PHP form help please


#1

Hi,

I feel so stupid to ask this because it is such an easy and small issue. All I need to learn how to do is create a file in PHP that will accept info from a form and then email that info to whoever.
I need a simple working sample that I can upload to my DreamHost account. I'd rather not involve a database at this point, just something very simple to direct info to email.
Any help would be so much appreciated,
thanx!


#2

There are a bundle of available e-mail form scripts at HotScripts, in this section:

Of course, finding the right one is the trick, but downloading any of the very simple ones will probably give you a pretty good idea of ways to do what you’re looking for. Check out the one on this page as a very simple script:

http://brawl-hall.com/pages/downloads.php

I was actually looking to do something similar, although in my case I wanted the web form to produce a specially formatted message for me, so I’m probably going to be writing one myself using one of these scripts as an example.

One important thing to keep in mind: If the script gets the “to” address from the form (even as a hidden variable), it’s a huge potential security hole for spammers to take advantage of, so it’s probably better going with a thoroughly secured existing script unless you really know what you’re doing.

I believe, however, that if you hardcode the “to” e-mail address in the php script there’s not much that can be done to exploit it. Someone who knows more than I do like to chime in on that? I’d really like to know so I’m not opening up DH and myself to nasty spam exploits.


#3

thank you!!!

I took the REALLY easy way out, lol!
But this is fine, now I can chop it up and edit it as appropriate.

thanx a bunch guys, you saved my day! w00T!


#4

You also have to scrub any user-provided input that appears in message headers for non-alphanumeric characters, especially linefeed and carriage return, to prevent someone from adding their own message headers. For example, if they submit the form with “spamBcc: victim, victim, victim” for the “subject” field, you just sent spam to three people who will only know that it came from you. I know this applies if you pipe the message to “/usr/sbin/sendmail -t”, so I use some pretty strict regexps for that. Not sure about SMTP, though.
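
The two precautions raised in posts #2 and #4 (a recipient fixed in the script, and no CR/LF from the form reaching a header), as an added example that is not code from any poster or from DreamHost. The addresses and the form field names `subject`, `email` and `message` are assumptions; the script also sets a fixed From: header.

```php
<?php
declare(strict_types=1);

// Placeholders (assumptions): fixed in the script, never taken from the form.
const MAIL_TO   = 'owner@example.com';
const MAIL_FROM = 'webform@example.com';

// Return the trimmed value if it is safe inside a header line, else null.
// Rejecting (not silently stripping) CR, LF and other control characters
// keeps a submitted field from starting a header line of its own.
function header_safe($value, int $maxLen = 150): ?string
{
    if (!is_string($value)) {
        return null; // e.g. subject[]=x arrives as an array
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen
        || preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    return $value;
}

// Build the argument list for mail(), or null if any field is rejected.
function build_message(array $post): ?array
{
    $subject = header_safe($post['subject'] ?? null);
    $replyTo = header_safe($post['email'] ?? null);
    $body    = $post['message'] ?? null;
    if ($subject === null || $replyTo === null || !is_string($body)
        || filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The visitor's address goes in Reply-To; From stays the site's own.
    $headers = "From: " . MAIL_FROM . "\r\nReply-To: " . $replyTo;
    return [MAIL_TO, $subject, $body, $headers];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions; nothing is sent in CLI mode.
    $samples = [
        ['subject' => 'Hello', 'email' => 'visitor@example.org', 'message' => 'Hi'],
        ['subject' => "Hello\r\nBcc: third-party@example.net", 'email' => 'visitor@example.org', 'message' => 'Hi'],
    ];
    foreach ($samples as $s) {
        echo json_encode($s['subject']), ' => ', build_message($s) === null ? 'rejected' : 'accepted', "\n";
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $msg = build_message($_POST);
    echo $msg !== null && mail(...$msg) ? 'Thank you.' : 'Message not sent.';
}
```

Run from the command line, it only classifies the two constructed submissions; served over HTTP, it handles a POST from the form.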


#5

I got everything working fine except for one thing:
How do you change the From: field in a received email of the form results?

It is by default:
From: nobody@geronimo.dreamhost.com
So when they receive email it says it's from 'nobody'.
Any thoughts?

thanx


#6

If you are using formmail.dreamhost.com, it’s the “email” field in the form, i.e.
<input type="text" name="email"/> or
<input type="hidden" name="email" value="preset"/>

Though be careful, if you put an e-mail address in the form, a web page scraper might find it and start sending it spam. Try using HTML entities to thwart that, like E etc.