How to make a form secure?

Hi, Ive searched the forums quite a bit, seen several posts about SSL, but none are really answering my quesiton:

My client has a from that their client has to fill in. Some of the fields are banking details which my client has to use to activate a debit order on their client's account. For this reason, my client is concerned about the safety of their clients banking details and asked me: "Can you make the form secure?"

So this is it: is there a way to make the form secure while the client is filling it in?

Kind regards,
Riaan Eloff

Hi Riaan,

As far as I know if the page is set to use an https URL then ChronoForms will use SSL.

However there are no special security settings in ChronoForms. You would be well advised to make sure that the Security Tokens are set on and that data is carefully validated and saved in encrypted form as far as possible.

Bob

Ah, thanks for the quick reply Bob, much appreciated.

My problem is: much of what you said sounds very much like Greek to me... ;-)

This is why I was asking about it...my issue is more a "how to" exactly...i.e.: press this button, select that option, enter this detail into that space.

What I do realize from what you are saying is this: it appears that my issue is not so much a ChronoFroms methodology or "how-to" issue, but rather a general knowledge-about-SSL issue, which leads me to believe that I need to start searching for education about what SSL is, how exactly it works and is implemented on a website using Joomla! etc.

The reason I say this is because you say: if the page uses SSL chronoform will use SSL, so my assumption is that I need to do something in Joomla! to make the chronoforms page secure (SSL encrypted, I assume?), and chrono will follow suit automatically, in a sense?

Cheers

Hi Riaan,

My knowledge of SSL is pretty basic. Fredrik (nml375) knows much much more than I do and hopefully will give you a better answer. (There are some existing threads on this but from several months ago now.)

I think that you need an SSL certificate - usually available through your ISP or one of the web 'Trust agancies' and you may need an extra module enabled in your site setup somewhere. Then any data transferred through URLs prefixed with https will be encrypted.

Wikipedia may well tell you much more.

Bob

Hi Riaan,
As for implementing the HTTPS/SSL layer, that's done within the web server software, and (virtually) transparent to the underlying CGI application (in this case, PHP, which then runs Joomla).

Start with entering the address to your site, but prefix it with https:// instead of http://
That will tell your browser to try and access the site using an encrypted connection, and if your server has been set up properly, you should see your website just as usual.

If you don't see your webpage, or get various warnings, then the server is not properly setup to handle HTTPS for your domain, and you'll probably have to get in touch with your service provider.

Once your server is setup properly and certificates are in order, the next step would be to head for the menu manager in Joomla. You should edit any and all links heading to your Form(s), and make sure you set the "SSL Enabled" System Parameters is set to yes. This will ensure that these menu-links will always start with https:// regardless how the user entered the webpage.

As an extra "safety", you could add something like this at the top of your form html code:

<?
  $application =& JFactory::getApplication();
  $url =& JFactory::getURL();

  if ($url->getScheme() != "https") {
    $url->setScheme('https');
    $application->redirect($url->toString());
  }
?>

That should force the browser to redirect to the secure form, should the user try to access the unsecure one.

/Fredrik

Hi Bob, thanks for the reply again.

After reading your post, and replying, I popped over to hostgator (I'm a hosting reseller with them). Asked about SSL and they referred me to some knowledge base articles and details on how what & where. Gonna be working through that now, and suspect that I'll then be able to at least make the page secure. If all works well, that'll answer my question. If I run into any issue at that point, I'll scream and shout this way again ;-)

Thanks for the assistance.

Ahh, See Bob beat me to it on this one😉
Nevertheless, feel free to ask further if you get stuck anywhere in the process.

One thing you might also care to think of, is the security/integrity of the submitted data once it's processed by ChronoForms. Sending such details through Email is at best reckless, in some cases in violation of laws®ulations. Depending on the details, you might also need to strengthen the security of the Database storing the data.

/Fredrik

I have personal ssl certificates installed in root folder of site on Linux server. Web host says I need to put any forms I want ssl protected in that folder. How do I do this with the form I made with Chronoforms? My knowledge of php is rudimentary at best.
Thanks,
Scott

Hi Scott,
To me, it sounds like you'll have to copy your Joomla installation to that folder.

/Fredrik

Thank you for your quick reply.

Can you be more specific? Do you mean the public_html folder? Would that put the whole site under https? We would just want the forms to be https I would think. This is my first time through with both setting up the form and now using ssl certificates.

Scott

Hi Scott,
Yes, that would make the whole site available through https. The thing with Joomla, is that there isn't a separate php-file for each page. Instead, most files are instead library files, components, and so on - which fetch the actual content from the MySQL database and generates the "pages" on the fly. Thus, there's no single php-file containing one of your forms, and ChronoForms depend on many of the library files of Joomla further.. You could try and only pick the bits'n'pieces that are used for rendering the form, though I would most certainly recommend against it - you'd probably end up with 90% of the code or more in the end anyway if you are displaying any menus, modules, etc on the form page...

/Fredrik

Hi Fredrik,

Thanks for clarifying this. I agree, I don't want to try to hunt and peck.

So you wrote, "that would whole site available through https." If I understand correctly that means not necessarily available through https. How would I then have the form go through https or would the whole site be https?

Thank you for your patience.

Scott

Hi Scott,
The entire site would generally be accessible through both http and https. Generally, any link on the site will retain the http or https protocol. Further, in the menu controls you'll find a setting to force a page or menulink to be presented as https. Also, with ChronoForms, you can easily add a piece of php-code to check whether the user tried to load the form through http or https - effectively preventing the form from rendering and/or passing the Serverside Validation if it's not https..

/Fredrik

Hi Fredrik,

I will look where you suggested.

I checked with web host (Brinkster). The tech said I would just drag the public folder, containing the site, into it's sibling in the root, named 'secure.html'. That it would take a long time.

When I asked him about whether site could be found via http and not https and also how to make sure forms were sent via https and that folks sending would be assured of this, he sent me this link to information on redirects: http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html

Not sure yet which of these I might need. I'll need to study both what you sent and the info at the link above. I have a sense some of what you mentioned in Joomla and Chronoforms will take care of this. If so, even more kudos.

Any more thoughts you have on this of course more than welcome.

Great thanks.

Scott

Hi Fredrik,

in the menu controls you'll find a setting to force a page or menulink to be presented as https.

Is this under 'menu item' > 'parameters (system) > 'ssl enabled' > 'yes, no ignore'?

Thanks,
Scott

Hi Scott,
Yes, that's the one. A word of caution or to clarify my previous post: This will make certain that the menu-link on the page is https, however, it will not prevent a user from copying the link URL and manually remove the "s".
If it is imperative to force a user to use htps, rather than "recommend", then you'll need some slight costomized code. You could adapt some of those htaccess rules, or use 3-4 lines of php-code in your form. I believe I posted such a piece of code some time ago, but I'll see about posting an example later tonight.

/Fredrik

Hi Fredrik,

Is it this code from one of the first posts in this thread?

    <?
      $application =& JFactory::getApplication();
      $url =& JFactory::getURL();

      if ($url->getScheme() != "https") {
        $url->setScheme('https');
        $application->redirect($url->toString());
      }
    ?>

Your earlier post makes more sense now.

Rather than drag the site folder over to the 'secure' folder, I think I'll backup then copy it to that folder.

Thanks,
Scott

Hi Scott,
Yes, that was the post I was thinking of.. guess I should've checked this post first😉

/Fredrik

Hi Fredrik,

Copied site into 'secure' folder in root. Pasted the above code, as is, into the Chronoform html, just under the title.

After I entered return I receive a blank page in the browser. Was there something I should have changed in the code?

The page when http changed to https brings back a security warning:

helprofessionals.com uses an invalid security certificate.

The certificate is only valid for the following names:
*.brinkster.net , brinkster.net

(Error code: ssl_error_bad_cert_domain)

Thanks again for your patience.

Scott

Hi Scott,
That means there is something wrong with the certificate, or the wrong certificate is in use. Your web-hoster should be able to provide further assistance with this.

/Fredrik

I'm chatting with them now. The code was okay as copied?
Scott

Hi Frederik,

I copied the whole site folder, Public.html, into 'secure' folder. What I need to do is copy the material out of the public folder and into that folder. I'll do this using ftp.

Here's the exchange,

Tech: I see that you copied all of the public_html folder insided the secure_html. You need to copy the content inside the Public_html out of that folder and place directly in the secure_html.

Basically you need to have all the files inside the secure_html folder without the public_html folder being there.

me: Okay. What's the most efficient way to get there from here?

Tech: You will need to use FTP to drag the files out of the public_html folder into the secure_html.

I write all this for others who may stumble along this way.

Scott

Hi Frederik,

I copied out as instructed and site works okay. However, when I used the form link I received the same certificate error. Turns out we had added a new site name; I was going through an old link and the old site name is not covered by the certificate. Using new name it works.

This raises another issue. What to do about the old name. Normally it redirects to the new name.

Here are some options that occur to me:
[list]1. Delete the old name
2. Buy another certificate for it
3. Redirect it to new https[/list]

Of the three the latter seems best.

Q's: Are there overlooked options I should consider? If option 3 is best, what are some ways to implement that?

Thanks,

Scott

Hi Frederik,

Another security concern is raised by you comment earlier in this thread,

One thing you might also care to think of, is the security/integrity of the submitted data once it's processed by ChronoForms. Sending such details through Email is at best reckless, in some cases in violation of laws®ulations. Depending on the details, you might also need to strengthen the security of the Database storing the data.

As it stands now - as I understand it - Chronoform emails the data entered on the form to the person who will process it. SSL will not be covering that, right? If this is correct, what measures would you suggest I take to more securely get that data to her?

Thanks,

Scott

Hi Scott,

I copied out as instructed and site works okay. However, when I used the form link I received the same certificate error. Turns out we had added a new site name; I was going through an old link and the old site name is not covered by the certificate. Using new name it works.

This raises another issue. What to do about the old name. Normally it redirects to the new name.

Here are some options that occur to me:

1. Delete the old name
2. Buy another certificate for it
3. Redirect it to new https

Of the three the latter seems best.

Q's: Are there overlooked options I should consider? If option 3 is best, what are some ways to implement that?

Those are roughly the options you've got. One concern with option three however, is that the redirection is done after the ssl handshake has been done. As such, very strict browsers might still complain or show a warning to the visitor.

As it stands now - as I understand it - Chronoform emails the data entered on the form to the person who will process it. SSL will not be covering that, right? If this is correct, what measures would you suggest I take to more securely get that data to her?

If you choose to email the form data (which is optional), this will be unencrypted, and not covered by the SSL layer. There are, however, functions to encrypt emails using PKI (Public Key Infrastructure). You'll have to do all the mailing manually for this though, as ChronoForm does not implement this code.

Storing the data in the database instead is usually "safer", in the sense that the database server is most likely housed on the same logical net. This reduces the risk of eavesdropping, though the connection to the DB server is usually not encrypted. You still have to face the issue of granting the operator access to this data in a secure manner.

/Fredrik

Hi Fredrik,

Thank you again for clarifying the issues. Perhaps if I explain the situation it might help as I'm not seeing quite how to do the last option you mentioned.

The site is for a business where therapists make home visits. Anybody can refer someone for services.

Later when we have this process working I'm sure we'll also being using it for the therapists to send in other information. Currently documents are being downloaded, printed out, filled out then faxed in.

So there are folk out in the internet sending in private info to an administrative assistant who processes it.

Scott

It's late for me here for me, Fredrik. My latest reply stands. However, on re-read, it seems to me that this might be how that would work:
1. Folk would enter data into the db via the form.
2. Notice would be sent to the admin assist.
3. She would go into the db and retrieve the info.

If this is the better of the options for this business, would you clarify some of the points - or point me in the direction of finding them (btw, I have Bob's book on order - when will it be published?)?

For step 1, where in the form do I set it so the data stays there and in what state?
Step 2, suggestions for setting up notification;
Step 3, How to make this process non-tech friendly. We got the email results just the way she loved them.

Scott

Hi Scott,

First off, the book is due any day now . . . getting hard info from Packt is next to impossible though. I signed off on the book text, the code bundle and various other things last week. I'm told that the final pdf has been uploaded so I assume that we are in the queue waiting for their web people to do the updating or maybe for them to approve proofs from the printers.

From what I understand of what you wrote her I'd create a ChronoForms + ChronoConnectivity app. I'd use a ChronoConnectivity list with restricted acccess to provide the database info to the admin and add some actions for her through ChronoForms.

Bob

Thank you, Bob, for the book update and pointing me in the direction ChronoConnectivity app. I've wondered what that is; time to go find out.

Will there be info about this in your book?

Scott

I've installed ChronoConnectivity and have begun setting that up.

Along with that I've changed the email option. That was sending completed form info successfully.

Following the tutorial on sending data to the database all seems to work okay. However, when I 'view the record' I do not find any of the data that I've entered in the form. Same result when I back up to Excel or csv.

Am I missing a setting somewhere? Seems like I need to do this before using CC.

Scott

PS Here's info from screen post submitting:

Home
Form passed first SPAM check OK
Form passed the submissions limit (if enabled) OK
Form passed the Image verification (if enabled) OK
Form passed the server side validation (if enabled) OK
$_POST Array: Array ( [Clients_name] => scott test [Date] => 1/1/1 [DOB] => [Street_address] => home 12324 [City] => san diego [State] => ca [Zip] => 92131 [Telephones] => 858-610-3488 [textfield] => [textfield2] => [Referred_by] => [rPhone] => [Agency_Name] => [Social_Security_Number] => [Insurance_Info] => [Medicare_Number] => [Effective_Date] => [Other_Insurance] => [Primary_Physician] => [Telephone_Number] => [psychiatrist] => [psTelephone_Number] => [Reason_For_Referral] => [Clients_Support_System] => [Psychotropic_Meds] => [insurance_verification] => [CLINICIAN_ASSIGNED] => [acceptancedate] => [REQUEST_FOR_PSYCHIATRIST] => [psydate] => [notes] => [Submit] => Submit [074402fe859f2595d7801e9a06a3dd85] => 1 [1cf1] => b4d7f7c25a75ccac0f3fc2d8f7866f85 [chronoformname] => referral_sheet )
$_FILES Array: Array ( )
Form passed the plugins step (if enabled) OK
Debug End

Hi scott1137,

You don't say which parts of the input info are beign saved or not being saved. The usual casue of this problem is that you didn't select all the bars in the Create Table dialogue. **green** bars are selected, **red** bars are not selected (the UI is really bad).

Bob

Hi Scott,

ChronoConnectivity is a sister product to ChronoForms that lets you display a list of entries from a database table. It is fairly easy to add quite sophisticated filters and column sorting and links to let you view or edit more detailed records.

ChronoConnectivity didn't make the book - there was a chapter in the original outline but it got squeezed out by the overall page limit. Maybe next winter I'll get to write the CC book.

Bob

Hi Bob,

Have been enjoying tinkering with ChronoConnectivity. Still need to get this table things st right first.

I see now the green check in the red means to enable - not that it's enabled.

Q: How to safely undo the table I've set up - I'm paranoid about losing the form. I tried creating a table from a copy of the form and received this error telling me the table was already there.

Error while creating table :Table 'jos_chronoforms_referral_sheet' already exists SQL=CREATE TABLE `jos_chronoforms_referral_sheet` (`cf_id` INT(11) NOT NULL auto_increment, `uid` VARCHAR(255) NOT NULL, `recordtime` VARCHAR(255) and so on

Scott

Hi scott1137 ,

You can drop a table from PHP MyAdmin or from the ChronoForms Tables Manager. Won't do any harm to the form - but you will lose any saved data.

Bob

Thanks. Done successfully.

Filled out form with data. No data comes through, at least when I look at Excell, csv exports, and did a search for data entered using phpmyadmin. The table headings all there from the form; no data.

Scott

Hi Scott,

You need to refresh the DB Connection after any changes to database column names. In the Form Editor click the DB Connection tab and set the Connection to 'No'. Click the 'Apply icon in the toolbar to save the form, open the DB Connection tab, set the Connection back to 'Yes' and re-save the form. This will refresh the copy of the table information that ChronoForms uses.

Bob

Should I have re-dropped the table first?
This time I received,

You are not allowed to access this URL

I'm still logged into admin.
Scott

Hi Scott,

The two shouldn't be connected. What's the URL you see when you get that message?

Bob

Bob,

I went through the create database steps from beginning after dropping table and refreshing. Lost that url.

Now, I'm getting a blank return with this url:
http://helprofessionals.com/index.php?option=com_chronocontact&task=send&chronoformname=referral_sheet

Scott

Hi Scott,

Please set Error reporting to Maximum in the site Global Configuration and see if you get a useful error report.

Bob

Now I can't log into Joomla - says I don't have admin privileges.
Can get to database via phpmyadmin.

As I wrote I have access to the database via myphp. Also have access to site files via ftp. I backup site so have a local copy. However, I've made quite a few changes since then.
recent posts. Any suggestions where I might look to get privileges back? Must be something in one of the data tables, I'm guessing.

Scott

Bob or Frederik,

Ran a sql query per instructions here:http://docs.joomla.org/How_do_you_recover_your_admin_password%3F
and received this error:

SQL query:

INSERT INTO `jos_core_acl_aro`
VALUES (
NULL , 'users', LAST_INSERT_ID( ) , 0, 'Administrator', 0
);

MySQL said: Documentation
#1146 - Table 'scott4a.jos_core_acl_aro' doesn't exist 

This suggests this table may have been dropped. If so, can you suggest how would I replace that table from my backup?

Thanks,

Scott

Hi Scott,

This is starting to sounds serious. You shouldn't have lost this table through anything you did with ChronoForms unless you dropped the wrong table by mistake?

If you open the backup you should find a long SQL List - you'll need to look for the section that creates this table and post it into PHPMyAdmin, iT will look something like this

--
-- Table structure for table `jos_core_acl_aro`
--

CREATE TABLE `jos_core_acl_aro` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `section_value` varchar(240) NOT NULL DEFAULT '0',
  `value` varchar(240) NOT NULL DEFAULT '',
  `order_value` int(11) NOT NULL DEFAULT '0',
  `name` varchar(255) NOT NULL DEFAULT '',
  `hidden` int(11) NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`),
  UNIQUE KEY `jos_section_value_value_aro` (`section_value`(100),`value`(100)),
  KEY `jos_gacl_hidden_aro` (`hidden`)
) ENGINE=MyISAM AUTO_INCREMENT=16 DEFAULT CHARSET=utf8;

--
-- Dumping data for table `jos_core_acl_aro`
--

INSERT INTO `jos_core_acl_aro` VALUES (10,'users','62',0,'Administrator',0);

You may possibly have other tables missing or damaged.

Bob

Thank you, Bob.

Yes, I'm thinking I must have dropped it by mistake.

I will do this tomorrow when I'm fresher.

Could you say a bit more about what you mean by

post it into PHPMyAdmin,

?

Scott

Hi Scott,

Basically - click the SQL tab, paste in the code, then click 'Go' and check for any error reports.

Bob

Thank you, Bob, for the clarification.

Now to get out my PHP/MySQL text to help me recall how to use my XAMPP with the local file.

Need to go out for a meeting; will get back at this in 1/2 day and update.

Many thanks,

Scott

That worked!!!

The 3 exclamation points are because of the three days of researching and posting elsewhere - I'm spoiled by yours and Frederik's responsiveness - and discovering on my own I can open the .sql folder in text editor and copy/paste as you instructed. Piece of cake, took seconds (now that I know).

Now where was I...

Many thanks.

Scott

Back to Aug 19th, where you wrote

Hi Scott,

Please set Error reporting to Maximum in the site Global Configuration and see if you get a useful error report.

Bob

In response to

Post by scott1137 » Thu Aug 19, 2010 11:44 am
Bob,

I went through the create database steps from beginning after dropping table and refreshing. Lost that url.

Now, I'm getting a blank return with this url:
http://helprofessionals.com/index.php?o ... rral_sheet

Now I do not get a blank page but get this:

Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /sites/xxx/yyyy/home/public_html/components/com_chronocontact/chronocontact.php(53) : eval()'d code on line 31

Fatal error: Call to a member function bind() on a non-object in /sites/xxx/yyyy/home/public_html/components/com_chronocontact/libraries/customcode.php(71) : eval()'d code on line 13

[xxx & yyy are not actual site data]

Thanks,

Scott

Bob,

Also found these messages in Forms manager:
[code]
Warning: file_put_contents(/sites/xxx/yyy/home/public_html/administrator/cache/9b8ac9887872716cae1ceea4dea3bd58.spc) [function.file-put-contents]: failed to open stream: Permission denied in /sites/xxx/yyy/home/public_html/libraries/simplepie/simplepie.php on line 8666

Warning: /sites/xxx/yyy/home/public_html/administrator/cache/9b8ac9887872716cae1ceea4dea3bd58.spc is not writeable in /sites/xxx/yyy/home/public_html/libraries/simplepie/simplepie.php on line 1779

Warning: file_put_contents(/sites/xxx/yyy/home/public_html/administrator/cache/9b8ac9887872716cae1ceea4dea3bd58.spc) [function.file-put-contents]: failed to open stream: Permission denied in /sites/xxx/yyy/home/public_html/libraries/simplepie/simplepie.php on line 8666

Warning: /sites/xxx/yyy/home/public_html/administrator/cache/9b8ac9887872716cae1ceea4dea3bd58.spc is not writeable in /sites/xxx/yyy/home/public_html/libraries/simplepie/simplepie.php on line 1779[code]

Scott

changed security settings on simple pie folder and to simplepie.php to 777 with no change.
Scott

Hi Scott,
The simplepie messages are related to the tip of the day. Disable that in the ChronoForms setup, and they'll go away.

The other messages suggests that you've got a space in one of the tablerow colums of your database, as well as in your form. You'll have to change that into a _ (or remove it completely), both in your form and database table, then refresh your DB connection in your form (disable DB connection, apply, enable DB connection again, save).

/Fredrik

Thank you, Fredrik.

Fredrik,

I'm not finding the place to disable simplepie.

Both of these error sets are new since the recent dropped table fiasco. The form sould have been untouched but then I'm really new to databases...

Scott

Hi Scott,
Look for the icon "Settings" to the far right of the main Forms Manager (right next to the backup forms and restore form icons). This should open a new window (shadowbox) with a few settings. One of these is "Show Tip of the Day", make sure this is disabled.

The form input causing the trouble is the "REQUEST FOR PSYCHIATRIST" - you'll have to alter that in your form code. Also, using phpmyadmin, locate the database table you connected to your form. Check if there is a table field name like that. If there is, use the edit button (looks like a pencil) for that field and alter the table field name to match the one in the form.

Once both the form and the database table is fixed, refresh the DB Connection in your form as mentioned earlier.

/Fredrik

Hi Fredrik,

Found a number of spaces in one of the values in the form code and repaired that.

Looking at the database via phpMyadmin, it all looks okay - not able to find the space.

"jos_chrono_contact" is only one that shows up when I search for nearby values.
"jos_chrono_referral_sheet", the form, has no records in it.

When I browse the first in phpMyadmin there is no space; the second is not browsable this way.

I did learn a little about using command line once but it's been a while...

Oh, just saw your message that came out as I wrote this.I send this in case there's something helpful in it while I do what your wrote.

Scott

Yes! That got it.

There were no errors in the chrono_contact but were in the c_referral_sheet table as well as the form.

By the way, In English in my version of Joomla there a tab on the right that's called 'Parameters' instead of Settings which did what you described.

Many thanks to you and Bob for your patience and responsiveness.

Now on to whatever I need to do next with Chrono Connectivity but I need a breather first...

Scott

Hi Bob, Frederik,

When I backup a record with csv it works. When I backup with Excel (Office 2007), I get this error:

<b>Warning</b>:  tempnam() [<a href='function.tempnam'>function.tempnam</a>]: open_basedir restriction in effect. File() is not within the allowed path(s): (/sites/xxx:/tmp:/usr/lib/php:/var/www/html) in <b>/sites/xxx/yyy/home/public_html/administrator/components/com_chronocontact/excelwriter/PPS/File.php</b> on line <b>87</b><br />

This probably a function of something in Excel and not a show stopper but for completeness thought I'd pass it along. However if it means there's something wrong with my Joomla or ChronForm set up please let me know.

Scott

Hi Scott,
A long story made short, the ExcelWriter library needs to use some temporary files during the creation of the excel-document. Unfortunately, it tries to create this file in a directory the web server won't permit.

A fix would be to call the setTempDir() method of the $xsl-instances at admin.chronocontact.php:1590

        $xls =& new Spreadsheet_Excel_Writer();
        $config =& JFactory::getConfig(); //Get the set of configuration parameters..
        $xsl->setTempDir($config->getValue('config.tmp_path')); //.. and set the ExcelWriter temppath accordingly.
        $xls->setVersion(8); // this fixes the 255 limit issue!🙂

/Fredrik

Hi Frederik,

What does the ":1590" refer to in

admin.chronocontact.php:1590

Are you writing about the chronocontact.php file? I show only 137 lines in it.
Scott

Hi Scott,

It the file in the administrator/components/com_chronocontact folder (which is around 2,800 lines).

Bob

Thanks, Bob.

Did first run of Connectivity with this form and received:

Notice: Undefined offset: 1 in /sites/xxx/yyy/home/public_html/administrator/components/com_chronoconnectivity/admin.chronoconnectivity.html.php on line 658 uid

in each of the horizontal header boxes (replace "uid" in this example with the appropriate label for each of the others).

Wish your ChronoConnectivity book were out.

Scott

Bob, Fredrik,

Regarding the Excel problem: inserted code prior to similar code and also replaced the four lines of code with your work around. Neither changed anything.

Thanks for your patience (should add this to my signature)
Scott

re: ChronoConnectivity results notice, here is the code from line 658

	}else if(thisitemtype == 'cf_fromemail'){
theitem.empty();

The code looks the same as others nearby except for the "cf_fromemail." I've searched database for it and ones like it in other expressions. No luck.

Looking elsewhere in the file where it shows up it seems to be part of the emailing of the form, no? But I have that turned off.

Scott

Hi Scott,

Hmmm . . . not sure why you have switched to looking at ChronoConnectivity files? I though this was a ChronoForms question?

Bob

Hi Bob,

This thread has been long with some side tracking - hopefully educational for others who may stumble across similar issues...

To refresh...
After I got the ssl straightened out these was this discussion around the (in)security of using email reporting,

As it stands now - as I understand it - Chronoform emails the data entered on the form to the person who will process it. SSL will not be covering that, right? If this is correct, what measures would you suggest I take to more securely get that data to her?


If you choose to email the form data (which is optional), this will be unencrypted, and not covered by the SSL layer. There are, however, functions to encrypt emails using PKI (Public Key Infrastructure). You'll have to do all the mailing manually for this though, as ChronoForm does not implement this code.

Storing the data in the database instead is usually "safer", in the sense that the database server is most likely housed on the same logical net. This reduces the risk of eavesdropping, though the connection to the DB server is usually not encrypted. You still have to face the issue of granting the operator access to this data in a secure manner.

/Fredrik

From what I understand of what you wrote her I'd create a ChronoForms + ChronoConnectivity app. I'd use a ChronoConnectivity list with restricted acccess to provide the database info to the admin and add some actions for her through ChronoForms.

Bob

My goal for this phase is the form will deposit the form data into the database, report to the admin assist that there is a new entry and present her with a user-friendly but secure way to retrieve what she needs.

I'm not at all clear how to get ChronoConnectivity to do this but am hopeful that by following the tutorial and with the forums support I'll get there. The output quoted in yesterday's post was from my first run at using ChronoConnectivity, following the tutorial.

Best,
Scott

Hello?

Bob, you wrote earlier in the thread,

I'd create a ChronoForms + ChronoConnectivity app. I'd use a ChronoConnectivity list with restricted access to provide the database info to the admin and add some actions for her through ChronoForms.

Would you (or Fredrik, or any viewer)
1. suggest next steps more concretely.
or
2. point me in the direction of an app like you described so I might use it as a tutorial?

I'm a beginner at php and databases.

Thanks
Scott

Hi Scott,
Regarding the Excel export: The two lines to add in my previous post should retrieve the tmp_path site setting, and instruct the ExcelWriter library to use that as a temporary directory. This is usually set to /tmp or /path/to/public_html/tmp. Leaving this unset should let "tempnam()" use the system temporary directory instead. Looking at the error message, either location should be within the open_basedir restrictions.

Regarding ChronoConnectivity: This is probably due to a mis-match between the "Data View Fields Names" and "Data View Columns titles" settings on the "Admin Settings" tab. There has to be one title for each field name you've selected in the list.
Also, the line you posted is unfortunately from the wrong file (I believe you were looking at the ChronoForms code there).

Next step:
I take it you've got your ChronoForms Form up'n'running, storing data to your DB table? Did you also setup/modify the email template to send a notice to your data administrator(?)
How far have you gotten setting up your ChronoConnectivity application?

/Fredrik

Hi Fredrik.

I'm in the middle of running about to meetings today so here's quick answer and will pursue the issues in the first two of your paragraphs a little later.

Yes, Chronoforms form is running and sending data to database. I only disabled the email option. It did not occur to me to use that to send her notification. Will look into how to do that as next step.

re: ChronoConnectivity - I took my form info and used that to follow the tutorial for CC. That output is what I reported. Not sure if this is what you meant by "setting up the CC app." This is the area that's least clear to me.

Thanks,
Scott

Fredrik,

Here's the code from line 658 of the correct file, I believe:

<?php echo JHTML::_('grid.sort',   $Columns_title, $Columns[$counter], @$lists['order_Dir'], @$lists['order'] ); ?>

Regarding ChronoConnectivity: This is probably due to a mis-match between the "Data View Fields Names" and "Data View Columns titles" settings on the "Admin Settings" tab. There has to be one title for each field name you've selected in the list.

Title doesn't need to match case or anything, right? Just match up number-wise?

edit: it's late here but I count one more "column titles" than "field names" but haven't found the culprit yet. Will use fresher eyes in the am.

Thanks,
Scott

Hi Fredrick,

Looking under the Admin settings tab in the box to the rights of "Data View Fields Names: there are 35 in the list.

Looking in the same area to the right of "Data View Columns titles:" there are also 35 values.

There was a space between a comma and one of the values which I removed to no avail.

The info bubble in the Data View Fields name area says there needs to be commas between fields. No commas show in that box (they are listed vertically) but no way I can see to add or edit in that box.

Thanks,

Scott

Hi Scott,
Matching up in numbers should suffice - The "titles" entries are merely used for visual representation.

The info for the "Data View Fields" is alittle outdated, you should simply mark all of the Field names you'd like to be shown in the admin "show data". For each field you've marked in the list, there should be one entry (or label) in the "Data View Columns titles" input, each value separated with a comma (,).

/Fredrik

Hi Fredrik,

I believe I've done that. for now I want all fields to show, including 'cf_id' and 'u_id' as I'm not sure whether we'll need those two. Maybe the problem in the first one (cf_id) as it did not have an error message in it's box in "Show Data."

If so, how would I not use it - or any other field/value I decide to not show in the "Show Data" output?

I'm also unclear about what you mean by "mark." Do you mean something like informally note on a print out?

Thanks,

Scott

Hi Scott,
Try clicking one or more of the items in the list, and you should see the background change (most browsers shows it as blue, I believe). In order to mark several items, you might have to hold down ctrl, or select a range by clicking the first item, then press and hold shift while clicking the last item.

/Fredrik

Hi Fredrik,

I can do this with the Column Titles list.

With the Data Field Names list I can highlight any, some, or all of the items but cannot edit or copy them.

If I delete an item from the column titles list will that cause a mismatch of number or title to names or both?

I am using FireFox 3.6.8 in XP pro.

Thanks,

Scott

Hi Fredrik,

I removed "cf_id" from the list of column titles and re-ran.

Now the show data sheet with the error is the same except the first column is dropped and now what was the second column shows no errors and they start with the next as before.

Scott

Hi Fredrik,
You asked recently,

Did you also setup/modify the email template to send a notice to your data administrator(?)

Yes, that's done. At least a test one that goes to me. Easy enough to make it so it goes to her and include direction reminders for her get get logged on. The data access specifics, of course, will be conveyed to her more securely.

So looking at the bigger picture what remains is:
1. getting the table names stuff we're working on solved;
2. setting up secure and simple access for her to download these records;
3. making sure I have the forms sheets routing through the the 'secure' folder on the server.

That seem about right? If so it's seeming so much more do-able than a few days ago.

The owner approached me last night after a meeting to let me know she has more forms she wants to use the site for ;0). Hope the forms book gets published soon.

Scott

Hi Fredrik,

I can do this with the Column Titles list.

With the Data Field Names list I can highlight any, some, or all of the items but cannot edit or copy them.

If I delete an item from the column titles list will that cause a mismatch of number or title to names or both?

I am using FireFox 3.6.8 in XP pro.

Thanks,

Scott

Highlighted == selected..
You are not supposed to edit that box, just select (highlight) the table fields you'd like to include in the admin data view..
For each selected (highlighted) field, you also need a "Title" - which you enter into the column titles box.
If you enter more titles than you have selected (highlighted) in the "Field Names" box, you get the previously mentioned notices.

If you check the attached image, you'll see that I've selected three table columns from the many available, and also added three titles for them. When I then visit the Data View link in the admin end, I see a list of all records, with the contents of these three table columns...
[attachment=0]admin-data-view.JPG[/attachment]

/Fredrik

Thanks, Fredrik. I guess I need pictures sometimes.

Getting closer. I cleared out the table names then hightlighted I field (name) and entered that followed by a comma; Then same with a second (date).

Results in Show Data:
Name column - has dates of the various records entered
Date Column - is grayed out and column header has the same error message above the blue Date title:

Notice: Undefined offset: 1 in /sites/xxx/yyy/home/public_html/administrator/components/com_chronoconnectivity/admin.chronoconnectivity.html.php on line 658

I am beginning to get a feel for what ChronoConnectivity can do and appreciate that.

Scott

Hi Fredrik,

Trying to track the offset....

Here's code from body:

<hr>
<p>
<strong>(name)</strong><br>
{field_name} <!-- shows the current row data for this field --><br>
{new_record} <!--will show a create new record link for authorized users--><br>
{edit_record} <!--will show edit record link for authorized users--><br>
{delete_record}<!--will show a delete record link for authorized users--><br>
{introtext}
<hr>
<maintext>
<br><br>
</p>

Thanks,
Scott

Hi Scott,
No, you should not select one item, enter one title, select a new item (deselecting the previous one), enter a new title, etc... There is no events or other actions tied to (de)selecting items or entering text in the titles field..
What is selected, and what is entered at the time you hit the save/apply-button is what is finally used..

The Body section:
If you are talking about the "Body" input on the "General" tab, then this is not related in any way with the backend/admin data view, where you get the notices about offsets..
The Header, Body, and Footer input on the "General" tab are used for building a custom Frontend view. The same applies to all the other settings on this tab, except for the actual database table connected.
Further, the selected columns on the Admin Settings tab will have no effect whatsoever as to what is shown on the Frontend view. Here, you use the {name} placeholders to display the different values as you see fit...

/Fredrik

Thanks, Fredrik.

That was too easy.

So, the 'Show data' is for back end use. Thanks for clarifying that also. I had a sense that is how it worked but was fuzzy about it.

Help me understand a little more about this. Will I want to have the data administrator - the owner's assistant who has office but not database or website skills - access her data from the front end or back end? Seems like it could be either. Is it a security issue? That is why we're doing it this way in the first place.

How would she access this data securely and as simply as feasible? I want to avoid a steep learning curve as she seems chronically overworked and it looks like there may be lots of data coming her way both via this form and others in the works.

Best,

Scott

Hi Scott,
Both the admin and the frontend data views are equally safe as long as you use SSL. However, accessing the admin backend does require elevated privileges, and the frontend view does provide a finer control of which group(s) and user(s) should have access and/or create/edit/delete privileges.

This said, most people would probably go for the frontend version, as a non-admin really shouldn't be using the admin backend of Joomla. Also, it is trivial to add a menu link to the actual CC/data view in the frontend, making it integrate well into the site.

/Fredrik

Thanks, Fredrik.

You wrote, "Also, it is trivial to add a menu link to the actual CC/data view in the frontend, making it integrate well into the site."

Good. Will work with this and with setting up the front end so it makes sense to her.

Best,
Scott

Q - setting permissions in ChronoConnectivity (or using any of those windows where when you click in it the background turns yellow while your choice is blue):

How do you make more than one noncontigous choice?

Example: I want to change permission level Amy and Susie in the alphabetical list. Bob and Larry are listed between. I can't seem to select just the two. Do I Select Amy, click apply, then select Susie?

Also, is there somewhere to check permission levels for these components? I don't see that in user manager?

Thanks,
Scott

Hi Scott,

It's the usual Windows conventions (possibly Mac too). Shift+click to select a block, Control+click to add or remove individual selections.

Bob

Hi Scott,

Just adding that I agree completely with Fredrik. Keep application admins in the front-end as far as possible. It's much safer and easier to control.

By using a combination of menu items and redirection you can create a fairly simple and painless experience.

For example I use ChronoConnectivity to create a list with 'Edit' links visible only to the admin. The edit link opens a form and when the form is submitted the user is redirected back to the list again.

Bob

Thank you, Bob.

This is not the first time I've realized I need to use keyboard more than mouse.

Downloaded your book this morning (the billing email from Packt did not inform me it was ready for download - I went to my account there when I saw by your signature it was out. I was expecting an email with a download link).

At first glance looks like with it's help I'll be on top of these form issues: great detail, clearly presented. Thank you.

Looking forward to the ChronoConnectivity book. This Winter?

Best,
Scott

Hi Scott,

I apologise on behalf of Packt - though I have zero influence over their systems :-(

I'm probably going to do the ChronoConnectivity book - assuming Packt will let me - I think that there probably needs to be a small new release first though to make a couple of things work more easily. Maybe next winter.

Bob

In Connections Management When I click on the link to my referral sheet form I get, "You are not allowed to access this page!" on the site page that comes up.

"Show Data" and "Name" links work. I've setup permissions for myself individually and as administrator. I am logged in as Administrator with superadministrator privileges.

What am I missing?

Thanks,
Scott

Add: I click on "publish" and get a slightly different response:

Referral Sheet Record
You don't have suffecient [sic] view permissions to view this page
Powered By ChronoConnectivity - ChronoEngine.com

Scott

Hi scott,

Very hard to say without seeing the form/listing or at least the URLs.

My guess is that the first message is something to do with the URLs, the second is probably the ChronoConnectivity permission settings.

Bob

Bob, here's url of last message: http://4qw2.sl.pt
or, http://helprofessionals.com/index.php?option=com_chronoconnectivity&connectionname=ReferralSheet

Will snap some pics and add them in a bit.

Scott

First time screen shot upload so apologies if over-sized, etc. Feedback appreciated.

Also not sure what you're asking to see in a screen shot. I having seen the front end listing myself. That's what I was attempting when I ran in to the permission problem.

Scott

Hi Scott,
The "You don't have sufficient view permissions to view this page"-error means that you did not set things up properly on the Front End Settings-Tab. Or more to the point, you did not grant your usergroup or yourself permissions to view the Connection, or you did not logon to the front end to gain proper privileges (keep in mind, that though you might be logged onto the admin page, you might still not be logged onto the front end).

/Fredrik

Hi Fredrik,

I did grant the permissions per Front End Settings so it must be a problem with logging in to the front end which I haven't done - ever.

There is no log in showing. I know this is a Joomla issue but if it's a short answer, how do I do this or get around it?

Thanks,

Scott

Hi Scott,
Add the login module to one of the module positions (and enable), then use it to logon.

/Fredrik

Thank you, Fredrik. Logging in locally did it.

Got me further:


Why no records showing?



Scott

Hi Scott,
Most likely, you don't have any table columns in your DB table named either "name", "field_name", or "introtext".
That is, you have to replace "field_name" with the name of whatever table column (field from the form) you'd like to insert in the place of the placeholder.

/Fredrik

Thank you, Fredrik. That's correct. I just put in what was in the tutorial.

It's back to school next week and one of my classes is PHP/MySQL. That will have some real world meaning now.

Scott

Bob, Fredrik,

Update:

I think it's down to cosmetics. It all fits and makes sense looking in the rear view mirror.

Thank you both so very much for your patience in walking me through this.

Having said this, I'm sure I've jinxed myself. I still need to finish allocating the proper files to ssl so I don't get those warnings.

Best,

Scott

You're welcome Victoria. Of course the thanks goes to Bob & Fredrik.

I am likely to be asking more security related questions here as I finish this project over the next week.

Best,

Scott

Okay, much further along. Monstrous time getting redirected from Public to Secure folder on the webhost's shared linux server.
Ultimately used .htaccess file which was where I started before being guided away by tech support.

Thought I was finished & went live with links => secretary does not get email notice (did in test a week ago).
In Joomla admin when I click on chronooconnectivity link I get a 404.

I'm guessing it's looking for it somewhere in the public folders and can't get there.

If so, is it possible to somehow retrieve it (the folders are still intact)?

Or, do I need to reinstall and set up?

Thanks,

Scott

Hi Scott.

Please check and see if there is a $livesite or a path setting in the site config file that is still pointing to the old folders.

Bob

Good catch Bob. It was still "http" Added "s" and also changed log and temp paths to correct folder.

Saved, flush browser cache, and still get 404 component not found when I click on Connections Management.

Also, earlier today I had made some changes to site description in admin meta site descriptions.
Those were not changed in the config file in either the public or secure folders.

Gladly buy you a beer when this is done.

Scott

Hi Scott,

You are seeing 'component not found' . . . that is odd.

By all means email or PM me the site URL and a SuperAdmin login and I'll take a quick look.

Bob

Bob, some additional info that may help trace this problem...

While the link to the referral form was briefly live two forms were submitted.

When I look in the records for them, the latest forms there are dated 10/14. The secretary and I also each did tests yesterday which do not show.

Additionally, last week I deleted all those old test records (10/14 and prior) while preparing to go live.

It's as if the old, deleted records are back - or a copy that did not get deleted - and the new ones are going to a new location.

Scott

Some news, Bob:

Thinking through the logic in my previous post I looked through the settings in Form Manager.

The "File Update" Tab had a path entry which went to the public folder. Corrected that and submitted a form.
It shows correctly when I click on records.

Earlier records are still there and yesterdays posting not.
Still get 404 component not found.

Scott

More:

Email notification works but link does not go to the form but rather to the Forms Manager page.
She would have to click on the form on that page and be logged in to Joomla back end.

We are missing the Chrono Connectivity function.

Scott

Hi Scott,

I logged in and took a look and everything appears OK* apart from the ChronoConnectivity 404 error.
I'd suggest that you backup the database and then uninstall and reinstall ChronoConnectivity if you haven't already done this.

I can't think of any obvious reason why this component would behave differently from any other.

Bob

PS Your Joomla! installation is a bit old.

PPS You don't need the doctype info at the beginning of the Form HTML box - Joomla! provides that.

Thanks, Bob, for checking it out and for your suggestions. Will follow up.

Had delayed updating Joomla until this is finished. It has seemed just around the corner for a long time.

Scott

That seems to have done the trick, Bob.

I'm fried and late for class so will look more closely later. It retained all the ChronoConnectivity settings even though I uninstalled.
There were some uninstall errors - could find certain files to uninstall - not unexpected.

The database submissions that were made when link was live do not show. Those from before and after do.
If I were to go looking in phpMyAdmin where might I be most likely to find them?

Many thanks,

Scott

Security Q: Even though the site is in secure folder and padlock is showing and url is "https" I get a message from IE saying it's mixed and do I want to accept
only secure info (or something to that effect). Clicking on accepting only the secure stuff doesn't affect what's delivered.

What is this and what can I do about it?

Getting so I can answer my own questions: Ran Evaluator from FF. Links to update that had been manually entered.

Scott

Well, kind of answered my own question.

Cleaned up a lot of links. Only links that are not https are some outgoing to community partners and the link to you ("Powered By ChronoForms - ChronoEngine.com") at the bottom of the form.

I still receive the same warning in IE about mixed secure/insecure.

Running Xenu's Link Sleuth it also labels two of the outward links to community partners as "redirects". When I click on them they go to the intended locations.

Q's:
Do outward bound links result in the warning from IE?
If so, what can we do about this?

What are "redirects" in this context? How are they different from mere links? Is there anything sinister here?

Scott

Hi scott1137,

I don't know much about https but I'd be surprised if outward links caused the problem. I though the errors were limited to content on the page?

Bob

Bob,
did find this on a Webamster World post(http://www.webmasterworld.com/ecommerce/3088518-1-30.htm?highlight=warning%20mixed%20secure%20insecure%20ie#msg3088603:

Most of the users were scared to death of the ie warning thrown when calling an insecure file into a secure page. You know that popup dialog that you'll see when this occurs. Normally what has happened is there is a hard coded http request within the html. That won't work!

Was part of an interesting little experiment writer did with his site at work.

I'll look further at the html code and links.
Scott

Hi Scott,

Yes that makes sense but if I read it correctly it's content being loaded into the page (not an outward link). A single pixel beacon graphic with a non https link is enough to trigger that I think.

Bob

Makes sense, Bob.
I've posted about this at Webmaster World. Will keep you posted.
Scott

Hi Bob,

Seems to be coming down to making sure all links are in https.

To briefly review I've put the site into secure folder. All's working great except message I get only in IE8 when I visit any site page:

Do you want to view only web page content that was delivered securely?

This web page contains content that will not be delivered using a secure HTTPS connection which could compromise the security of the entire webpage.

Here's some of what the webhost tech wrote:

the error doesn't mean the SSL is invalid. It just means that SOME content on the page (a link or path to another include file) is outside of the "Secure" folder....
...Just make sure all paths are using the secure folder or the absolute url including https:// ....
...but external links shouldn't raise this warning...
...The problem is the content on the page is coming from an unsecure folder...
...It could be the javascript. The other links are https links so I don't see what else...
...Do some testing... remove some links or the javascript and see if that helps.

I've updated all http links to https (those that weren't taken care of by the site being in secure folder instead of public in shared linux server). I've also checked image links.

AFAIK, last to be done are the links to ChronoForms. How can I change those?

I'm not finding the file that contains the code. I'm especially concerned about the link that shows on the bottom of the form pages - but also any other that might be triggering the above warning. I'd like to test to see if this fixes it.

In looking chrono files I found a number of references to http versions of links but they were in comments.

I can't believe this is how folk secure their sites, link by link. I'd think outgoing links wouldn't matter.

Also, I worry about the problem being in javascript someplace - I no little of javascript.

All suggestions welcome.

Thanks.

Scott

Hi Scott,

As your webhost tech says external - i.e. outgoing links shouldn't cause this problem.

I'd look at the page with a decent web diagnostic like FireBug or the Chrome console to check the list of elements being loaded and see which has an http:// address.

As far as I recall the ChronoForms links pick up the current site URL and so should use https automatically.

Bob

Hi Bob,

Will do.

Was afraid I'd have to go through the code of each file. I'd started do look at that, 'finding next' http, but don't know enough about php and didn't want to monkey with that...

Thanks,

Scott

Hi Bob,

Got close to the bottom of this issue: It was RokZoom.

I found two pertinent entries on the IE8 problem:
http://bit.ly/GGdmp - HTTP Watch blog
http://bit.ly/eM1D5i - a MSDN blog

Followed those a while but nothing turned up in terms of http. Started looking at js. Turned the slider in Internet Options Security tab all the way up to 'high' and warning went away.

Then turned up some info on the Joomla and rocket boards and tried modifying the paths to images in css

(../images/image...

instead of

(images/image

to match those in Mootools. No luck.

Finally just disabled RokZoom in the template => joy. Can't see that there's any change in the site display. There are some lines in the top menu element that show but they aren't from this change.

Now to bring the forms live once again but without security warnings....

All the best,

Scott

Hi Bob,

IE8 picked up a couple of unclosed tags which I then found using Aptana. Hence the edit out of a long tag with lots of code...

Scott