Dynamically and securely fill in data in connected field in public web form

The Scenario:

I have a database of persons in Knack, which besides their name and stuff also holds some other information that is important for us. Each person has an ID which auto increments when new persons are added.

I also have a Form, which I will ask the persons to fill out. We will host the form on our own website and each person will get a unique link. For example: www.mycompany/form/pid/2 for person with ID 2 and www.mycompany/form/pid/3 for person with ID 3 and so on.

I can then collect the person ID in the backend (or via JavaScript, doesn't really matter) and auto-fill the person ID in a form field, so that the form gets linked (or connected, in Knack speak) to the right person.

The problem:

First, I find it strange that there is no "hidden" checkbox for fields in Knack and I have to set up a display rule that always returns true to hide that field. But that's not the real problem, just a hiccup.

The real problem is, if I add the connected field to the form (person ID) to auto fill it, then, EVERY person ID will get added to the select input. This means, even though I hide the field, if somebody looks at the source code of the page, he could very easily see how many persons are in our database. I don't think that's a good thing.

My original approach was to just provide a dummy short text input field, which I then populate with the person Id from the URL and later, with Knack's record rules, I just take that value and place it in the real connected person Id field.

This however does not work, as Knack tells me that there is "no eligible field" in the form when I want to do that.

I am stuck now with two possible solutions, both of which I don't like:

1. After page load I iterate through the select HTML element and remove every option that does not have the person Id from the URL as its text.

2. I forward the person to another page after form submit, where, server-side, I connect to the Knack API, get the hash of the person ID and add it to the just submitted form.

I don't like these solutions because they add complexity, which we want to avoid. We would love to keep the system fail safe. Meaning, even if we remove all the eye candy and other neat things we do with JavaScript in the custom JS section, the form should still work, if we remove it all.

I might have missed something, and I would be happy if anybody could point me in the right direction.

A side note: In the record rules, it would be great to be able to concatenate a custom value with a form value. For example, to create a link to a new form where the URL would always be the same but the patient ID would be dynamic. I can think of a lot of use cases for such a feature. I will open a feature request for that.

Thank you all for your time.

Hi Markus.

Not sure I got your point, but if your problem is to keep your contact list secret from people who are not part of your organisation, then it is clear the connection field should not be on the page, as it will always be part of the HTML structure.

You might have considered this option already, but working with logged-in users solves that kind of issue, as you can:

1/ Create a contact and invite him to fill a form by connecting to your application (see post: http://helpdesk.knackhq.com/support/discussions/topics/5000070550) and once connected redirect them to fill the desired form.

2/ After that, it is just a matter of creating the record rule in the form so the contact is set as the logged-in contact.

Does that answer your point?
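
Added example, not part of the original posts and not Knack code: option 1 from the question, run against constructed markup, next to a count of the options still present in the page as served, which is the reply's point that the connection field stays part of the HTML. The `/form/pid/<n>` path follows the question; the function names, the markup and the stand-in select object are assumptions.

```javascript
// Added example. Function names, markup and IDs are constructed for illustration.

// Strictly parse the person ID from a path such as /form/pid/2 (digits only).
function pidFromPath(pathname) {
  const m = /^\/form\/pid\/([1-9]\d*)\/?$/.exec(pathname);
  return m ? m[1] : null;
}

// Option texts present in the markup as delivered, i.e. what "view source" shows.
function optionTextsInSource(html) {
  const re = /<option\b[^>]*>([^<]*)<\/option>/gi;
  return [...html.matchAll(re)].map((m) => m[1].trim());
}

// Option 1 from the question: drop every option whose text is not the pid.
// Works on a real <select> in the browser and on the stand-in below.
// A null pid matches nothing, so an unparseable URL leaves no options at all.
function pruneSelect(select, pid) {
  for (let i = select.options.length - 1; i >= 0; i--) {
    if (select.options[i].text.trim() !== pid) select.remove(i);
  }
  return select.options.length;
}

// Minimal stand-in for an HTMLSelectElement so the example runs outside a browser.
function fakeSelect(texts) {
  const options = texts.map((text) => ({ text }));
  return { options, remove(i) { options.splice(i, 1); } };
}

// Constructed markup: a hidden connection field listing every person ID.
const SERVED_HTML = `
<select name="person" style="display:none">
  <option value="a1">1</option>
  <option value="b2">2</option>
  <option value="c3">3</option>
  <option value="d4">4</option>
</select>`;

// Compare what remains in the live DOM with what the response itself contains.
function demo(pathname) {
  const pid = pidFromPath(pathname);
  const served = optionTextsInSource(SERVED_HTML);
  const remainingInDom = pruneSelect(fakeSelect(served), pid);
  return { pid, remainingInDom, exposedInSource: served.length };
}

console.log(demo("/form/pid/2"));
```

Pruning changes only the rendered DOM; the response that reached the browser is unchanged, so the count of persons is still readable there.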