By laken on
Using Drupal 5, I've created forms in my custom module using Forms API. I have a need to put this form on a static HTML page hosted on a non-Drupal site, and have it submit to my Drupal site. How would I go about this? Which URL on my drupal site should the form submit to? Since it's static, do I need to remove the form token in some way?
Thanks in advance.
Comments
Just as a brainstorm, what
Just as a brainstorm, what you could do is create that static form, then have it submit to a custom php script in your directory which calls the Bootstrap. Once you called the bootstrap, you can then enter the values into your drupal database, or call whatever drupal function.
Good idea, but too
Good idea, but too complicated for my case. I have my form and all the form processing, validation, etc already programmed using Drupal's Forms API, so I just needed the mechanics to submit the static form into Drupal's forms pipeline.
Here's what I did
Just solved it - here's all that was required:
Sounds like that makes a
Sounds like that makes a pretty big security hole... hope you know what you're doing. My understanding is you're removing Form API's ability to validate that fields in the form only accept the type/quantity of data that's pre-determined (e.g.without it users can use their own copy of the page or simple tools to tamper with the form and submit unexpected/invalid values). If you're bypassing this security, the book I'm reading (Cracking Drupal) suggests you validate the data yourself in the submit handler. That's about all I know :D so hopefully someone else can assist with more info if needed.
This is a valid concern, but
This is a valid concern, but as I implied above, Drupal doesn't generate tokens for forms for anonymous users, because anonymous pages are usually cached and wouldn't have a unique token anyway. So what I'm doing here is no different than what Drupal does, I'm not bypassing anything. The only reason I needed to remove that hidden token field is that I grabbed the form HTML when I was logged in...
Sounds like a job for a Web service
I'm trying to leverage Drupal's vast codebase in managing submissions from external sites so I'm facing the exact same problem, only on a very large scale.
The conclusion I've come to is that by using a combination of Services/Services API, you can create an intermediate script (like esend7881 mentioned above- the bootstrap) that has unique access (as in API key / IP) to the service, then you post into just it from all over. Well, just because you have this middleware doesn't make it necessarily more secure, in fact quite the opposite. You still have to filter user input, but the choice is presented to roll your own or tie into Drupals. You could choose to cut them all off at the knees because presumably one would not try to harm oneself so red flags get piped into the trash.
At any rate, a combination of .htaccess IP whitelisting of form submissions (limited to english speaking countries where there are no hackers :P), the Services API and a transport Service, the Rules module (for spam checking following creation of the node), custom drupal services code for both saving the submissions and creating form users with unique access to the submissions per form should they not exist per form_id ..... allows me to leverage a really tight system for managing submissions from abroad with everything we need for our clients in a fairly secure way.
I'll have a demo to show shortly. For now it's just a bunch of words tied together in a way that gives the appearance of making sense.