_______ __ _______
| | |.---.-..----.| |--..-----..----. | | |.-----..--.--.--..-----.
| || _ || __|| < | -__|| _| | || -__|| | | ||__ --|
|___|___||___._||____||__|__||_____||__| |__|____||_____||________||_____|
on Gopher (inofficial)
URI Visit Hacker News on the Web
COMMENT PAGE FOR:
URI Self-hosting forms, the sane way
pentagrama wrote 9 hours 54 min ago:
A fully self hosted solution that for me is good enough and more easy
is a WordPress site with the plugin WPforms (free version). No third
party services used.
Update: not sure if the WPforms free version supports file uploads as
the OP needs.
devmor wrote 16 hours 21 min ago:
Jesus, I can't believe I'm saying this in 2024 but just use a php
script and an sqlite file.
pembrook wrote 17 hours 10 min ago:
It seems like an extremely convoluted way to receive what will pretty
much exclusively be automated spam submissions since Iâm not seeing
any protection methods mentioned.
Attacks on any form on the open web have gotten absurdly bad in recent
years â hope the author is using something like Cloudflare + captcha.
jpm_sd wrote 17 hours 25 min ago:
Makes me miss the bad old days of Perl scripts and cgi-bin
directories... It was, at least, simple.
themgt wrote 17 hours 33 min ago:
On one of my sites, I needed to install a form with file upload
capability.
Soo ... the file upload is happening via JSON webhook? Seems like this
was defined as the scope and then file upload was just never mentioned
again.
lol768 wrote 17 hours 43 min ago:
How does validation work with the approach that the author advocates
for?
Is this something "n8n" does? I've gone to learn more about it, and it
describes itself as an "AI-native
workflow automation" tool. What the f** is that meant to actually mean?
bgdam wrote 18 hours 57 min ago:
> that was secure and wouldnât give me a headache, so number 3 was
off as well.
Is having a backend controller that securely writes to a DB when a url
is posted to that difficult in PHP, that this 'sane' way is preferred?
Isn't it the most basic of CRUD setups?
I can understand doing this because n8n has a quick way to send emails
(at least that's what I assume based on this article), but I really
don't understand how this over engineered solution is supposed to be
the sane way.
dartos wrote 18 hours 45 min ago:
Security in php is a headache.
Many crud apps which separate the frontend and backend have form
validation and sanitization on the frontend and backend (partly by
virtue of converting raw input into escaped json strings), but IIRC
isnât as straightforward in php.
theamk wrote 11 hours 48 min ago:
what are the possible security problems in this case (grab all form
data and stuff to database)?
The only one I can think of is SQL injection, but that's trivial to
fix with placeholders.
echoangle wrote 14 hours 27 min ago:
Im not sure whatâs so hard about doing it in PHP. Can I not just
get all the data from the GET/POST-Data-Assocarray, get the form
fields I want, and put them into a prepared statement to save them
to the DB? Whatâs the vulnerability here? Maybe add an CSRF Token
for extra security and I think youâre done, or am I missing
something?
omnimus wrote 51 min ago:
You are not. Its same security any other stack would do.
This âPHP security is terribleâ is mostly because people
remember stories from 20 year ago (when none of the cool stacks
didnt even exist) and things like Worpdress the most targeted
cms/framework in the world.
I have suspicion that if Vercel/next powered 60% of web than its
security reputation wouldnt be great either.
PHP is flawed but so are all the other stacks. PHP is old but
that doesnt mean its not being updated or up to date. If anything
its boring.
kugelblitz wrote 18 hours 25 min ago:
Security in vanilla php using old tools is a headache.
I use Symfony and using the form component ( [1] ) you can achieve
much of what is needed.
If you use the framework as well (which is very modular nowadays)
you also have security built-in ( [2] ).
But probably not as fast as a "quick and loose" approach if you
don't know Symfony yet, but extendible and secure (if you do know
Symfony, it might be faster than the vanilla php approach, because
you can avoid much of the "generic" code, the validators, the error
handling, avoid SQL and XSS injection).
URI [1]: https://symfony.com/doc/current/components/form.html
URI [2]: https://symfony.com/doc/current/forms.html
pbowyer wrote 18 hours 28 min ago:
> Security in php is a headache.
It really isn't.
progx wrote 19 hours 32 min ago:
Or just use PHP and done.
cloudking wrote 18 hours 21 min ago:
+1 not sure how OP proposal for a hobby website form is "sane". You
can solve this with a simple PHP script
CPLX wrote 19 hours 35 min ago:
For those that actually want a SaaS type tool for this and donât want
to use Jotform, which is utterly horrible, I recommend Fillout, which
has been a joy to use and is seamlessly integrated with a bunch of
services like AirTable and Dropbox and so on.
Even if you do want to eventually build your own itâs ridiculously
fast as a prototyping tool, can pre-fetch data and use conditional
logic and accept URL parameters and all that out of the box.
Doohickey-d wrote 20 hours 16 min ago:
If you want your forms submissions in a spreadsheet, it's also possible
using only Google Apps Script:
URI [1]: https://github.com/levinunnink/html-form-to-google-sheet
vidyesh wrote 20 hours 22 min ago:
Much simpler solutions exist like [1] And for others who use the static
hosts' free tiers for hobby projects, Cloudflare provides form
submissions to your static pages, netliffy forms is quite generous too
URI [1]: https://formsubmit.co/
URI [2]: https://www.netlify.com/platform/core/forms/
irq-1 wrote 16 hours 4 min ago:
Netlify forms looks like it could be great, but the pricing is awful:
100 per site /month ($19+ when exceeded)
Cloudflare form plugin sets up a worker/handler, which is cheap and
easy. It does require coding though, unlike the formsubmit.co link.
URI [1]: https://developers.cloudflare.com/pages/functions/plugins/st...
vidyesh wrote 7 hours 56 min ago:
That static form plugin sends submissions to Cloudflare KV Storage,
I only recently started experimenting with Cloudflare offerings so
haven't tried KV yet but does it get populated in the Cloudflare
dashboard? If not, then that would be another thing to build.
And about Netlify. If you are getting more than 100
submissions/month on your hobby project, I think it might be time
to consider some better serious solutions ;)
cchance wrote 20 hours 18 min ago:
Except.. as the first half of the page says heâs trying to avoid
relying on third party services and to self host it
vidyesh wrote 20 hours 3 min ago:
Yes, they too mention that service but for work purposes. I just
find it odd that this is now considered a sane way for hobby
projects.
I would rather have something like this for a client who wants
complete control of their data.
47282847 wrote 21 hours 37 min ago:
I use [1] (php) but I wish there were more self-hosted options.
URI [1]: https://www.formtools.org
V__ wrote 21 hours 24 min ago:
There are quite a few, at the top of my head: getinput.co,
quillforms.com, heyform.net snoopforms.com
jauntywundrkind wrote 21 hours 55 min ago:
I'll dare to say I like it!
N8n seems to have a pretty fine gui for configuring little pipelines,
sort of alike node-red. If the author wanted to embellish & enhance
what they have there's a variety of other connectors & processors they
could easily snap into place. It's easy to glance at a pipeline and see
what the general shape is. This high level world feels much more
normative & clear than scratching together "simple" php scripts.
Ditto for sending data into nocodb. An Airtable spreadsheet/database
like system, with a good gui, with form submissions being fed into a
spreadsheet: it's again nicely high level. It integrates with other
documents or reports, if you want. It's easy to access from the web.
It's a very slick very user friendly solution that still brings a ton
of power. Another huge win for a high level system.
I too had an initial WTF reaction, are you serious reaction. But it
wasn't that hard to find some empathy when I tried. I didn't have to
work that hard to appreciate what the post is going for, to envision
what the actual usage/configuration looked like, and to see there is a
pretty neat high level set of guis here that are used to program a very
flexible small little pipeline. And I can see how each piece is
extremely malleable by end users. That freedom to rework & reshape this
system freely is really neat.
There may be good tailor made solutions that we can agree to dub as
"simpler" for form handling, but the composability & flexibility of
this end-user driven solution is super neat & super compelling to me.
These tools are extremely generic & could be used for all manners of
tasks, and that is enormously compelling, to good general systems that
we can use to tackle all manners of tasks. This is a cool pick of tools
to bring together.
cchance wrote 20 hours 12 min ago:
THIS!
And the authors thoughts about why are well spelt out. Not to mention
that this seems infinitely more flexible than what some other people
are recommending.
Like theirs an entire thread of people somehow acting like dumping
forms to a mailto: handler that the client then has to send via a
hopefully configured mail client is somehow a realistic and reliable
option
thehias wrote 22 hours 18 min ago:
This is supposed to be the sane way? Certainly not!
You guys know that you can use "mailto:" as form action, yes?
No backend stuff needed.
CM30 wrote 16 hours 33 min ago:
Sadly the best way to use this stopped working years ago. I vaguely
recall in some browsers (maybe IE6 or earlier?) it actually send the
submission to email directly without opening the user's email program
at all.
Having to send an email with the fields prepopulated feels rather
archaic by comparison, and leaves me using form scripts as a rule
now.
theamk wrote 11 hours 58 min ago:
automatically expose my email to any random marketer with a single
button click? I can't imagine why anyone ever thought this would be
a good idea.
leobg wrote 17 hours 58 min ago:
I would guess that mailto will be great for deliverability. Since the
user has already emailed you before your emails are more likely to go
through to them and not get filtered as spam or promotion.
Anyone have any data / observations on this?
oliwarner wrote 18 hours 57 min ago:
If you do this, recognise that you'll have a lot of desktop users
fail out because they don't have an email client set up properly.
And even when email sends, it's hard to guarantee delivery. I'd
sooner set up and host an API than trust email to work in a business
setting.
closewith wrote 19 hours 6 min ago:
I have a few qualms with this app:
1. For a Linux user, you can already build such a system yourself
quite trivially by getting an FTP account, mounting it locally with
curlftpfs, and then using SVN or CVS on the mounted filesystem. From
Windows or Mac, this FTP account could be accessed through built-in
software.
2. It doesn't actually replace a USB drive. Most people I know e-mail
files to themselves or host them somewhere online to be able to
perform presentations, but they still carry a USB drive in case there
are connectivity problems. This does not solve the connectivity
issue.
3. It does not seem very "viral" or income-generating. I know this is
premature at this point, but without charging users for the service,
is it reasonable to expect to make money off of this?
kaashif wrote 17 hours 7 min ago:
Classic comment and perfectly captures the vibe.
I don't understand why people don't understand why making users do
this weird shit (and yes, mailto: is weird although not as weird as
SVN/CVS vs Dropbox) isn't going to work.
mcny wrote 15 hours 49 min ago:
For today's lucky ten thousand, the grandparent comment is about
dropbox
URI [1]: https://news.ycombinator.com/item?id=9224
teleclimber wrote 15 hours 13 min ago:
And the "lucky ten thousand" is a reference to
URI [1]: https://xkcd.com/1053/
crazygringo wrote 19 hours 26 min ago:
If I hit "submit" on a form and I saw it start to open a new Gmail
tab in my browser, I'm going to close the new Gmail tab before it
even has time to finish loading. (Or same if I saw it opening
Mail.app.)
I'd just assume the site was trying to trigger some kind of spam
e-mail or something.
The idea that I'd fill out a form on a site, then submitting it would
open my mail program, and I'd then have to hit send there, and then
close my mail tab/window (not to mention exposing my e-mail address
to the site when maybe I wouldn't want to), is some of the worst UX
I've ever heard of.
philsnow wrote 13 hours 49 min ago:
I have a Pavlovian annoyance response to noticing that I have
inadvertently clicked a mailto link, because back in ~2005 firefox
would try to start Evolution. I usually only noticed the click
because of the sound of my spinning disk thrashing to try to lift
into memory hundreds of MB of dependencies from their rust platter
slumber. Evolution generally didn't even load enough to so much as
show its splash screen before I found a terminal and killed the
process tree.
all2 wrote 18 hours 20 min ago:
Craigslist does this exact thing. They give you a custom email
address to email, and then you click their link and it pops open
gmail.
theamk wrote 11 hours 56 min ago:
except it's actually labeled "gmail", so it is totally expected.
Unlike the random form on unknown website.
voytec wrote 20 hours 9 min ago:
> You guys know that you can use "mailto:" as form action, yes?
Author mentions "a form with file upload capability".
prepend wrote 21 hours 41 min ago:
Aside from having to have something to parse out the submission as
the response isnât that human readable, I think the biggest problem
is that users need a mail client and requires them to hit send. This
disorients people so even if they have a mail client, you end up with
people not hitting submit.
cchance wrote 20 hours 17 min ago:
Thereâs also the bigger issue your directly exposing an email
address to web scrapers like itâs not the 90s using mailto forms
is a shocking take as acceptable
arccy wrote 16 hours 35 min ago:
exposing mail addresses on the web is fine as long as you have
semi-decent spam filters.
obsfucating addreses won't work much longer anyway
URI [1]: https://news.ycombinator.com/item?id=38150096
prepend wrote 17 hours 56 min ago:
This isnât really a concern for me. Iâve had my gmail exposed
to web scrapers for decades without making me regret it.
For this purpose though itâs a non-issue as I also have a
contact email published on my site so people can email me. And I
would create a separate mailbox just for the form.
Iâm not sure why people are concerned about their email being
scraped as itâs comical that any email address isnât already
on a million spam lists.
01HNNWZ0MV43FF wrote 20 hours 52 min ago:
I think you can register GMail and Outlook as mailto: handlers, but
I've certainly never tried it.
arnorhs wrote 12 hours 1 min ago:
You can. It is actually relatively hard to do though unless you
are extremely motivated.
Where you have to find a setting in mac / windows as well as
configure your browser (chrome) for it, by using an obscure icon
in the address bar etc.. and then you can have some apps fighting
for you to change the setting. And then it depends on which
browser profile is currently active. It is pretty messy to say
the least
prepend wrote 18 hours 2 min ago:
You can, but many people do not do this.
Joker_vD wrote 21 hours 44 min ago:
I believe the last time I've sent an e-mail was in July 2017, when I
was finishing my Master degree thesis, and I was glad I'd probably
never have to do it again. Please don't ruin my dream?
gofreddygo wrote 20 hours 43 min ago:
that email from 2017 will still be in that sent folder, waiting for
you, readable and accessible on all possible platforms and form
factors, when all the latest owners of the slacks, teams, whatsapps
and telegrams of the world ratshit onto their users into oblivion.
Ask the ex-twitterati.
aprilnya wrote 21 hours 7 min ago:
What.
Joker_vD wrote 19 hours 58 min ago:
Well, Spivak in the sibling reply summarized the reasons
perfectly.
rglullis wrote 21 hours 11 min ago:
Genuinely curious: what is so bad about writing an email? Do you
really prefer/expect that every interaction with someone online is
better to be had via an app or automated form?
Spivak wrote 20 hours 33 min ago:
Easily yes. Especially when you interact with companies the email
is just a shitty gateway to their actual CRM/Ticketing Software.
Ignoring the general shittyness of email itself being plaintext
or bastardized html that's destroyed the moment someone replies
-- Different reply and quoting styles, emails |||||||| of every
previous email in the thread. A haphazard mix of fonts, font
sizes depending on the client, obnoxious signatures on every
message. No one understands threads where threads in chat are
immediately groked.
Ignoring all that. Unsolicited communication mediums can go die
in the hell from whence they came. All communication that allows
someone to message me without asking, where new identities can be
minted like candy so they're impossible to block permanently.
Awful. My inbox is just for password resets and spam now. Same
with SMS, it's the messaging of last resort.
Being able to close your DMs to just actual humans you want to
talk to is goated. Email, SMS, and my mailbox are just junk
drawers ever since the marketing people got ahold of them.
rglullis wrote 19 hours 33 min ago:
While a good rant is always appreciated, I don't see how
forcing people to install an app or having an online form
(which will very probably ask for your email anyway) is any
better. And to avoid abuse, email masking services work quite
well.
It's just funny that with Communick I have a whole Discourse
site setup because I was anticipating people weary of giving
out email addresses, but in the end the majority of my
customers just prefer to solve issues by email.
One could dream of a world where XMPP is relevant and that most
clients support its HTML submission capabilities, but this is
also not the timeline we're in.
homarp wrote 21 hours 51 min ago:
but mailto is done on the client side. I am not sure everyone has a
local mailto handler these days.
kevincox wrote 14 hours 13 min ago:
It is surprisingly rare. I remember working at Google even on
documents targeted towards engineers many people were confused by a
mailto.
ekianjo wrote 21 hours 52 min ago:
but that means exposing an email address in the page source code
prepend wrote 21 hours 5 min ago:
I donât consider that a risk as running a web site likely already
has some contact email.
I can set up infinite emails on my $30/year cpanel host so I just
create a new mailbox for the form and forward it wherever I like.
atoav wrote 21 hours 42 min ago:
Which you are legally required to do anyways in some parts of the
world.
cchance wrote 20 hours 15 min ago:
Thereâs a difference between a random contact adddress and one
that your using for data processing and lead handling
ekianjo wrote 21 hours 31 min ago:
interesting! where is this required?
RicoElectrico wrote 21 hours 28 min ago:
Germany probably? Impressum aka imprint.
canadianfella wrote 20 hours 51 min ago:
> Impressum aka imprint.
What does that mean?
codetrotter wrote 20 hours 41 min ago:
> An Impressum is a statement of ownership and authorship
for online and print media. An Impressum helps combat spam
and disinformation by holding creators responsible for
their content. An Impressum is legally required for
commercial sites operating in Germany, Austria, and
Switzerland.
URI [1]: https://termly.io/resources/articles/impressum/
pspeter3 wrote 22 hours 5 min ago:
I had no idea that you could use the mailto: URL for a form action.
arnorhs wrote 11 hours 53 min ago:
this was something that was more commonly used in the late
90s/early/2000s, an early internet feature, but still works to this
day.
there are some niceties that have been added or maybe they were
always possible - you can add a subject and message body, possibly
cc etc.
i used it just last year to make an easy contact form for
contacting local municipalities from a single website for my wife's
NP
thih9 wrote 21 hours 57 min ago:
Same. How would that work? What would be the end result (email
body)?
ReleaseCandidat wrote 20 hours 6 min ago:
You see that in the "email" forms of for example most "contact"
sites.
Like, for example, here on HN, in the right end of the site's
footer (on desktop), by clicking "Contact" (but this isn't a
form, just a "mailto:..." link).
bdcravens wrote 21 hours 40 min ago:
It passes all form fields in URL encoded format in the body
(example, name=Billy+Cravens&state=TX)
codetrotter wrote 20 hours 38 min ago:
Sounds like a really bad UX
I think if my mom was trying to submit a form, and it opened
her email client with a body consisting of URL encoded data
sheâd probably just close the email client thinking that
something went wrong. Then sheâd try again and the same thing
would happen again. Then she might call me, and Iâd probably
tell her to just forget about it and try to call them on the
phone instead or give up and try another company instead.
vaylian wrote 19 hours 32 min ago:
> with a body consisting of URL encoded data
The e-mail client decodes the URL encoded data. So you
actually see plain text. The encoding is only done for the
purpose of passing the data from the browser to the e-mail
client.
codetrotter wrote 17 hours 57 min ago:
I created a form with a dropdown and a some other inputs.
The result when using
enctype=application/x-www-form-urlencoded and method=post
in the form html is that the body that is shown in my email
client is URL encoded.
They have a different enc type that you could use to
specifically make it plain text. That one is not
recommended because then you're gonna have a bad time
parsing out the fields that were submitted from the form.
codetrotter wrote 17 hours 50 min ago:
And for reference, here is what the mail body looks like
with enctype=text/plain and method=post when it is opened
in iCloud mail ready to send
cat=services
btext=adsfasdfsdafsdf afsdfas asd fa sdf as dfs
subscribe-newsletter-weekly-yes=yes
Other email clients might create different looking body
for text/plain enc type.
codetrotter wrote 17 hours 41 min ago:
One variant that seemed interesting was method=get with
enctype=application/x-www-form-urlencoded
In this case the values from the form get added as
headers in the email so they are not directly visible
to the user
I thought that I could still add user-visible subject
and body by adding ?subject=foo&body=bar to the mailto:
url
For example I could then have the subject say "Web form
submission", and have the body of the mail contain a
description that tells the user to send the email and
that the data they filled into the form will be sent
along with the email.
Even that is not great UX imo, but could still be
interesting.
However from my testing with Brave web browser and
Apple Mail, the subject and body are not filled in for
the user in this case.
GrantMoyer wrote 21 hours 5 min ago:
Looks like it can also be plaintext encoded[1], so something
like:
name=Billy%20Cravens
state=TX
[1]
URI [1]: https://html.spec.whatwg.org/multipage/form-control-in...
throwup238 wrote 21 hours 49 min ago:
Email body is in the âbodyâ form field, subject line in
âsubjectâ, destination in âemailâ.
URI [1]: https://www.w3docs.com/snippets/html/how-to-create-mailt...
bdcravens wrote 21 hours 36 min ago:
Those parameters need to be passed in the mailto: URL, not the
form, if the FORM is a POST
mailto:example@gmail.com?subject=About+your+extended+warranty
dearroy wrote 22 hours 18 min ago:
I understand your concern, but what about an open-source form builder
that gives you control over whatâs on your site?
URI [1]: https://news.ycombinator.com/item?id=39895960
ulrischa wrote 22 hours 37 min ago:
This is so overengineered. Just a simple web hosting and php script
will do it
ocdtrekkie wrote 22 hours 28 min ago:
I write PHP forms for fun but there's a very valid point the default
of this is extremely manual for every form you want to build. I
really like the idea of at minimum using a database that creates
tables and columns as needed for a form sent at it.
At the office we have less proficient users who want to make web
forms, but self-hosting the data is important to us.
cess11 wrote 20 hours 37 min ago:
Why? If you need more than five forms, invent a small DSL that
consumes something like a five column CSV (form element type,
label, id, something, something) and craps out some PHP and SQL for
you. Maybe make the layout boilerplate configurable through a bit
of simple templating.
ecoqba wrote 20 hours 47 min ago:
Yeah, but nowadays with GPT new forms can be generated fairly
quickly.
bdcravens wrote 21 hours 56 min ago:
Everything you're describing could still be done in PHP (or another
language)
megadal wrote 22 hours 14 min ago:
Yeah but this is using 3 different backend services just to
automate self hosted forms.
Pretty sure you can do this without 3 different services.
cchance wrote 20 hours 8 min ago:
I mean one a db.. youâd want that regardless and the others the
processor.. and ones the form⦠youâd need those 3 in some
variety anyway and technically you could drop the db if you just
want it dumped to email id imagine
This is literally a blog recommending to use n8n as your
processor⦠thatâs basically it lol heâs just adding ways
that can be extended too like noco and metrics
megadal wrote 19 hours 28 min ago:
Maybe the article should be titled "Self-hosting forms, the n8n
way" then, because if I was working with a dev who did this I
would definitely question their sanity.
But as an article about a cool way to utilize n8n, this is
fair, and perhaps even elegant.
CoolCold wrote 18 hours 24 min ago:
The author clearly states he is not dev/sysadmin and just
playing around for hobby - I think it's totally fine.
ocdtrekkie wrote 21 hours 28 min ago:
That's entirely fair. I don't think I'd end up using the same
setup as the author, but it definitely planted some ideas.
Takennickname wrote 22 hours 37 min ago:
Is there really no good open source form backend? That doesn't sound
right.
rroose wrote 3 hours 24 min ago:
You could use Drupal and the very versatile Webform module:
URI [1]: https://www.drupal.org/project/webform
beanclap wrote 21 hours 59 min ago:
Formbricks can do what Formspree does but open source see here:
URI [1]: https://formbricks.com/vs-formspree
DIR <- back to front page