| Ted |
|
NetHosted Customer
Joined: 21 Aug 2006 Posts: 13
|
Posted: Mon Aug 21, 2006 6:07 pm Post subject: Hiding FormMail recipient address from spammers |
| |
The standard way of generating a web form with FormMail is to include the line:
<INPUT TYPE=hidden NAME=recipient VALUE=email@domain.com>
This has one major drawback in that you will be inviting spammers to harvest your email address as it is contained in the html page. The result will be that, almost before you have chance to say "Jack Robinson", you'll probably have an intray full of spam. For me, therefore, FormMail is unusable this way.
The official way of getting around this problem is to have a formmail.pl file in your cgi-sys directory where, amongst other things, your email address will be safe. Unfortunately nethosted don't give access to this directory, so you can't solve the problem that way.
Since I am not accomplished with java or similar clever stuff, I'm hoping someone out there can give me a solution. I'd like a simple way to generate a web-form-to-email page free from the hassle of being overrun by spammers. This without my having to learn complicated programming techniques. |
|
|
| Mike T |
|
Community Liason

Joined: 26 Apr 2004 Posts: 453 Location: Loughborough
|
Posted: Mon Aug 21, 2006 7:24 pm Post subject: |
| |
It's pretty easy to do in PHP...
html page
| Code: |
<form method="post" action="sendmail.php">
<textarea name="emailmessage"></textarea>
<input type="submit" />
</form>
|
sendmail.php
| Code: |
<?PHP
mail("YOUREMAILADDRESS", "SUBJECT LINE", $_POST["emailmessage"]);
echo "mail sent successfully";
?>
|
where $_POST["emailmessage"]; has the NAME attribute of the form item that contains the message.
PHP is preprocessed so they can't see the e-mail address. |
|
|
| Ted |
|
NetHosted Customer
Joined: 21 Aug 2006 Posts: 13
|
Posted: Tue Aug 22, 2006 6:38 am Post subject: |
| |
Thanks Mike
I'm not at all proficient in php, never having used it before so bear with me if I seem to ask very elementary questions.
Does the snippet you call "html page" just go with the code for the form?
Where does the bit called "sendmail.php" go - is it in some particular folder and do I have to do anything to activate or install php in my account?
If appropriate, please point me to some tutorial on php for dummies. |
|
|
| Mike T |
|
Community Liason

Joined: 26 Apr 2004 Posts: 453 Location: Loughborough
|
Posted: Tue Aug 22, 2006 8:22 am Post subject: |
| |
Sendmail.php needs only go into the folder that the form's action attribute is pointing at, in my example it's not pointing at any folder so it ought to go in the same directory as the file with the form code in.
The snippet I've called "html page" is just the HTML for the e-mail message form, and can go on any HTML page.
I don't know of any tutorials on this specific subject, sadly.
PHP is automatically processed on your account on any file ending on .php (and .phtml I think though that's an old extension).
Mike |
|
|
| Ted |
|
NetHosted Customer
Joined: 21 Aug 2006 Posts: 13
|
Posted: Tue Aug 22, 2006 9:15 am Post subject: |
| |
| Mike T wrote: |
Sendmail.php needs only go into the folder that the form's action attribute is pointing at, in my example it's not pointing at any folder so it ought to go in the same directory as the file with the form code in. |
In what way is the php file protected from prying eyes, ie are spammers prevented from reading the contents and harvesting the email address? |
|
|
| NetHosted - Andrew |
|
NetHosted Staff

Joined: 22 Mar 2004 Posts: 5684
|
Posted: Tue Aug 22, 2006 9:15 am Post subject: |
| |
| Mike T wrote: |
PHP is automatically processed on your account on any file ending on .php (and .phtml I think though that's an old extension). |
.phtml is still available - but .php is much preferred!
Andrew _________________ | Andrew Bassett
| Managing Director, NetHosted Ltd.
| Resellers, take a look at overselling !
| Members, tell us what you think of NetHosted! |
|
|
| Mike T |
|
Community Liason

Joined: 26 Apr 2004 Posts: 453 Location: Loughborough
|
Posted: Tue Aug 22, 2006 9:17 am Post subject: |
| |
| Ted wrote: |
| Mike T wrote: |
Sendmail.php needs only go into the folder that the form's action attribute is pointing at, in my example it's not pointing at any folder so it ought to go in the same directory as the file with the form code in. |
In what way is the php file protected from prying eyes, ie are spammers prevented from reading the contents and harvesting the email address? |
PHP is preprocessed, so all the PHP part is parsed and executed on the server. Nobody on the browser end of things can see any of the PHP code, which is where the e-mail address is.
To clarify, everything in <?PHP ?> tags won't be viewable by the end user (unless it's been deliberately told to do so with the echo(""); function)
Mike |
|
|
| Ted |
|
NetHosted Customer
Joined: 21 Aug 2006 Posts: 13
|
Posted: Tue Aug 22, 2006 7:40 pm Post subject: |
| |
Thanks again. So far I got the basics working fine as you suggested.
I now need to link my form fields into the email so that they're all sent as part of the email. My form (which I prepared previously) looks like this:
<form method="post" action="sendmail.php">
<input type="submit" />
<textarea name="emailmessage"></textarea>
<table cellpadding="0" cellspacing="0" border="0" bgcolor="#999999"><tr><td>
<table border="0" cellpadding="10" cellspacing="1" bgcolor="#999999"><tr bgcolor="cornsilk"><td>
<font face="Verdana,Arial,Helvetica" size="1"><b>What is your name?</b></font><br />
<input type="text" name="name" size="20" /><br />
<font face="Verdana,Arial,Helvetica" size="1"><b>E-mail address? (mandatory)</b></font><br />
<input type="text" name="replyemail" size="20"><br />
<font face="Verdana,Arial,Helvetica" size="1"><b>Comments</b></font><br />
<textarea name="comments" rows="10" cols="60"></textarea><br>
<br /><div align="center">
<input type="submit" name="submit" value=" Send ">
<input type="reset" name="reset" value=" Clear ">
</div></td></tr></table></td></tr></table>
</form>
===========================
How do I get it to send my 3 form fields: "name", "replyemail" and "comments" as part of the email being sent through the php? |
|
|
| Mike T |
|
Community Liason

Joined: 26 Apr 2004 Posts: 453 Location: Loughborough
|
Posted: Tue Aug 22, 2006 8:28 pm Post subject: |
| |
Modify the variables in this script to represent your own:
sendmail.php:
| Code: |
<?PHP
$RETURN_PAGE = "index.html";
/* set this as the page to return to after the email has been sent, it can be a relative or absolute path.. */
$EMAIL_ADDRESS = "youremail@site.com";
/* and set this as your e-mail address */
$SUBJECT_LINE = "comment from site";
/* set this as the subject line of the e-mail */
$EMAIL_MESSAGE = "
Name: {$_POST['name']}
E-mail Address: {$_POST['replyemail']}
Message:
{$_POST['emailmessage']}
Comments:
{$_POST['comments']}
";
mail($EMAIL_ADDRESS, $SUBJECT_LINE, $EMAIL_MESSAGE);
/* will send the e-mail! */
header("location: {$RETURN_PAGE}");
/* will return the user back to the page specified */
?>
|
I'm not sure if you want both the "message" and "comments" fields (since it would seem to be the same thing), but that's how it would work with that HTML page.
Mike |
|
|
| Ted |
|
NetHosted Customer
Joined: 21 Aug 2006 Posts: 13
|
Posted: Tue Aug 22, 2006 8:53 pm Post subject: |
| |
Thanks Mike, that's terrific! I think I can now go away and play with this.
Final question: the form mail comes from the default address
Nobody <nobody@uranus.solardns.com>
Is there any way of making the "from" address the "replyemail" field that the correspondent has given on the form? |
|
|
| Mike T |
|
Community Liason

Joined: 26 Apr 2004 Posts: 453 Location: Loughborough
|
Posted: Tue Aug 22, 2006 9:15 pm Post subject: |
| |
Sure thing!
Change the:
| Code: |
mail($EMAIL_ADDRESS, $SUBJECT_LINE, $EMAIL_MESSAGE);
/* will send the e-mail! */
|
to
| Code: |
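$REPLY_EMAIL = str_replace(array("\r", "\n"), '', $_POST['replyemail']);
/* strip CR/LF so the address typed into the form cannot add extra mail headers */
$MAILHEADERS =
'From: ' . $REPLY_EMAIL . "\r\n" .
'Reply-To: ' . $REPLY_EMAIL . "\r\n" .
'X-Mailer: PHP/' . phpversion();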
/* mail headers for mail information to be included */
mail($EMAIL_ADDRESS, $SUBJECT_LINE, $EMAIL_MESSAGE, $MAILHEADERS);
/* will send the e-mail! */
|
Mike |
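Added example, not part of the thread: the `replyemail` value typed by the visitor ends up inside the mail headers, so it is checked before `mail()` sees it, and anything that is not one plain address is refused. The helper names, the `webform@example.com` site address and the sample inputs are assumptions made for this example.

```php
<?php
/* Added example; helper names and addresses are assumptions, not the thread's code. */

/* Return the address if it is one plain e-mail address, otherwise null. */
function clean_reply_address($raw)
{
    if (!is_string($raw)) {
        return null;                       /* e.g. replyemail[]=x arrives as an array */
    }
    /* CR or LF inside a header value would start a new header line: refuse it. */
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $addr = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

/* Build the 4th argument of mail(). From stays on your own domain and the
   visitor's address goes in Reply-To (a choice made for this example). */
function build_mail_headers($reply_to, $site_from)
{
    return 'From: ' . $site_from . "\r\n" .
           'Reply-To: ' . $reply_to . "\r\n" .
           'X-Mailer: PHP/' . phpversion();
}

/* Constructed sample values for the "replyemail" field. */
$samples = array(
    'visitor@example.com',
    "visitor@example.com\r\nBcc: other@example.net",
    'not an address',
);

foreach ($samples as $raw) {
    $addr = clean_reply_address($raw);
    echo json_encode($raw), ' => ';
    if ($addr === null) {
        echo "rejected, no mail sent\n";
    } else {
        echo "accepted\n", build_mail_headers($addr, 'webform@example.com'), "\n";
    }
}
```

In sendmail.php the same check would run on `$_POST['replyemail']` before the call to `mail()`, returning the visitor to the form when it yields null.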
|
|
| Ted |
|
NetHosted Customer
Joined: 21 Aug 2006 Posts: 13
|
Posted: Wed Aug 23, 2006 8:06 am Post subject: |
| |
I've got it all pretty much working now.
A few security considerations have occurred to me:
- Is there some code I can include to post the originator's details such as IP address and other information about them?
- Is there anything I can do to discourage people from using their browser's "back" button to submit multiple forms?
- will my php code be able to be used by people submitting forms outside of my website? If so is there any way of my preventing such use?
- are there any other security issues I should think of addressing? |
|
|
| Mike T |
|
Community Liason

Joined: 26 Apr 2004 Posts: 453 Location: Loughborough
|
Posted: Wed Aug 23, 2006 9:16 am Post subject: |
| |
| Ted wrote: |
I've got it all pretty much working now.
A few security considerations have occurred to me:
- Is there some code I can include to post the originator's details such as IP address and other information about them?
- Is there anything I can do to discourage people from using their browser's "back" button to submit multiple forms?
- will my php code be able to be used by people submitting forms outside of my website? If so is there any way of my preventing such use?
- are there any other security issues I should think of addressing? |
For the IP address, simply put {$_SERVER['REMOTE_ADDR']} in the quoted $EMAIL_MESSAGE area, for example:
| Code: |
$EMAIL_MESSAGE = "
Name: {$_POST['name']}
E-mail Address: {$_POST['replyemail']}
IP Address: {$_SERVER['REMOTE_ADDR']}
Message:
{$_POST['emailmessage']}
Comments:
{$_POST['comments']}
";
|
To stop users pressing their back button to send it again, you'd have to keep a log of messages being sent or that a message has been sent with a cookie. Er.
Put this directly below the $EMAIL_MESSAGE = "....bla bla bla"; bit:
| Code: |
if (isset($_COOKIE['emailmessagelog']) && $_COOKIE['emailmessagelog'] === $_POST['emailmessage'])
{
header("location: {$RETURN_PAGE}");
exit();
/* this will send the user to the return page without sending the e-mail if they have already sent it */
}
setcookie('emailmessagelog', $_POST['emailmessage']);
|
Yes, people could potentially make a script that executes this form from outside the web-site, but the only way to stop that would be to check the referrer location, which can cause problems when people type the URL in their address bar in a nonstandard way (like by using the IP address or dropping off www.). It wouldn't stop someone who was really determined anyhow, since they can simply modify the referrer information the browser sends.
To stop automated bots using your form for spam you'd have to have an image verification thing, which is definitely no simple task. As it stands, I don't have any trouble with automated bots like that, but lots do (even this forum every so often gets some automated spam).
For other security considerations you might want to consider stripping any HTML put in the input box, but if you're using a modern e-mail reader that shouldn't be a problem anyway, since it'll stop malicious HTML affecting you.
Nothing really else I can think of right now!
Mike |
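Added example, not part of the thread: a one-time token kept in the visitor's session handles both the back-button resubmit and posts from pages that never loaded your form, without depending on the cookie comparison or the referrer. The function names and the `form_token` field are assumptions, and a plain array stands in for `$_SESSION` so the code runs from the command line.

```php
<?php
/* Added example; names are assumptions. On a real page call session_start()
   and pass $_SESSION where $session is used below. */

/* Called by the page that prints the form: create a token and remember it. */
function issue_form_token(array &$session)
{
    $token = bin2hex(random_bytes(16));
    $session['form_tokens'][$token] = time();
    return $token;
}

/* Called by sendmail.php: true only for a token we issued, once, while fresh. */
function consume_form_token(array &$session, $submitted, $max_age = 3600)
{
    if (!is_string($submitted) || !isset($session['form_tokens'][$submitted])) {
        return false;
    }
    $issued = $session['form_tokens'][$submitted];
    unset($session['form_tokens'][$submitted]);   /* one use only */
    return (time() - $issued) <= $max_age;
}

/* Demonstration with a stand-in session array. */
$session = array();
$token = issue_form_token($session);

/* The form page would print this inside <form>. */
echo '<input type="hidden" name="form_token" value="' . $token . '">', "\n";

/* First submission of the form. */
var_dump(consume_form_token($session, $token));

/* Same page resubmitted after pressing "back". */
var_dump(consume_form_token($session, $token));

/* Post built elsewhere with a token the server never issued (constructed value). */
var_dump(consume_form_token($session, 'constructed-token-value'));
```

sendmail.php would call `consume_form_token($_SESSION, $_POST['form_token'] ?? null)` and skip `mail()` when it returns false. A script that first fetches the form still receives a valid token, so this does not replace the image verification mentioned above.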
|
|
| Garry |
|
NetHosted Customer

Joined: 03 Oct 2005 Posts: 263 Location: Lincoln, UK
|
Posted: Wed Aug 23, 2006 1:31 pm Post subject: |
| |
Hi,
Is the below code correct?
The cookie code part, if someone sent an email then wanted to send another one would that allow it?
Is there a way to get the IP Address of the person?
form.html
| Code: |
<form method="post" action="sendmail.php">
<input type="text" name="realname" size="30">
<input type="text" name="email" size="30">
<textarea rows="3" name="offer" cols="25"></textarea>
<p align="center"><input type="submit" value="Submit" name="submit" background="#FFFFFF"
style="background-color: #FFFFFF; border-style: solid; border-color: #00FFFF"></p>
</form>
|
sendmail.php Code:
| Code: |
<?PHP
$RETURN_PAGE = "sent.html";
/* set this as the page to return to after the email has been sent, it can be a relative or
absolute path.. */
$EMAIL_ADDRESS = "youremail@DOMAINNAME.com";
/* and set this as your e-mail address */
$SUBJECT_LINE = "SUBJECT HERE";
/* set this as the subject line of the e-mail */
$EMAIL_MESSAGE = "
Name: {$_POST['realname']}
E-mail Address: {$_POST['email']}
Offer: {$_POST['offer']}
";
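$REPLY_EMAIL = str_replace(array("\r", "\n"), '', $_POST['email']);
/* strip CR/LF so the address typed into the form cannot add extra mail headers */
$MAILHEADERS =
'From: ' . $REPLY_EMAIL . "\r\n" .
'Reply-To: ' . $REPLY_EMAIL . "\r\n" .
'X-Mailer: PHP/' . phpversion();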
/* mail headers for mail information to be included */
mail($EMAIL_ADDRESS, $SUBJECT_LINE, $EMAIL_MESSAGE, $MAILHEADERS);
/* will send the e-mail! */
header("location: {$RETURN_PAGE}");
/* will return the user back to the page specified */
?>
|
_________________ Regards,
Garry
Happy NetHosted Customer |
|
|
| Ted |
|
NetHosted Customer
Joined: 21 Aug 2006 Posts: 13
|
Posted: Wed Aug 23, 2006 1:38 pm Post subject: |
| |
The next part of my project is to get some simple validation of input fields.
I don't want to get too ambitious at first: all I want to do for starters is to check that mandatory fields have some contents. What would be the easiest way of rejecting the post if one or more such fields have no data and returning the user to the form? |
|