
In addition, it's usually helpful to use client-side validation of the data as well to help the user enter the right data (assuming non-malicious intent).
Then, make sure the form can only be processed from a particular page or server, so people cannot copy the page to their hard drive and send malicious data from there.
I'm sure there are more tricks and tips, but that's what comes to mind off the top of my head.
If I know more about what you are doing, I can perhaps offer more advice.
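A server-side check of the kind described in the post above, written here as an added Perl example (it is not code from this thread): an allow-list regex and length cap per field, refusal of fields the script does not expect, and a comparison of the Referer header against the page the form lives on. The field names, patterns and the order-page URL are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Allow-list rule per field: a strict pattern plus a length cap. A value that
# does not match is refused outright; no attempt is made to "clean" it, since
# stripping markup from a hostile string is much easier to get wrong.
my %RULES = (
    name    => { re => qr/\A[A-Za-z][A-Za-z .'-]*\z/,                          max => 60  },
    email   => { re => qr/\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/, max => 254 },
    qty     => { re => qr/\A[1-9][0-9]{0,2}\z/,                                 max => 3   },
    comment => { re => qr/\A[A-Za-z0-9 .,!?'()\r\n-]*\z/,                       max => 500 },
);
my %OPTIONAL = (comment => 1);

# Page the form may be submitted from (hypothetical URL). In a CGI script the
# value to compare is $ENV{HTTP_REFERER}; the browser supplies it, so this only
# stops casual copies of the page, not someone who sets the header themselves.
my @ALLOWED_REFERERS = ('https://shop.example.com/order.html');

# Returns a list of error strings; an empty list means the submission passed.
sub validate_fields {
    my ($fields) = @_;
    my @errors;
    for my $name (sort keys %RULES) {
        my $val = $fields->{$name};
        if (!defined $val || $val eq '') {
            push @errors, "$name: missing" unless $OPTIONAL{$name};
        } elsif (length($val) > $RULES{$name}{max}) {
            push @errors, "$name: too long";
        } elsif ($val !~ $RULES{$name}{re}) {
            push @errors, "$name: contains characters that are not allowed";
        }
    }
    # Fields the script does not expect are refused as well.
    for my $extra (sort keys %$fields) {
        push @errors, "$extra: unexpected field" unless exists $RULES{$extra};
    }
    return @errors;
}

sub referer_ok {
    my ($referer) = @_;
    return defined $referer && grep { $_ eq $referer } @ALLOWED_REFERERS;
}

# Constructed sample submissions, not real customer data.
my %good = (name => "Jane O'Brien", email => 'jane@example.com', qty => '2', comment => 'Gift wrap, please.');
my %bad  = (name => 'Jane <b>Smith</b>', email => 'jane@example.com', qty => '0', debug => '1');
print "good: ", (join(', ', validate_fields(\%good)) || 'accepted'), "\n";
print "bad:  ", join(', ', validate_fields(\%bad)), "\n";
print "referer: ", (referer_ok('https://shop.example.com/order.html') ? 'accepted' : 'refused'), "\n";
```

A rejected submission should be dropped with an error page, not mailed onward; the checks above decide whether the rest of the script runs at all.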
rosco posted this at 03:06 — 26th April 2002.
They have: 7 posts
Joined: Mar 2002
Basically I just want a cgi/perl script for a simple order form that asks for a credit card number. Do you know of a script that I can use?
Suzanne posted this at 03:22 — 26th April 2002.
She has: 5,507 posts
Joined: Feb 2000
*sigh* there is so much more involved. Do you have a merchant account? How are you processing these credit cards? How are you transferring the information (stored on the server = bad, regular email = bad)? Do you have a secure server? Have you secured the form? Are you using a processor, or a shopping cart, or what?
rosco posted this at 03:27 — 26th April 2002.
They have: 7 posts
Joined: Mar 2002
The form will be accessed through email. There is no credit card processing. It's basically an email form that is secured.
Suzanne posted this at 03:35 — 26th April 2002.
She has: 5,507 posts
Joined: Feb 2000
You are endangering your customers. You should, at the very least, pass the information through secured email as well on a secure server (with a digital certificate). No less is required for safe data transfer.
rosco posted this at 03:40 — 26th April 2002.
They have: 7 posts
Joined: Mar 2002
It will be put on a secure server. I guess I am confused as to what cgi/perl code to use. If I put a basic form script on a secure server is it secure?
Suzanne posted this at 03:49 — 26th April 2002.
She has: 5,507 posts
Joined: Feb 2000
No, it's not, because a basic form script doesn't test the input robustly from the user. If you don't know how to do this, then have someone do it for you. Taking chances here will ultimately harm you and your customers.
For more information, I recommend you post in the Server-Side Scripting forum about how to make a cgi/perl form check for bad data.
The Webmistress posted this at 07:18 — 26th April 2002.
She has: 5,586 posts
Joined: Feb 2001
Why are you wanting to collect credit card information if you are not going to process it? The downfall with collecting information which is then just emailed to you is that the email is not secure!
Julia - if life was meant to be easy Michael Angelo would have painted the floor....
Brian Farkas posted this at 23:07 — 26th April 2002.
They have: 1,015 posts
Joined: Apr 1999
You might consider using a secure server, ENCRYPTING the CC data they enter before it gets emailed to you, and then decrypting it from a program on your computer. Because the private key will be only on your server and computer, it will make it very difficult to crack.