Need a good formmail script

404 username not found · #1 (**permalink**) 21-03-2007, 11:32 PM

Hey guys,
As the subject implies, I'm looking for a decent script (php/perl) that'll mail form data.
I'm looking for something that's generally regarded as being secure/safe against abuse, and something that's adaptable and customisable without a lot of crap.
I don't want to be stuck with error/received pages that have the script-writers life story on them... or have to configure the script with lots of lame "hidden" form fields.
I'm not happy with the ones I've used, and am sorely tempted to write my own.

Any recommendations (even if they don't fit the above criteria)?
Basically I'm wondering what everyone else is using.

louie · #2 (**permalink**) 22-03-2007, 12:45 AM

I write my own, this way I know what's going on.
If you want to go that way, just post what you have and lets see if we can get it working properly without errors.

ziycon · #3 (**permalink**) 22-03-2007, 05:17 AM

I use a script that i wrote myself, it an easy to use one that basicly you just change or add your fields and then change the email address! your caal if you want it!

404 username not found · #4 (**permalink**) 22-03-2007, 02:26 PM

Ah good, so it's not just me then

I suppose it's a simple enough matter to put the functionality in place, but I'm extremely paranoid about writing exploitable code.
The last thing you want is to get your domain spam-listed because you overlooked something.
I think the good thing about using well known and widely used scripts is that they've already had months/years to get hammered on... but then a custom script can have everything hard-coded and has the benefit of obscurity.

@ziycon:
Thanks, I'd be interested in having a look at it.
I've already got a referer whitelist function written along with a few different input validation funtions, but I'd be interested in seeing how you're implementing mail() since I haven't used it before.

paul · #5 (**permalink**) 22-03-2007, 02:35 PM

I can send you the one I use here
Contact us : EirJobs.com : Irish Jobs Resourcer

I'm not sure where I got it from but it does us a CAPCHTA, which stops silly bots submitting things. Sadly it didn't stop a silly person a submitting their CV to me.
Here is the mail function

PHP Code:

  <?php
if(!$visitormail == "" && (!strstr($visitormail,"@") || !strstr($visitormail,".")))
{
echo "<h3>Use Back - Enter valid e-mail</h3>\n";
$badinput = "<h3>Feedback was NOT submitted</h3>\n";
echo $badinput;
}
if(empty($visitor) || empty($visitormail) || empty($notes )) {
echo "<h3>Use Back - fill in all fields</h3>\n";
}

$todayis = date("l, F j, Y, g:i a") ;

$attn = $attn ;
$subject = $attn;

$notes = stripcslashes($notes);

$message = " $todayis [EST] \n
Attention: $attn \n
Message: $notes \n
From: $visitor ($visitormail)\n
Additional Info : IP = $ip \n
Browser Info: $httpagent \n
Referral : $httpref \n
";

$from = "From: $visitormail\r\n";


mail("MYADDRESS@GMAI.COM", $subject, $message, $from);

?>

I would be interested to see some examples of people who have more rigorous check against people abusing the form.

ziycon · #6 (**permalink**) 22-03-2007, 11:02 PM

PHP Code:

  if($fname)
{
      $fname = "Name: $fname";
      $msg .= "$fname\n";
}
else
{
      $error = "- Name Missing.<br>\n";
}
if($email)
{
      $email = "E-Mail: $email";
      $msg .= "$email\n";
}
else
{
      $error .= "- E-Mail Missing.<br>\n";
}
if($subject)
{
      $subject = "Subject: $subject";
      $msg .= "$subject\n";
}
else
{
      $error .= "- Subject Missing.<br>\n";
}
if($message)
{
      $message = "Message: $message";
      $msg .= "$message\n";
}
else
{
      $error .= "- Message Missing.<br>\n";
}
if($error == "")
{
      echo'Thank you for contacting Us.';
      mail("info@site.com", "$subject", $msg, "From: $email");
      mail($email, "Confirmation", "Your message has been sent.\n\nThank you for contacting us.\ninfo@site.com", "From: noreply@site.com");
}
else
{
      print "Please fill in the missing fields - <br>\n";
      print "$error<br>\n";
      print "<br>\n";
      print "<br>\n";
      print "Please use your \"Back\" button to return to the form to correct the omissions.<br>\n";
}

louie · #7 (**permalink**) 22-03-2007, 11:09 PM

there is something I use with Ajax as well to check a form

PHP Code:

  $err_msg = "";
//name
if(isset($_REQUEST['name'])){
 $name = $_REQUEST['name'];
 if($name == ""){ 
  $err_msg = " <img src='images/exclamation.gif' /> name can not be empty!";
 }else{
  $_SESSION['name'] = $name;
  $err_msg = "&nbsp;<img src='images/ok.gif' style='position:absolute;' />";
 }
}

//check email
if(isset($_REQUEST['email'])){
 $email = $_REQUEST['email'];
 if(valid_email($email)){
  $_SESSION['email'] = $email;
  $err_msg = "&nbsp;<img src='images/ok.gif' style='position:absolute;' />";
 }else{
  $err_msg = " <img src='images/exclamation.gif' /> Either your email is not valid, domain doesn't exists or there is no valid MX host available";
 } 
}
function valid_email($email) { 
 if( (preg_match('/(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/', $email)) || 
  (preg_match('/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,3}|[0-9]{1,3})(\]?)$/',$email)) ) { 
  $host = explode('@', $email);
  if (function_exists('checkdnsrr')) {
   if(checkdnsrr($host[1].'.', 'MX') ) return true;
   if(checkdnsrr($host[1].'.', 'A') ) return true;
   if(checkdnsrr($host[1].'.', 'CNAME') ) return true;
  }
  return true;
 }
 return false;
 }
if (!function_exists('checkdnsrr')) {
 function checkdnsrr($host, $type = '') {
  if(!empty($host)) {
   if($type == '') $type = "MX";
   @exec("nslookup -type=$type $host", $output);
   while(list($k, $line) = each($output)) {
    if(eregi("^$host", $line)) {
     return true;
    }
   }
   return false;
  }
 }
}
//end email
//check tel
if(isset($_REQUEST['tel'])){
 $x_tel = false;
 $tel = $_REQUEST['tel'];
 if($tel == ""){ 
  $err_msg = " <img src='images/exclamation.gif' /> Tel can not be empty!";
 }elseif(!is_numeric(str_replace(" ","",$tel))){
  $err_msg = " <img src='images/exclamation.gif' /> Tel can only be numbers!";
  $x_tel = false;
 }else{
  $x_tel = true;
  $_SESSION['tel'] = $tel;
  $err_msg = "&nbsp;<img src='images/ok.gif' style='position:absolute;' />";
 }
}
//message
if(isset($_REQUEST['message'])){
 $message = $_REQUEST['message'];
 if($message == ""){ 
  $err_msg = " <img src='images/exclamation.gif' /> message can not be empty!";
 }elseif(strlen($message) <= 10){
  $err_msg = " <img src='images/exclamation.gif' /> message too short. min. 10 chars";
 }else{
  $message = str_replace("%0A","<br />",$message);//%0D
  $message = str_replace("%0D","<br />",$message);//
  $message = str_replace("%20"," ",$message);
  $message = str_replace(chr(10),"<br />",$message);
  $_SESSION['message'] = str_replace(chr(13),"<br />",$_SESSION['message']);
  $err_msg = "&nbsp;<img src='images/ok.gif' style='position:absolute;' />";
 }
}
//send email
if(isset($_REQUEST['send_email'])){
 $get_mail_out = $_REQUEST['send_email'];
 if($get_mail_out == "true"){
  if(isset($_SESSION['name']) &&
     isset($_SESSION['email']) &&
     isset($_SESSION['tel']) &&
     isset($_SESSION['message'])){
    $from = "info@eire-webdesign.ie";
    $bcc = "mail@eire-webdesign.ie";
    $subject = ":: Contact from eire-webdesign";
    $now = date("d/m/Y H:i:s");
    $mime_boundary=md5(time());
    # Common Headers
    $headers = "MIME-Version: 1.0\r\n".
        "Content-type: text/html; charset=iso-8859-1\r\n".
        "From: \"Louie\" <".$from.">\r\n".
        "To: \"".@$_SESSION['name']."\" <".@$_SESSION['email'].">\r\n".
        "Date: ".date("r")."\r\n".
        "Subject: ".$subject."\r\n";   
    $msg = "Name: ".$_SESSION['name']."<br />";
    $msg .= "Email: ".$_SESSION['email']."<br />";
    $msg .= "Tel: ".$_SESSION['tel']."<br />";
    $msg .= "Message: ".$_SESSION['message']."<br />";
     //send email out
     ini_set(sendmail_from,'info@eire-webdesign.ie');  // the INI lines are to force the From Address to be used !
     mail($_SESSION['email'], $subject, $msg, $headers); 
     $msg = "";
     session_destroy();
     $err_msg = "<span class='red'><img src='images/ok.gif' />&nbsp;Email sent! Thank you.<br /></span>";
   }else{
    $err_msg = "<span class='red'>We have encounter an error sending your email.<br>
   Please try again later!<br />
   Click <a href='index.php?page=contact' title='go back'>&laquo; here</a> to go back.</span>";
   }
 }
}
echo $err_msg;//echo response.

404 username not found · #8 (**permalink**) 26-03-2007, 06:02 PM

After a marathon weekend of coding, I finally finished it (is it ever really finished?)... as expected the logic & functionality was easy, but I had a lot of reading to do about mail() injection.

I think I've plugged the injection holes... at least for the limited type of data I've got it configured to accept (I can afford to be strict and unforgiving).

daryllsheridan · #9 (**permalink**) 26-03-2007, 10:00 PM

Dont suppouse you want to share the knowledge, kinda looking for something similar but wouldnt have a clue how to go about it

404 username not found · #10 (**permalink**) 26-03-2007, 11:06 PM

Do you have questions on writing one? or are you just looking for a script?

Where I'm at now, it fits the bill for the site it's being used on and not much else... try'n plug any other form element into it and see how fast you have to write more code.

Unless you know your way around regular expressions and want to spend a few hours adding functions, I'd steer clear of my script

A more mature/flexible formmail script I was using prior to doing my own was the one here:
http://www.boaddrink.com
It seems good and was quite easy to set up, and as well as having the features there's a support forum for it... so any setup questions/problems you have with it are probably already answered.

tbh I could have saved myself hours of wheel-reinventing if I'd just had the patience to figure out how to customise it the way I wanted... oh well.