tags:

views:

74

answers:

5

I've recently found a web site where the email address is included within hidden tags in an HTML form. Is this bad practice, and why, other than the stealing of mail addresses?

A: 

Where what email address?

The email address the form will get submitted to? It isn't very clean, but there is nothing terrible about it. (If the server-side form handler doesn't check the email address against a whitelist then it is an invitation to spam relay, and that is terrible.)

The email address the user entered on the previous page? No problems, this is just maintaining state, and it can't be stolen - only the user who entered it in the first place will get to see it. (This half of the answer removed in response to comments)

David Dorward
The mail address is static in the hidden field, not entered by the user.
Roland
+1  A: 

It's just a way of keeping track of the email address that must be required somewhere. Since they can't figure out by themselves your email address, I suppose that you entered it in the system before, so I wouldn't call that stealing.

As for practices, I'm not a big fan of hidden fields since they are so easy to change, but they can do the job if needed. Of course you need to have all sorts of data validation on the backend; treat hidden fields as if they were user inputs.

marcgg
What's the practical use of the hidden field to store a constant value if one is going to validate its contents?
ANeves
@sr pt: Maybe it's not constant, maybe it comes from a previous step/page.
marcgg
+2  A: 

It is an alternative to using the session to store the email value for a certain purpose.

Hanseh
+3  A: 

It's a bad practice.

A malicious user can use a tool like Firebug to change the hidden field's content.
He can then use your form to spam or send anonymous emails, as an example.

ANeves
Plus, spambots can grab the email address from page source.
BalusC
+2  A: 

Assumably, a field called "to" contains the email address of the organization being contacted. Since this doesn't vary by customer, it shouldn't be part of the form; it should be part of the form's target script.

Even if the "to" email is somewhat variable (say a limited list of webmaster, technical service, sales, complaints dept, etc.), the form should not contain the target email. It should contain a dropdown send-to list where the option values are integers that are used by the script to determine which email address is appropriate. Aside from security concerns, an option list like the one described is easily generated from an array. So changes to your email list are easy to make.

Keeping the email address off the contact form helps prevent misappropriation of your form for spamming. And it also keeps your email address(es) private from webscrapers.

dnagirl
+1, though not necessarily an int list - it'd be easier to read with a list of strings, as an example: "admin"; "salesRep"; etc.
ANeves
@sr pt: I meant like this: `<option value='1'>webmaster</option>`. Readability is not sacrificed and validating an integer is easier and cheaper than validating a string.
dnagirl
@dnagirl: pardon for not being clear, I really meant `<option value="wm">webmaster</option>` - so that when one read (or wrote) the code that handles the selected value one could easily remember (or deduce) the meaning of the value.
ANeves
@sr pt: I can see what you mean. I usually keep my email address list in an array (either static or populated from a db), so the integer id is either the array index or the PK (or both). If I'm using a static array, the emails sent are the same except for address. If I'm using a db, then the differences in email processing are coded according to the values of other fields for the email record. Either way, I don't need to know what the value means. I only need to know that it is valid.
dnagirl
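The contrast the answers above draw, as an added example that is not code from the thread: a handler that trusts a hidden `to` field next to one that keeps the address table server-side and maps a short option value to it, rejecting anything not in the table. The `DEPARTMENTS` table, the `dept`/`subject`/`message` field names, the addresses and the injected `send_mail` callable are all assumptions made for the example.

```python
"""Contact-form recipient handling: hidden 'to' field vs. server-side lookup.

Added example, not from the original thread. The department table, field
names and addresses are constructed for illustration.
"""
from html import escape
from typing import Callable, Mapping, Optional

# Server-side table keyed by the short option value the browser sees.
# Only the keys and labels ever reach the page; addresses stay on the server.
DEPARTMENTS = {
    "wm": ("webmaster", "webmaster@example.invalid"),
    "sales": ("sales", "sales@example.invalid"),
    "support": ("technical service", "support@example.invalid"),
}


def resolve_recipient_vulnerable(form: Mapping[str, str]) -> str:
    """The pattern the thread warns about: whoever edits the hidden 'to'
    field (e.g. with a browser dev tool) picks where the mail is delivered."""
    return form["to"]


def resolve_recipient(form: Mapping[str, str]) -> Optional[str]:
    """Treat the posted 'dept' value as untrusted input: it is only a key into
    DEPARTMENTS. Unknown or missing keys yield None instead of an address."""
    entry = DEPARTMENTS.get(form.get("dept", ""))
    return entry[1] if entry else None


def render_dept_options() -> str:
    """Generate the <select> options from the same table, as dnagirl suggests,
    so the markup never contains an email address."""
    return "\n".join(
        f'<option value="{escape(key)}">{escape(label)}</option>'
        for key, (label, _address) in DEPARTMENTS.items()
    )


def handle_contact(form: Mapping[str, str],
                   send_mail: Callable[[str, str, str], None]) -> bool:
    """Deliver the message only when 'dept' maps to a known recipient.
    Returns False (and sends nothing) on an unrecognised value."""
    to = resolve_recipient(form)
    if to is None:
        return False  # reject; worth logging as a validation failure
    send_mail(to, form.get("subject", ""), form.get("message", ""))
    return True
```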