Join 3,512 readers in helping fund MetaFilter (Hide)

Tags:

PHP E-mail script
August 23, 2006 8:50 AM   Subscribe

PHP question: I need a very simple PHP form that takes form input and sends it via E-mail on my webserver to a fixed, hardcoded address (me).

This is so that users can contact me via their browser without spammers harvesting my address. All I want is basically a "From", "Subject", and "Message body". Since I'm not experienced in PHP, I can't write such a script, nor can I tell whether the samples I find on the Internet are secure or vulnerable... I figure I'm better off trying with experienced PHPers here.

I've used an obfuscation script to hide my E-mail address since 2003, but it appears spammers are now circumventing those.

Thanks in advance!
posted by chef_boyardee to Computers & Internet (9 answers total)
 
start here.

but spammers will write scripts to auto-submit to that form, so this may not be a good solution.
posted by nitsuj at 9:11 AM on August 23, 2006


There's a good example of how to send an email on this thread (from phpbuilder.com). Read the third post.. good example of how to do a simple contact form.

Basically, just set up a form to post to another script that sends the email, outputting a confirmation message if it was sent properly.

Of course, you'll probably want to look into form validation so that you don't get some bogus information, but you can find some more info on phpbuilder.. plenty of resources there.
posted by thewhitenoise at 9:12 AM on August 23, 2006


I know you said PHP, but most of the best formmail scripts out there are Perl/CGI and the strong likelihood is that your web host also supports Perl/CGI. If not, feel free to ignore me :-).

I suggest NMS Formmail. It covers a lot of the security and spam vulnerabilities found in other scripts (eg, your email address can be stored in a separate, non-world-readable file).

Some good info is available in this thread from my ISP's support forum. Some of the details will likely be different on your host, but there's still some good info there.
posted by santry at 9:53 AM on August 23, 2006


PHPMailer.
posted by brownpau at 10:05 AM on August 23, 2006


Chef, I started from scratch and wrote my own PHP script to do this -- and I wouldn't exactly recommend it, as (like others have said) web-based "contact me" forms have become a haven for spammers and there are too many tricks and gotchas to make the learning curve worth it. I've put a LOT of time into my script over the past two years, time that you probably don't want to spend as you learn all the ins and outs of what you need to watch for in PHP's mail methods and what spammers do to try to defeat the form. In the end, I like what I've come up with, but I don't know that I would have done it from scratch two years ago if someone had told me that I'd be tinkering for this long to get it right. I'm happy to share my current script if you're interested; my email is in my profile.

Just to document it for others: my form uses hard-coded recipient addresses, and does checking of what the user enters for the sender's name, email address, and subject to make sure that it isn't an attempt to overload those fields and create new, unanticipated mail headers which will facilitate spamming. It grabs the referrer info for the hit that brought the user to the web form AND the hit that submitted the web form and adds both to (similarly-checked) custom mail headers so that I can watch for any trends in spamming; it also grabs the user's IP address and adds that to a custom mail header. Finally, I've hard-coded in a limit of three URLs in an email message -- after that, the mail just gets rejected outright -- since I've had a spate of messages lately which just have 100+ spammed URLs in them. All in all, it works well; being linked from a Google PR7 page, the form gets about 1-2 spams a day, totally manageable.
posted by delfuego at 10:45 AM on August 23, 2006


You're looking for Tectite FormMail.
posted by scoria at 11:23 AM on August 23, 2006


if(!isset($_POST[submit])){
?>
< .form action="" method="POST">
Name: < .input text name="name" />< .br />
Email: < .input text name="email" />< .br />
Message: < .textarea name="message" rows="7" cols="50">< ./textarea>< .br />
< .input submit name="submit" value="Send Message">
< ./form>
< .?br> } else {
$message = "
Someone has sent you a message!
$_POST[name] writes:
$_POST[message]
---------------
";
mail('chef@boyardee.com','Website Contact Form',$message,"From: $_POST[name] < $_post[email]>");
}


take out the dots : )
posted by petsounds at 12:52 PM on August 23, 2006


petsounds: I can use your script to spam chef@boyardee.com, now.
posted by thanotopsis at 12:58 PM on August 23, 2006


I second the vote to look at NMS Formmail. It's an unusual host that can't do simple Perl CGI scripts.

And, care to expand on this?

"I've used an obfuscation script to hide my E-mail address since 2003, but it appears spammers are now circumventing those."

I'm intrigued as to what you might mean.
posted by AmbroseChapel at 1:56 PM on August 23, 2006


« Older Need help with managing volume...   |  Is there a special term that d... Newer »
This thread is closed to new comments.