1

I created a form in HTML and when the submit button is clicked the onclick event calls the following function:

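    function ProcessSubmition() {
        // BuildEmailBody() is defined elsewhere on the page and returns the message text.
        var stringEmailBody = BuildEmailBody();
        var stringTo = document.getElementById("SubmittersEmail").value;
        var stringSubject = "My Subject Text";

        // Percent-encode the subject so its spaces are valid inside the mailto: URL.
        window.location.href = "mailto:" + stringTo
            + "?subject=" + encodeURIComponent(stringSubject)
            + "&body=" + stringEmailBody;
    }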

There are two requirements to my project:

  1. No PHP is allowed on our server.
  2. The person filling out the form must not be able to edit the data which contains a calculated price.

The Problem:

When the function launches, the mail client window appears and displays the message constructed by the function and the user must click the "Send" button in the mail client window.
Unfortunately before the user clicks send, they can simply change the calculated price to a lower dollar amount which obviously is unacceptable.

Is there any way to hide the mail client window and auto-send? Alternatively, is there any other method I could use to solve the problem?

Thank you for any help you can give me.

5
  • 4
    No. You need some kind of server. Commented Apr 26, 2013 at 13:29
  • Given your constraints what you really want to do is have the javascript call a web service on your server which sends the mail. BE WARNED -- if the service uses data from the call to the service then there is NO WAY to stop the user from changing the data if they want to hack your system. Commented Apr 26, 2013 at 13:31
  • 1
    You can't put trusted content client-side; there are any number of ways they can manipulate that information. Commented Apr 26, 2013 at 13:31
  • 1
    “Is there any way to hide the mail client window and auto-send?” – don’t want to be overly rude, but … have you used your brain before asking this? If it was possible – guess how many “ch3ap v1agra!!1” mails my website could send in your name by only having you visit it … Commented Apr 26, 2013 at 13:38
  • CBroe, I have only been learning web programming for two weeks; I have been coding in C# & VB.Net for many years. Your answer really made me think and I have seen the light! I now understand what should be done in JavaScript and what should be done in PHP. I do have my own server, but even if I send a link to the form on my server from the company's web site, the post to PHP is blocked with error 405. I think I will just email the link itself back to the user to bypass the company's web site. What do you think? Commented Apr 26, 2013 at 14:22

1 Answer

1

Short answer: No

The JavaScript code that runs in the context of a browser is client-side code that can be manipulated by the end-users. For that reason, you should never rely on client-side code to perform any sensitive operations.

Basically, you will need some server-side support to do what you are trying to achieve or it will never be secure. Now, if it's dangerous for you that the users can tamper with your code, it would also be dangerous for them if your code could perform tasks such as sending e-mails on their behalf without any form of approval.

Even if you could talk directly to the mail client like you asked and make the email be sent automatically, there's nothing that would prevent users from editing the JavaScript source that generates the message and changing the message content.

Alternative? If you will never be able to use any server-side technology, maybe you could simply send the form details by e-mail and do the pricing calculations in another process afterwards.
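
The point made in the answer and comments, that the price has to be computed away from the browser, shown as an added example (not code from the original post): a function for the server or the later back-office process that recomputes the total from the submitted item selections and never uses a client-supplied total as the price. The price list, field names and sample submission are hypothetical.

```javascript
// Added example: re-price a submitted order on the trusted side.
// PRICE_LIST_CENTS and the field names (items, sku, qty, clientTotalCents)
// are hypothetical; they do not come from the original post.
const PRICE_LIST_CENTS = Object.freeze({ "WIDGET-S": 1250, "WIDGET-L": 2400, "SETUP": 5000 });
const MAX_QTY = 1000;

function priceOrder(submission) {
  const errors = [];
  const lines = [];
  let totalCents = 0;
  const items = Array.isArray(submission && submission.items) ? submission.items : [];
  if (items.length === 0) errors.push("no items submitted");

  for (const item of items) {
    const sku = String(item && item.sku);
    const qty = Number(item && item.qty);
    // Price only SKUs from the trusted list; the own-property check keeps
    // names such as "constructor" from resolving through the prototype.
    if (!Object.prototype.hasOwnProperty.call(PRICE_LIST_CENTS, sku)) {
      errors.push(`unknown sku: ${sku}`);
      continue;
    }
    // Quantities must be positive integers; negative or fractional values
    // would otherwise lower the total.
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
      errors.push(`bad quantity for ${sku}`);
      continue;
    }
    const lineCents = PRICE_LIST_CENTS[sku] * qty;
    lines.push({ sku, qty, lineCents });
    totalCents += lineCents;
  }

  // The client's figure is only compared, never used, so a mismatch can be
  // logged or sent for review.
  const claimed = submission ? submission.clientTotalCents : undefined;
  const mismatch = claimed !== undefined && claimed !== totalCents;
  return { ok: errors.length === 0, totalCents, lines, mismatch, errors };
}

// Constructed sample: the submitter edited the total down to 10.00.
const sample = { items: [{ sku: "WIDGET-S", qty: 2 }, { sku: "SETUP", qty: 1 }], clientTotalCents: 1000 };
console.log(priceOrder(sample));
```
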
