Recommendations for a Web-Mail script


majo
12-11-2006, 03:53 AM
Hi all,

Newbie first-timer about to set up a website, here.

Have the HTML for my site nearly ready to go. Selection of my host is almost done too.

But...
I've not had much experience with any scripting which will be needed to provide any reasonable functionality to the site. One is for my site Guestbook, the other is a ContactMe Web-mail form.

My question here now, relates to the latter.

According to this article, Is Your Website Form Turning You into a Spammer? (http://www.gryphynmedia.com/articles/formmail.html) a number of commonly used scripts are flawed and vulnerable. This applies to both CGI and PHP-based systems.
I have not as yet been able to find clear consensus about what or which is considered the best web-mail script to choose to use. And despite my newbie status, I'm keen to try and do this right and properly.

Do any forum scripting gurus have any recommendations or even setup guides about this that they could offer me?



Additional Links/References:

alt.html FAQ on Formmail and its Vulnerabilities (http://www.html-faq.com/cgi/?secureformmail)
The Kionic thread on Securing PHP Forms (http://www.kionic.com/forums/showthread.php?t=37)
The PHP Manual on Mail Functions, and in particular, the User Contributed notes (http://www.php.net/manual/en/ref.mail.php#59640)

Mr. Bubble
12-11-2006, 04:31 AM
You just want a form that will send you an e-mail?

I just use this JavaScript form that somebody posted (on this forum) under Javascripts.



<html>
<head>
<script>
// Enter the subject to appear in the email subject line
var subject = "Form Data";

// Enter your email address
var email = "yourname@yourdomain.com";

/* If you want to change the name of the form, just open this script in
notepad and click on edit, then click replace. Enter "yourFormName" as the
search term and enter the new form name as the replace term. */

function sendform() {
    var form = document.yourFormName;
    var names = [];
    var values = [];
    var i;

    // The last two elements of the form are the Send button and the
    // "Include HTML" checkbox, so they are not part of the data.
    for (i = 0; i < form.length - 2; ++i) {
        names[i] = form.elements[i].name;
        values[i] = form.elements[i].value;
    }

    var content;
    if (form.html.checked) {
        // HTML body: one table row per field
        content = "<html>\n<head>\n<title>" + names[0] + ": " + values[0] + "</title>\n</head>\n<body>\n<table cellpadding=5 cellspacing=0 border=1>\n";
        for (i = 0; i < names.length; ++i) {
            content += "<tr>\n<td align=center><b>" + names[i] + ":</b></td>\n<td align=center>" + values[i] + "</td>\n</tr>\n";
        }
        content += "</table>\n</body>\n</html>";
    } else {
        // Plain-text body: one "name: value" line per field
        var lines = [];
        for (i = 0; i < names.length; ++i) {
            lines.push(names[i] + ": " + values[i]);
        }
        content = lines.join("\n");
    }

    // Subject and body are query parameters of the mailto: URL, so they must
    // be URL-encoded; otherwise "&", "#" and line breaks break the link.
    window.open("mailto:" + email + "?subject=" + encodeURIComponent(subject) +
                "&body=" + encodeURIComponent(content), "_self");
}
</script>
</head>
<body>
<center>
<form name="yourFormName">

<!-- enter your input tags below -->
<input type="text" name="Name" value="Jim Jones"><br><br>
<input type="text" name="Address" value="19700 S 148th Ter"><br><br>
<input type="text" name="Phone" value="467-567-0098"><br><br>

<!-- do not alter the tags below -->
<input type="button" value="Send" onclick="sendform()"> &nbsp;

<input type="checkbox" name="html" value=""> Include HTML
</form>
</center>
</body>
</html>


I think it's good code, and I haven't had any problems with it.

ronaldb66
12-11-2006, 12:34 PM
Posting the full email address in the document sure isn't a great way to avoid spam...

Simple email form handlers appear to be vulnerable to email injection; there are ways to avoid this though, and server side handlers offer far better ways of combatting email injection than JavaScript solutions.
Read a number of these resources (http://www.kionic.com/forums/showthread.php?t=37) for a description of the problem and ways to prevent it; I especially liked this one (http://www.securephpwiki.com/index.php/Email_Injection).
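The email injection the reply above refers to works by smuggling a line break into a form field that ends up in a mail header, so that extra headers (Bcc:, Cc:, a second recipient) get appended. The handler below is an added example, not code from this thread or from any of the linked articles: a minimal PHP contact-form handler that refuses line breaks in header-bound fields, validates the sender address, and keeps the recipient fixed server-side. The field names "name", "email" and "message" and the owner address are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes the form posts "name",
// "email" and "message"; the recipient is fixed in this file, never taken
// from the form.
$recipient   = 'owner@example.com';   // placeholder: the site owner's address
$siteAddress = 'noreply@example.com'; // placeholder: an address on your own domain

// CR or LF in a header field is exactly what an injection attempt needs,
// so any such value is rejected outright rather than "cleaned".
function has_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

function handle_contact_form(array $post, string $recipient, string $siteAddress): array
{
    $name    = trim($post['name'] ?? '');
    $visitor = trim($post['email'] ?? '');
    $message = $post['message'] ?? '';

    // 1. Anything that goes into a header must be a single line.
    if (has_newline($name) || has_newline($visitor)) {
        return ['ok' => false, 'error' => 'Line breaks are not allowed in the name or e-mail field.'];
    }

    // 2. The visitor's address must at least be syntactically valid.
    if (filter_var($visitor, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'Please enter a valid e-mail address.'];
    }

    // 3. From: is your own address (so your mail server will accept it);
    //    the visitor only appears in Reply-To:. The message body may contain
    //    line breaks freely, since it is not a header.
    $subject = 'Website contact from ' . $name;
    $headers = 'From: ' . $siteAddress . "\r\n"
             . 'Reply-To: ' . $visitor;

    $sent = mail($recipient, $subject, $message, $headers);
    return ['ok' => $sent, 'error' => $sent ? '' : 'The message could not be sent.'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = handle_contact_form($_POST, $recipient, $siteAddress);
    echo $result['ok']
        ? 'Thanks, your message was sent.'
        : htmlspecialchars($result['error'], ENT_QUOTES, 'UTF-8');
}
```

The important design choice is that the check is a rejection, not a filter: stripping line breaks and carrying on would still let a malformed submission through, and the recipient and From: address never come from the browser at all, which is what a client-side mailto: form cannot guarantee.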

majo
12-12-2006, 07:50 AM
Thanks for both of your comments. I'd prefer to avoid the in-page JavaScript for this purpose. Something back-end seems to be easier to lock down.

The code injection article was very well written and clear -- I almost even understood it :p

Still no closer to making an informed existing code selection choice. But I guess I'm just going to have to keep on researching.