Forms are a popular tool at NC State and there are several options available to help you include them on your site. Forms can be very complicated and there are a number of things to keep in mind when creating your form to make sure it’s well-organized, instructive, and collects the right information. It’s also important to be mindful that forms can be exploited to generate SPAM and can therefore become a security concern in some cases.
SPAM refers to unwanted emails and, unfortunately, forms can often be exploited to generate SPAM. Any form that sends email can be used to SPAM you with a lot of repetitive, unwanted messages. A particularly bad form can be used without your consent to send SPAM to other users as well. For this reason, we recommend that you do not allow your forms to send email unless it is absolutely necessary. Additionally, please do not use university web servers to post to mailing lists or perform mass mailings. If you must generate emails of this type, contact your local IT support group to discuss approved third-party service providers.
To avoid sending email with forms:
- Don’t email confirmations; use the web page where the form is hosted to display receipt confirmation.
- Don’t email submissions; save response data to files or a database.
- Use Google Forms and Sheets to collect and correlate response data.
To avoid SPAM in forms that must send email:
- Employ CAPTCHA to verify actual users are accessing your form. Most form building tools have the option to enable CAPTCHA.
- Lock down your form (see below).
Notifications & Confirmations
Once a form is submitted the user should be pointed to a page or content in the site that alerts them that they have been successful and informs them of next steps. There’s no need to send an email with this information. Avoid generating excess emails whenever possible.
Notifications can be useful in alerting you when new form submissions arrive. However, in the case of a popular form, or when a form is abused by spammers, this may generate far too many messages to be of any practical use. If a particular form seems to be receiving far more submissions than expected, it may be an indication that the form is being exploited to generate SPAM.
Furthermore, if you do choose to enable notifications, make sure they go to multiple users or to a group account. This way, if someone leaves the university, other staff will still be aware of the form and will keep receiving its submissions.
Locking Down Your Form
On campus we often want to limit form access to users with NC State affiliation. This helps reduce SPAM by ensuring only authorized users are accessing the form. Furthermore, the login process itself may collect relevant user information.
There are many ways to lock down your form and the process for doing so will depend on how you create your form and where it is hosted.
Building Long Forms
If possible, break long forms into multiple pages or sections to help organize the content. Use descriptive language to explain the intent for each section/page. When possible, allow users to save their form and come back to it. Alternatively, consider breaking the form into multiple, shorter forms.
Collecting Form Data
Collect your data in a format that will be practical for you to evaluate. Although the default for many forms is to email you the submissions, you should consider whether that’s truly what you need. It may be much more efficient (and more secure) to export form results to a spreadsheet so you can easily compare and contrast response data. Many form tools will also let you export data based on submission date or other parameters.