How can I put a small panel from my website onto someone else's website but still handle the submit?

On a classic ASP website I'm maintaining, on our landing page we have a small panel that our visitors use to enter their phone number as an identifier, then they proceed into the site. We now have an opportunity to place this login panel on some other websites, pretty much like an ad, the idea being that not only would clicking it get them to ou开发者_如何学Gor site, but we want to actually have them type in the phone number in THAT panel (i.e. on the external site), click the submit button, then do the redirect straight into the site, bypassing the landing page.

I don't know how many sites we're going to be doing this with, so I'd like to just have a snippet of code I can provide to the other webmasters, that they can drop in and have it work. It doesn't seem like it should be that hard, but as I think it through I don't have an easy-peasy idea in my head for it. Can I, for example, give them a <form></form> snippet and have its action set to post to my site instead of theirs? Is it that simple? Would this cause any security concerns? Or is there a standard or better way to accomplish this?

Yes, your form example would work. Just make the form POST to wherever your own landing page posts to.

The only thing to make sure of is to validate and sanitize any inputs your ASP page will receive. For example, if you use POST in your form, only check for POST variables in your ASP page. Make sure any arbitrary parameters passed to your page won't break or hijack anything. Although, if it's just a phone number, you probably don't have much to worry about.

I would make an iframe whos source is a page you create that has a phone box and a submit button. External sites could them put the iframe on their site, however when the user clicks submit your page would handle it.

If you wanted to redirect the user you could call parent.location.href='whatever' in js.

The <form action="http://yoursite.com/..."></form> approach will work fine.

In terms of whether this is good practice, i'm not sure... i think you might want to inform the user in your snippet who they are actually sending their phone number to.

On the whole, it is accepted that forms may post to other domains. See Client-side Cross-domain Security for other information.