How to correctly deploy a "satellite" form

Question

Against my recommendations to not do it, I have to set up a form that we can hand off to our affiliates and have them put on their site - I have no control over anything once it leaves me, I am hoping that the expertise in this community can give me an alternative approach to this issue. I need to code an unstyled form with the element controls which the affiliate (hopefully) will not change. The affiliate can then set the form up on their site, style it however they need to and submit it to a PHP script on my site that will A) submit it to our database and B)send some of the info to a third party. Is there something I can do with PHP - not an expert but I can usually figure it out. desired flow

The affiliates have varying levels of technical knowledge, most of it to the low end, and there is no common technology being used (we use PHP). Some potential issues

Implementation if affiliates change (for whatever reason) the input ID's and or Names it won't submit into our database
No Client Side validation supplied by me due to their skill level/programming language differences
I cant control ANYTHING on the affiliate sites, I would guess this would leave our database vulnerable?
mainly the user experience, if they submit a form that is invalid and our server side validation catches it, send them back to the affiliate page or to an error message on our site. Since the skill level/technology issue is there I can't expect the affiliates to set up a curl script and process the error message from the form submission script on their site, so I have to send them to an error page on our site. Then the affiliate would loose the lead.

These were the main issues I came up with, Im sure there are others. So I need to have something I can just hand off to the affiliates, they plug it into a page and have it work. Has anyone else had to do this before? Is there a better way to handle this? Possibly an iFrame? Ive never had much use for them due to cross domain security issues. I appreciate any advice and guidance you all can provide. I apologize if the question isn't thorough enough or viewed as well thought out. I will update it upon request. Thanks!

score 1 · Answer 1 · answered Mar 30 '11 at 18:33

1

How about instead of giving the form code to your affiliates, you simply give them javascript--either the code itself or, perhaps even better, a minified javascript file--that will create the form on their site. That way, you could include client-side validation and dictate the layout of the form elements including the ids for the form fields? All the affiliates would need to do would be to add the javascript in the desired location. You could give them some alternatives regarding the javascript; e.g., one for a form to display, one for a pop-up dialog, etc. I don't think this would cause you a cross-site scripting issue if the form's action were your PHP script on your site. Minifying the script would reduce the risk of the affiliates "fixing" it. You could even give them a separate CSS file to style the elements in the form if needed, but that would add complexity for them.

answered Mar 30 '11 at 18:33

linux4me

855
5
11

thanks for the reply! Correct me if I'm wrong (usually am) but if I give them a js file that creates the form won't they have to add the containing element's id in the script? Also I dont see the benefit of giving them a js file that creates the form dynamically as opposed to giving them HTML that they can cut and paste into their page – Dirty Bird Design Mar 30 '11 at 18:37
I don't see why they'd need to add a containing element's id in the script. I may not be understanding the question. The benefit would be that they wouldn't be able to mess with a dynamically generated form like they would an HTML form, especially if the script is minified. You'd also be able to add the client-side validation. It's a bit like a javascript-based ad on a site; some of them use forms just as you describe. – linux4me Mar 30 '11 at 18:52
this is probably due to my ignorance. I usually rely on javascript to simply validate the form, not create it. Do you mean just embed the HTML form tags in the JS? if so don't I still need to append it to some container on their page so it is placed correctly in the layout? – Dirty Bird Design Mar 30 '11 at 18:57

score 1 · Answer 2 · answered Mar 30 '11 at 18:34

1

You could give each client an iframe code to load. This iframe will load something like

You could use the AFFILIATE_ID to style the form a particular way or maybe load a stylesheet that they supply you.

answered Mar 30 '11 at 18:34

Galen

29,976
9
71
89

good idea. thx Galen - is something missing after "This iframe will load something like..."? – Dirty Bird Design Mar 30 '11 at 18:42

score 1 · Answer 3 · answered Mar 30 '11 at 18:35

1

As for validation it's really no different than any other form. Client-side validation is just advisory. You have to ensure the input structure and format in your form processing script anyway.

Then you have two options on how to handle errors. (1) If the business requirements do not forbid it, I would simply make it a full-fledged form handler. If any received $_POST field has errors, print your own pretty version of the form again. Include error messsages right there, and add Clippy (some Javascript helper) to help users fill out the form correctly.

If it's not permitted to show a customized version of the form on your end, then (2) just print the error message. Make it show up for a few seconds and provide an auto-redirect back to the original form on the partner site. It's often even sufficient to provide just:

<a href="javascript:history.back()">back to form on partner site</a>

That way the error is explained in detail, but the user can still go back to the previous form (with everything still filled in).

answered Mar 30 '11 at 18:35

mario

144,265
20
237
291

@mario, the only issue is that the one element they have to change (I forgot to mention in question) is the "referred_by" hidden input. They change that appropriately. If I print out a form on my site is there a way to "_GET" that value and append it to my version of the form. We need that to track where who they signed up with, if it's not included the affiliate won't be credited with the lead. – Dirty Bird Design Mar 30 '11 at 18:45
Sure. It's an ordinary request variable. Wether it comes via $_GET or $_POST makes no difference. You can include a hidden form field alike to preserve the value. If it's a hidden form field, then it will show up in $_POST. If you want it always to be in $_GET then reattach the id to your `
`
– mario Mar 30 '11 at 18:48
If the referring site's URL is sufficient to get the referrer, you could work around that aspect by using $_SERVER['HTTP_REFERER'] in your form processing script. – linux4me Mar 30 '11 at 18:56
I would have to strip it out correct? remove the http://www. and anything from the end back 4 spaces - thats tricky, can do but tricky. so for http://www.domain.com i would just be left with domain – Dirty Bird Design Mar 30 '11 at 19:01
@DirtyBirdD while the Referer is convenient, it is not reliable. Browsers can often be configured to suppress this header. Some company proxies even do it for privacy reasons. – mario Mar 30 '11 at 19:02
yes, i have much experience with it not working by restricting access to files based on the referrer! I think they would have to change the hidden input's value and i would have to _GET it on my form...probably just easier to print the error on a page in my site and then redirect after a couple seconds. – Dirty Bird Design Mar 30 '11 at 19:04

How to correctly deploy a "satellite" form

3 Answers3