sending data in a field thru submit button
July 23rd, 2006, 06:06 AM
|
#1 (permalink)
| | Member
Join Date: Aug 2004
Posts: 84
| sending data in a field thru submit button
hello guys,
ok, i have an application form in my website, actually not my personal website but for a client's website. the application form asks for his/her basic info like name, age, bday, phone number, etc and stuff like that, and at the latter part of the form, it asks for the bank accnt #, accnt name, and bank name.
first question: is there a risk of posting the bank details such as the ones mentioned above over the internet?
second question: assuming the borrower has filled up all the questions asked by the form, how do I save it as a file (or something) and send it to a person thru email using the submit button as the "send" button?
I know it's relatively easy for you guys but can you help me out on this one? i'm just a newbie. any help regarding this matter would be very appreciated. thanks!  |
| |
July 23rd, 2006, 06:24 AM
|
#2 (permalink)
| | Anime Otaku
Join Date: Oct 2001 Location: Tampa, FL USA
Posts: 108,969
|
You are talking about a huge security risk. At minimum, you need to implement SSL encryption, and the saved personal banking information needs to be funneled and dumped to a secondary data storage system not directly accessible from the Internet.
Does the desired system parse purchases, services, etc.? If so, you can look into one of the various shopping cart systems available for affordable prices or maybe even open source, or you can even use a large Internet firm like Yahoo! to handle the monetary aspects of the transactions. |
| |
July 23rd, 2006, 08:06 AM
|
#3 (permalink)
| | Member
Join Date: Aug 2004
Posts: 84
|
no, it's just an application form for loaning money. the reason why it's there (bank details) is because the loaned money will be deposited to the borrower's account. |
| |
July 23rd, 2006, 09:53 AM
|
#4 (permalink)
| | Ultimate Member
Join Date: Dec 2003
Posts: 3,991
|
you don't even know that sensitive info needs to be encrypted...something every internet user should know and definitely a web designer...and you have CLIENTS???
I can see maybe a friend or something asking for some help on html....but why on earth would a financial institution hire somebody with so little knowledge
sorry but to me it sounds like you're up to no good
__________________
Hey who turned sigs on?
|
| |
July 23rd, 2006, 11:46 AM
|
#5 (permalink)
| | Member
Join Date: Aug 2004
Posts: 84
| Quote: |
Originally Posted by HeadBand
you don't even know that sensitive info needs to be encrypted...something every internet user should know and definitely a web designer...and you have CLIENTS???
I can see maybe a friend or something asking for some help on html....but why on earth would a financial institution hire somebody with so little knowledge
sorry but to me it sounds like you're up to no good |
ok, that's why I'm seeking professional help, I may be a newbie but I think I may be a lot better than you. FYI, i have designed a lot of web pages and i'm just a "newbie" in this "sense". i'm just asking a little help on this. you know it would be helpful if you would just give some helpful comments regarding this matter. I know that it's sensitive data, that's why I asked it here, instead of you giving such "unhelpful" comments and not criticizing on my misbehalfs. i placed my question here because i know for a fact that someone out there can help me. this wasn't really helpful at all coming from you. |
| |
July 24th, 2006, 11:37 AM
|
#6 (permalink)
| | Banned
Join Date: Jan 2004 Location: Earth
Posts: 420
| Quote: |
Originally Posted by corics15
first question: is there a risk of posting the bank details such as the ones mentioned above over the internet?
second question: assuming the borrower has filled up all the questions asked by the form, how do I save it as a file (or something) and send it to a person thru email using the submit button as the "send" button?
I know it's relatively easy for you guys but can you help me out on this one? i'm just a newbie. any help regarding this matter would be very appreciated. thanks!  |
First Question: Answer = OF COURSE!
Second Question: Answer = You really need to lower your pride and tell your client that you cannot do this for them. I am sorry but you have no clue of what you're getting yourself into. Do you really want to go to prison?
Finally: There are so many levels of understanding you will need to know to make this type of thing a success. You need hardware, software, database, system security, and networking experience to even understand the security risks involved and how to protect the users who will use this type of system. You cannot learn these types of things overnight. You definitely cannot learn this from a forum. It could take years of study and experience to be ready to build this type of application.
If I were you I would start by learning how to program and how to work with web servers and Operating system servers. I would even take some programming and networking classes at a local University or technical college.
There are plenty of books out there written by professional people and organizations that you could buy or check out at your local library. There is php, asp.net, and many other technologies you could use and learn. You will need to start with the basics of programming. After you gain enough experience with the basics, then learn how to work with databases (using SQL) and database servers and how to send form data from a website to a database and what SSL is. Learn about SMTP and the security risks involved in sending e-mail across the Internet. Learn about database security and the many exploits out there that could potentially rape your application and servers such as SQL Injection and cross site scripting.
I cannot possibly list all the things you need to learn but you get the basic idea. I have built applications such as the one you want to build. And coming from over 10 years of web development experience and a degree in computer science and network administration, I can tell you that even with all of that I would never call this type of application an easy task.
Last edited by Iturea : July 24th, 2006 at 05:19 PM.
|
| |
July 25th, 2006, 10:44 PM
|
#7 (permalink)
| | Member
Join Date: Aug 2004
Posts: 84
| ERRATA:
ok, there was a misunderstanding there. sorry i wrote the wrong words so we're not getting to the point. originally i posted this: "first question: is there a risk of posting the bank details such as the ones mentioned above over the internet?"
this is wrong! i'm not really posting these details, there was a misconception and at the time i wrote it maybe i was so desperate and had done a lot of research about it but not found some results. the prospective borrower will fill up these details and send it via email form. of course these things have to be confidential. that's why i'm not getting the correct replies i need from you guys. |
| |
July 26th, 2006, 05:54 PM
|
#8 (permalink)
| | Anime Otaku
Join Date: Oct 2001 Location: Tampa, FL USA
Posts: 108,969
|
The reply is the same. You need to implement SSL, then you need to dump the data to a secure system, not an email inbox.
If you accept the data without SSL, then the form is gathering plain text data, which can be easily intercepted. Research SSL.
With SSL implemented, you can proceed with the form page. The form needs to be tested against multiple attack vectors, as you are dealing with sensitive personal data.
Now the personal information must be relayed to the company. Email is a poor choice, even if you opt to implement encrypted messages. Detailed technical aspects aside, email scripts and servers are not a secure form of data transmission. You need to set up a secure method with authentication to funnel the data to the company. Once at the company, you need to determine how to store the data, such as using a secured database.
What sounds like a simple project is definitely not, even for a veteran web developer. You are wanting to implement a system that ideally requires detailed knowledge of CGI/PHP/ASP, SQL, and SSL. If you opt to proceed with an insecure system, be warned that financial data requires certain protections according to law. If you do not follow the guidelines, then expect to pay huge civil litigation settlements when a malicious hacker intercepts your plain text form data, not to mention you are going to create huge problems for the company with government regulators.
Simply put, I do not believe you have the knowledge to securely implement the required system, as it appears you are still wanting to implement a simple plain text form. Be truthful to yourself and your client. Turn down the job. |
| |
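Added example (not part of any post in this thread): a minimal sketch of the flow described in post #8, where the handler refuses plain-HTTP submissions, validates each field against an allow-list, stores the record with a parameterized query, and sends staff only a reference number by e-mail. The field names, patterns, table layout and the in-memory SQLite store are assumptions standing in for the client's real form and internal database.

```python
import re
import secrets
import sqlite3

# Allow-list patterns for each form field (constructed for this example).
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{1,79}"),
    "phone": re.compile(r"\+?[0-9 ()-]{7,20}"),
    "bank_name": re.compile(r"[A-Za-z0-9 .&'-]{2,80}"),
    "account_name": re.compile(r"[A-Za-z][A-Za-z .'-]{1,79}"),
    "account_number": re.compile(r"[0-9]{6,20}"),
}

def open_store(path=":memory:"):
    # Stand-in for the internal database; the real one sits on a host the web
    # server reaches over an authenticated channel, never inside the web root.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS applications (ref TEXT PRIMARY KEY, "
               "name TEXT, phone TEXT, bank_name TEXT, account_name TEXT, "
               "account_number TEXT)")
    return db

def handle_submission(db, scheme, form):
    """Return (status, body). `scheme` is the URL scheme the request arrived on."""
    if scheme != "https":
        # Over plain HTTP the fields would cross the network in clear text.
        return 400, "This form is only accepted over HTTPS."
    bad = [k for k, rule in FIELD_RULES.items()
           if not rule.fullmatch(form.get(k, "").strip())]
    if bad:
        return 422, "Invalid fields: " + ", ".join(bad)
    ref = secrets.token_hex(8)  # unguessable reference handed back to the user
    values = [form[k].strip() for k in FIELD_RULES]
    # Parameterized insert: values are bound, never spliced into the SQL text.
    db.execute("INSERT INTO applications VALUES (?, ?, ?, ?, ?, ?)", [ref] + values)
    db.commit()
    return 200, ref

def notification_email(ref):
    # The e-mail only announces that an application exists; staff read the
    # details from the internal system after authenticating.
    return (f"Subject: New loan application {ref}\n\n"
            f"Reference {ref} is ready for review.")
```

In a real deployment the HTTPS check belongs in the web server configuration as well (redirect or refuse port 80), so the form page itself is never served in clear text.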
July 27th, 2006, 02:40 PM
|
#9 (permalink)
| | Caveat Emptor
Join Date: Mar 2005 Location: Out of my mind
Posts: 3,241
|
Most (I hope) Internet users these days are savvy enough to know not to put this type of information into a web page...secure or not. |