Salesforce form integration (web-to-lead) with PHP and cURL
Salesforce has an out-of-the-box solution for generating leads from online forms called web-to-lead. This solution is very basic and, in my opinion, very insecure. A small number of Redwood's forms need to submit data to a database as well as send the data to Salesforce, and the basic web-to-lead forms can't handle this. The solution is to POST the data to a submission page, submit the data and then "POST" the data on to Salesforce.
After many hours of research I found cURL (Client URL Library) to be the best solution for posting data on from a standard page. In order to use PHP's cURL functions you need to install the libcurl package.
In the example below I am only showing the basic process. I am leaving out the validation code for the fields and any submission code to a MySQL database.
One security advantage of this process is hiding your organisation id within a variable in the submission page rather than on the live page with the form.
// SF Org Id.
$oid = "0113543434646";
I first check if cURL is enabled before processing any further.
// Make sure cURL is enabled
if (!function_exists('curl_init')) {
    // exit() is used here because error() is not a built-in PHP function
    exit("Curl is not setup on this PHP server and is required for this script");
}
I then loop through all the data input from the form. I first check there is data there (twice). Then I loop through each POST field using a foreach. Within the foreach loop I run the stripslashes() function to stop the backslashes getting added twice. I don’t do any other form of validation as the data is going to Salesforce and I rely on them checking the data. At the end I add the organisation to the array.
if (isset($_POST)) {
    if (count($_POST) == 0) {
        exit("Error. No data was passed to this script.");
    }
    // Variable to hold a cleaned-up version of the $_POST data
    $cleanPOST = array();
    // Loop through the $_POST data and process it
    foreach ($_POST as $key => $value) {
        // Skip array values (e.g. name[]=x); stripslashes() only accepts strings
        if (is_array($value)) {
            continue;
        }
        $cleanPOST[stripslashes($key)] = stripslashes($value);
    }
    // Add the Org ID last so it replaces any "oid" sent by the browser
    $cleanPOST["oid"] = $oid;
} else {
    exit("Error. No data was passed to this script.");
}
Once the POST data is in an array we can send it to Salesforce. I have commented each step below. I add a return URL to the data sent which then redirects the user to that URL. You could do the redirect in the PHP file itself.
// Create a new cURL resource
$ch = curl_init();
// curl_init() returns false on failure
if ($ch === false) {
    exit("Error: could not initialise cURL\n");
}
// Point to the Salesforce Web to Lead page
// (HTTPS so the lead data is not sent in cleartext)
curl_setopt($ch, CURLOPT_URL, "https://www.salesforce.com/servlet/servlet.WebToLead");
// Set the method to POST
curl_setopt($ch, CURLOPT_POST, 1);
// Pass POST data
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($cleanPOST));
curl_exec($ch); // Post to Salesforce
curl_close($ch); // close cURL resource
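The loop above forwards every field the browser sends and relies on Salesforce to check it. As an added example (not the author's code), this sketch forwards only an allowlist of fields and sets oid and the return URL (web-to-lead's retURL field) on the server. The field list, length limits, function names, placeholder org ID and example.com URLs are assumptions.

```php
<?php
// Added example; field names, length limits and URLs are assumptions.
const ALLOWED_FIELDS = [   // form field => maximum length in bytes
    'first_name' => 40,
    'last_name'  => 80,
    'email'      => 80,
    'company'    => 255,
];
// Build the payload from the allowlist only; every other posted field is dropped.
function buildLeadPayload(array $post, string $oid, string $retUrl): array
{
    $payload = [];
    foreach (ALLOWED_FIELDS as $name => $maxLen) {
        $value = $post[$name] ?? '';
        if (!is_string($value)) {   // e.g. email[]=x arrives as an array
            continue;
        }
        // Remove control characters, trim, and drop empty or over-length values.
        $value = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $value));
        if ($value !== '' && strlen($value) <= $maxLen) {
            $payload[$name] = $value;
        }
    }
    // Set server-side, last, so a posted oid or retURL can never replace them.
    $payload['oid']    = $oid;
    $payload['retURL'] = $retUrl;
    return $payload;
}

// Send the payload; returns false on transport errors or an HTTP status >= 400.
function postLead(array $payload, string $endpoint): bool
{
    $ch = curl_init($endpoint);
    if ($ch === false) {
        return false;
    }
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($payload),
        CURLOPT_RETURNTRANSFER => true,  // keep the response out of the page
        CURLOPT_TIMEOUT        => 10,
    ]);
    return curl_exec($ch) !== false && curl_getinfo($ch, CURLINFO_HTTP_CODE) < 400;
}

// Constructed sample input: an array value plus browser-supplied oid and retURL.
$sample = ['first_name' => " Ada\r\n", 'email' => ['a', 'b'], 'company' => 'Example Ltd',
           'oid' => 'not-ours', 'retURL' => 'http://other.example/'];
print_r(buildLeadPayload($sample, 'PLACEHOLDER_ORG_ID', 'https://www.example.com/thanks'));
```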
Published 20.08.08

Shaun
You mention that Salesforce's web-to-lead forms are insecure. Can you explain what makes them insecure?