Can PHP form selection determine recipient?
I was curious if this is possible. I would like to create a very simple form requesting name, email and a selection of services. Is it possible to have the services selected determine who the email is sent to? For example, if the user selects apples, the email is sent to red@color.com but if the user selects bananas the email is sent to yellow@color.com? I currently use Matt's Form Mail script to create my simple forms. Thanks for any assistance.
- charp
- Forum Commoner
- Posts: 85
- Joined: Sun Oct 26, 2003 3:00 pm
- Location: Rancho Cucamonga, Calif. USA
How about something like this:
No need for php.
<select name="recipient">
<option value="red@color.com">apples</option>
<option value="yellow@color.com">bananas</option>
</select>
- charp
Not that I want to see a cookbook on how to abuse forms, but can you hint at how the abuse can happen?
Also, the nms Project has a drop in replacement for Matt's formmail script. In this replacement script, you can hide the recipient's email address in the CGI script itself. Instead of value="red@color.com" you use value="1". Matt's script might have had this feature as well. I can't remember.
At any rate, would this close that abuse gap?
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
For one thing, an email harvesting bot would pick up those addresses and spam the hell out of them (same as mailto I guess). But worse, you can send whatever POST/GET data to a server you like... therefore some idiot could very well decide to use your nice little script as a means of sending out emails to other people, or at the least, cause a big annoyance.
charp wrote:
Not that I want to see a cookbook on how to abuse forms, but can you hint at how the abuse can happen?
Also, the nms Project has a drop in replacement for Matt's formmail script. In this replacement script, you can hide the recipient's email address in the CGI script itself. Instead of value="red@color.com" you use value="1". Matt's script might have had this feature as well. I can't remember.
At any rate, would this close that abuse gap?
You're best off having all the stuff done on the server side.
Apart from the addresses being visible, there's nothing wrong with that, providing you sanitize things before going ahead and processing what the user sends to you (i.e. check the addresses are valid).
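Added example, not part of the original thread or of any script mentioned in it: a PHP handler that keeps the recipient addresses on the server, as the last two posts suggest, and accepts only a known service key from the form. The field names `service`, `name` and `email` and the function `buildMessage` are assumptions; the addresses are the ones used in the question.

```php
<?php
// Added example: the form submits only a service key, never an address.
// Assumed form fields: service (apples|bananas), name, email.
declare(strict_types=1);

// Server-side allowlist. The browser never sees these addresses.
const RECIPIENTS = [
    'apples'  => 'red@color.com',
    'bananas' => 'yellow@color.com',
];

/** Return the arguments for mail(), or null if the submission is invalid. */
function buildMessage(array $post): ?array
{
    $service = $post['service'] ?? '';
    $name    = $post['name'] ?? '';
    $email   = $post['email'] ?? '';
    if (!is_string($service) || !is_string($name) || !is_string($email)) {
        return null; // array-valued fields (service[]=...) are rejected
    }
    // Unknown key: refuse, so a forged POST cannot pick its own recipient.
    if (!array_key_exists($service, RECIPIENTS)) {
        return null;
    }
    // The visitor's address is the only user input that reaches a header,
    // so it must be a single syntactically valid address (no CR/LF).
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The name goes into the body only; collapse line breaks to one line.
    $name = trim(preg_replace('/[\r\n]+/', ' ', $name));
    if ($name === '') {
        return null;
    }
    return [
        'to'      => RECIPIENTS[$service],
        'subject' => 'Service request: ' . $service,
        'body'    => "Name: $name\nEmail: $email\nService: $service\n",
        'headers' => 'Reply-To: ' . $email,
    ];
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg = buildMessage($_POST);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid submission.');
    }
    mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
}
```

The matching form uses `<option value="apples">` and `<option value="bananas">`, so the page source contains no address for a harvesting bot to collect.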