Contact / Tell a Friend


Jose Antonio
06-26-2007, 10:36 AM
Hey Folks,

Following Paul's advice, I read a couple of tutorials on email forms, Cota's, CyanBlue's, and Jesse's; sorry Paul, yours was in Flash 8 and I'm still on MX so I couldn't open it. Anyway, both Cota and Jesse make "strong" mention not to leave the "To" field of the email empty, allowing for possible fraud, etc.

That said, how then would one create a form (a tutorial or an explanation as to how it could be done) that would allow the user to "Tell a Friend" about the wonderful site they just visited without the risk of compromising oneself?

Any help or advice would be appreciated.



Peace
Jose Antonio

Cota
06-26-2007, 09:06 PM
Therein is the issue. You really can't, without opening yourself up to fraud. I think in your case, you'll have to take that risk. I would suggest logging the IPs of the sender, in case any legal issues arise.

tg
06-26-2007, 10:24 PM
this has a real possibility of turning your server into a spam bot... make sure you put in lots of server side code to check that the body of the message hasn't been modified before being sent, and maybe try to limit it to a single email address in the to field, as well as possibly limiting the number of emails sent by a particular ip address within a specified period of time.

Jose Antonio
06-27-2007, 01:21 AM
Cota, TG,

Thanks for the reply.

Could this be done?

Let's say I have a "Contact Me" form and I add a "Tell a Friend" field (where the friend's email would go, and maybe even a field for the friend's name). Then, once the form is submitted, have a server side script that reads that field or those fields as "active" and then sends an automatic email to the friend inviting them to check out the site.

Is this doable or not? Did I just see a light-bulb go on somewhere?

Of course the email would come directly from my site; I guess I could have the sender's info in the subject field, i.e. "Dear so and so, your friend so and so wants you to check this site out", or whatever...


Peace
Jose Antonio

Cota
06-27-2007, 04:48 AM
Yea it can be done. As tg suggested, make sure the body isn't altered in any way.

tg
06-27-2007, 08:03 PM
yes. totally doable.
i have NEVER done this. there is A LOT of stuff to check for. do some research.
in your tests on the server...

make sure it is only 1 email address,
make sure they have not embedded any javascript functions in the 'to' field (this could be a potentially hazardous hack)
make sure none of your predefined values are changed (from, cc, bcc, body sig)
don't leave any email properties (listed above) undefined
make sure there is no way for them to send an attachment. (no idea if it can be, but worth double checking).

i'm sure there are many many more... i always assume the hackers are more creative and determined than i am... so i have never implemented anything like this.

you might look around on some of the web admin forums and look through their security info... they will know more than i do, for sure.

Cota
06-27-2007, 10:48 PM
basically, restrict characters, only allowing letters, "@" and "." Nothing else. Hard code the other values in the PHP script. This will protect from most, if not all, injection attacks.
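The checks tg lists (one recipient only, no injected header lines, every mail property hard-coded, no attachments, a per-IP send limit) and Cota's character allow-list, put together in one server-side handler. This is an added example written in Python rather than the PHP script the thread talks about, and it is not code from any of the posters. The site URL, From address, subject and body template are assumed values; the address allow-list is a little wider than Cota's letters, "@" and "." because real addresses also contain digits and a few punctuation marks. The handler builds the message and returns it instead of sending it; in production the returned object would be handed to smtplib.

```python
"""Server-side handling for a "Tell a Friend" form (added example).

Everything the mail needs except the friend's address and the two
names is hard-coded, so a submitter cannot change From, Cc, Bcc,
subject or body, and nothing they post can become an attachment.
"""
import re
import time
from collections import defaultdict, deque
from email.message import EmailMessage

# Hard-coded mail properties (assumed values for this example).
SITE_URL = "http://www.example.com/"
FROM_ADDRESS = "tellafriend@example.com"
SUBJECT = "Your friend thinks you would like this site"
BODY_TEMPLATE = (
    "Dear {friend},\n\n"
    "Your friend {sender} wants you to check out {url}\n\n"
    "-- \nThis message was sent from the Tell a Friend form at {url}\n"
)

# One address only: an allow-list of characters, exactly one "@", and no
# comma, semicolon, space, CR or LF, so a second recipient or an extra
# header line cannot be smuggled in through the "to" field.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# Names: letters, digits, spaces and a few punctuation marks; no CR/LF,
# no "<" or ">", so a name cannot turn into markup or a header.
NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,60}$")

MAX_PER_WINDOW = 5       # sends allowed per client IP ...
WINDOW_SECONDS = 3600    # ... within this many seconds


def valid_address(value):
    """True only for a single, plainly formatted address."""
    return len(value) <= 254 and ADDRESS_RE.fullmatch(value) is not None


def valid_name(value):
    """True only for a short name made of allow-listed characters."""
    return NAME_RE.fullmatch(value) is not None


class RateLimiter:
    """Sliding-window count of sends per client IP (kept in memory)."""

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._log = defaultdict(deque)

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        q = self._log[ip]
        while q and now - q[0] >= self.window:   # drop expired entries
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def build_message(friend_name, friend_email, sender_name):
    """Assemble the mail; only the three validated values are user data."""
    msg = EmailMessage()
    msg["From"] = FROM_ADDRESS
    msg["To"] = friend_email
    msg["Subject"] = SUBJECT
    msg.set_content(BODY_TEMPLATE.format(
        friend=friend_name, sender=sender_name, url=SITE_URL))
    return msg


def handle_submission(form, client_ip, limiter, now=None):
    """Validate the posted fields; return (ok, EmailMessage or reason)."""
    friend_email = form.get("friend_email", "").strip()
    friend_name = form.get("friend_name", "").strip()
    sender_name = form.get("sender_name", "").strip()
    if not valid_address(friend_email):
        return False, "friend_email must be a single plain address"
    if not (valid_name(friend_name) and valid_name(sender_name)):
        return False, "names may only contain letters, digits, spaces and . ' -"
    if not limiter.allow(client_ip, now):
        return False, "too many messages from this address; try again later"
    # Log the sender's IP with the recipient, as Cota suggests.
    print("tell-a-friend: ip=%s to=%s" % (client_ip, friend_email))
    return True, build_message(friend_name, friend_email, sender_name)


if __name__ == "__main__":
    # Constructed sample submission, then one that tries to add a Bcc line.
    limiter = RateLimiter()
    good = {"friend_email": "friend@example.com",
            "friend_name": "Sam", "sender_name": "Jose Antonio"}
    bad = dict(good, friend_email="friend@example.com\r\nBcc: x@example.net")
    print(handle_submission(good, "203.0.113.5", limiter)[0])   # True
    print(handle_submission(bad, "203.0.113.5", limiter))       # (False, ...)
```

The order of the checks matters slightly: a rejected submission is turned away before it counts against the IP's quota, so a user who mistypes an address is not locked out, while accepted sends are what the limiter counts.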