Can PHP form selection determine recipient?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

deedee815
Forum Newbie
Posts: 3
Joined: Sun Apr 02, 2006 7:39 pm

Post by deedee815 »

I was curious if this is possible. I would like to create a very simple form requesting name, email and a selection of services. Is it possible to have the services selected determine who the email is sent to? For example, if the user selects apples, the email is sent to red@color.com but if the user selects bananas the email is sent to yellow@color.com? I currently use Matt's Form Mail script to create my simple forms. Thanks for any assistance.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's a simple lookup of what selection sends to what address(es). I often use an associative array for the mapping.
charp
Forum Commoner
Posts: 85
Joined: Sun Oct 26, 2003 3:00 pm
Location: Rancho Cucamonga, Calif. USA

Post by charp »

How about something like this:

<select name="recipient">
<option value="red@color.com">apples</option>
<option value="yellow@color.com">bananas</option>
</select>
No need for php.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

...and wide open to abuse by trusting the input.
charp
Forum Commoner
Posts: 85
Joined: Sun Oct 26, 2003 3:00 pm
Location: Rancho Cucamonga, Calif. USA

Post by charp »

Not that I want to see a cookbook on how to abuse forms, but can you hint at how the abuse can happen?

Also, the nms Project has a drop-in replacement for Matt's formmail script. In this replacement script, you can hide the recipient's email address in the CGI script itself. Instead of value="red@color.com" you use value="1". Matt's script might have had this feature as well. I can't remember.

At any rate, would this close that abuse gap?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

charp wrote: Not that I want to see a cookbook on how to abuse forms, but can you hint at how the abuse can happen?

Also, the nms Project has a drop-in replacement for Matt's formmail script. In this replacement script, you can hide the recipient's email address in the CGI script itself. Instead of value="red@color.com" you use value="1". Matt's script might have had this feature as well. I can't remember.

At any rate, would this close that abuse gap?
For one thing an email harvesting bot would pick up those addresses and spam the hell out of them (same as mailto I guess). But worse, you can send whatever POST/GET data to a server you like... therefore some idiot could very well decide to use your nice little script as a means of sending out emails to other people, or at the least, cause a big annoyance.

You're best off having all the stuff done on the server side.

Apart from the addresses being visible, there's nothing wrong with that, providing you sanitize things before going ahead and processing what the user sends to you (i.e. check the addresses are valid).
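
The associative-array lookup and server-side checks discussed in this thread, as an added example that is not part of any post above. The field names, the `build_message` helper and the `forms@color.com` sender address are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example: field names, helper name and sender address are assumptions.
// The form sends only a key such as "apples"; addresses never leave the server.
const RECIPIENTS = [
    'apples'  => 'red@color.com',
    'bananas' => 'yellow@color.com',
];

// Returns the message parts for an acceptable submission, or null to reject it.
function build_message(array $post): ?array
{
    $service = $post['service'] ?? '';
    $name    = $post['name'] ?? '';
    $email   = $post['email'] ?? '';

    // Fields can arrive as arrays (service[]=...); accept plain strings only.
    if (!is_string($service) || !is_string($name) || !is_string($email)) {
        return null;
    }
    // Allowlist: a value that is not a known key never reaches mail().
    if (!array_key_exists($service, RECIPIENTS)) {
        return null;
    }
    // Line breaks in a value placed in a mail header would let the sender
    // add headers of their own, so refuse them instead of trying to clean up.
    if (preg_match('/[\r\n]/', $name . $email)) {
        return null;
    }
    $name = trim($name);
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return [
        'to'      => RECIPIENTS[$service],
        'subject' => 'Service enquiry: ' . $service,
        'body'    => "Name: $name\nEmail: $email\nService: $service\n",
        // From stays a fixed site address; the visitor only goes in Reply-To.
        'headers' => "From: forms@color.com\r\nReply-To: $email",
    ];
}

// Constructed submissions: one valid, one with a tampered selection.
$samples = [
    ['service' => 'apples', 'name' => 'Dee', 'email' => 'dee@example.org'],
    ['service' => 'someone@elsewhere.example', 'name' => 'x', 'email' => 'x@example.org'],
];
foreach ($samples as $s) {
    $m = build_message($s);
    echo $m ? "send to {$m['to']}\n" : "rejected\n";
    // Real use: if ($m) mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}
```

The matching form uses `<option value="apples">apples</option>`, so the page source carries no address for a harvesting bot to collect.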