Jump to content

Formmail Security Holes!


Recommended Posts

Hello,

 

There has been a security hole found that allows formail to be used by unauthorized persons. In effect allowing spam to be sent from your domain. This hole is found in the following scripts.

 

formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl

 

We are disabling the following built in cPanel Scripts on all our servers effective the time of this email.

 

formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl

 

If your site is using any of the above, you will need to make changes to your web space and utilize a different email script. You may use the built in cgiemail, as this has not been identified as a problem.

 

This action is being done to prevent the unauthorized use of our servers.

Link to post
Share on other sites

Notes from a paranoid site manager;

 

I have been concerned about FTP account passwords also that I might pass out to various clients for transfer of technical data back and forth. Any chance these folders could be used for the same purpose?

 

Also, how would one do a check search to make sure form mail is not being used on one's site. I don't use it, but if someone were to breach the security password wall of my site they technically could set up such distribution points. Is there a serch means to check for all such files on a site to be deleted?

 

DB

Link to post
Share on other sites

Yeah, I have been using the docs to rewrite my forms now for cgiemail. The problem I have is I don't know on our servers the exact location of the script and where to post my ansi questions document. I can't finish the forms until I have the "action" line correct.

Link to post
Share on other sites

CGI EMail is a simple, easy-to-use script that takes the results of any form and sends them to you via email. Because it is already installed, minimal configuration is required to successfully use the script.

 

The following steps provide quick summarized

 

To configure CGI EMail:

 

Create an HTML form with a number of named input fields. Refer to this page for more detailed information of the action component of the form.

 

Create an email template (a .txt file) that displays the format in which you want your form information displayed in the email. Make sure all your form name codes are one word and in square brackets [].

 

Upload the .txt and form files to your site.

 

Go to your cgi-bin directory and change the file permissions on cgiecho and cgiemail to 755.

 

Test the script. The cgiecho script is designed for testing online, so you do not have to wait for email to be sent or received.

Link to post
Share on other sites

ahhhhhh! :lol:

 

Do you know how many of my clients use this script? And they are all very active sites (i.e. multiple orders per hour).

 

 

ahhhhh!

 

I guess the yard can wait!

 

B) :o :o :o

Edited by dsdemmin
Link to post
Share on other sites

Hello everyone... I have an option that has been working for me for several months. I was previously with another hosting company that forbid the use of FormMail many months ago.

 

I came across a PHP script that is written to take the same form inputs (hidden inputs) that FormMail uses.

 

After months of studying and using PHP, I've learned several ways to make this script even more secure...

Here's the final product of my work:

 

<?php

/*

##############################################################################

# PLEASE DO NOT REMOVE THIS HEADER!!!

#

# COPYRIGHT NOTICE

#

# FormMail.php v4.2

# (Originally v4.1b -- Fixed to illiminate spam gateway exploit)

# Fixed by Tom Parkison ( trparky@toms-world.org )

#

# Copyright 2000,2001 Ai Graphics and Joe Lumbroso © All rights reserved.

# Created 07/06/00   Last Modified 08/06/2001

# Joseph Lumbroso, http://www.aigraphics.com, http://www.dtheatre.com

#                  http://www.lumbroso.com/scripts/

##############################################################################

#

# This cannot and will not be inforced but I would appreciate a link back

# to any of these sites:

# http://www.dtheatre.com

# http://www.aigraphics.com

# http://www.lumbroso.com/scripts/

#

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR

# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,

# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR

# OTHER DEALINGS IN THE SOFTWARE.

#

##############################################################################

*/

 

// formmail version (for debugging mostly)

$version = "4.2";

 

$allowed_email_recipients_array = array('yoursite.com','www.yoursite.com');

 

# THIS IS REQUIRED FOR THE SCRIPT TO RUN.  YOU MUST FILL IT IN WITH YOUR

# DOMAIN NAME.  THIS IS TO CORRECT THE SPAM GATEWAY EXPLOIT IN v4.1b.

#

# THE VALUES CAN BE FULL EMAIL ADDRESSES OR JUST DOMAIN NAMES.

 

// referers.. domains/ips that you will allow forms to

// reside on.

$referers = array('yoursite.com','www.yoursite.com');

 

//Jack at Surefire Webdesign added this for anti-spam purposes

$recipient = "contact@yoursite.com";

$redirect = "http://www.yoursite.com/thanks.php";

 

// banned emails, these will be email addresses of people

// who are blocked from using the script (requested)

$banlist = array ('*@somedomain.com', 'user@domain.com', 'etc@domains.com');

 

// our mighty error function..

function print_error($reason,$type = 0) {

   global $version;

build_body($title, $bgcolor, $text_color, $link_color, $vlink_color, $alink_color, $style_sheet);

 

   // for missing required data

   if ($type == "missing") {

      ?>

   <p> </p>

      <h2>The form was not submitted for the following reasons:</h2>

     <ul><?php

     print("$reason.\n");

     ?></ul>

     <p>Please use your browser's back button to return to the form and try again.</p>

  <?php

   } else

   {

   // every other error

      ?>

      <h2>The form was not submitted because of the following reasons:</h2>

<?php

   }

   print("<br><br>\n");

   //echo "<small>This form is powered by <a href=\"http://www.lumbroso.com/scripts/\">Jack's'>http://www.lumbroso.com/scripts/\">Jack's Formmail.php $version!/a></small>\n\n";

  

}

 

// function to check the banlist

// suggested by a whole lot of people.. Thanks

function check_banlist($banlist, $email) {

   if (count($banlist)) {

      $allow = true;

      foreach($banlist as $banned) {

         $temp = explode("@", $banned);

         if ($temp[0] == "*") {

            $temp2 = explode("@", $email);

            if (trim(strtolower($temp2[1])) == trim(strtolower($temp[1])))

               $allow = false;

         } else {

            if (trim(strtolower($email)) == trim(strtolower($banned)))

               $allow = false;

         }

      }

   }

   if (!$allow) {

      print_error("You are using from a <b>banned email address.</b>");

   }

}

 

// function to check the referer for security reasons.

// contributed by some one who's name got lost.. Thanks

// goes out to him any way.

function check_referer($referers) {

   if (count($referers)) {

      $found = false;

      $temp = explode("/",getenv("HTTP_REFERER"));

      $referer = $temp[2];

      for ($x=0; $x < count($referers); $x++) {

         if (eregi ($referers[$x], $referer)) {

            $found = true;

         }

      }

      if (!getenv("HTTP_REFERER"))

         $found = false;

      if (!$found){

         print_error("You are coming from an <b>unauthorized domain.</b>");

         error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);

      }

         return $found;

      } else {

         return true; // not a good idea, if empty, it will allow it.

   }

}

if ($referers)

   check_referer($referers);

 

if ($banlist)

   check_banlist($banlist, $email);

 

// parse the form and create the content string which we will send

function parse_form($array) {

   // build reserved keyword array

   $reserved_keys[] = "MAX_FILE_SIZE";

   $reserved_keys[] = "required";

   $reserved_keys[] = "redirect";

   $reserved_keys[] = "email";

   $reserved_keys[] = "require";

   $reserved_keys[] = "path_to_file";

   $reserved_keys[] = "recipient";

   $reserved_keys[] = "subject";

   $reserved_keys[] = "bgcolor";

   $reserved_keys[] = "text_color";

   $reserved_keys[] = "link_color";

   $reserved_keys[] = "vlink_color";

   $reserved_keys[] = "alink_color";

   $reserved_keys[] = "title";

   $reserved_keys[] = "missing_fields_redirect";

   $reserved_keys[] = "env_report";

   if (count($array)) {

      while (list($key, $val) = each($array)) {

         // exclude reserved keywords

         $reserved_violation = 0;

         for ($ri=0; $ri<count($reserved_keys); $ri++) {

            if ($key == $reserved_keys[$ri]) {

               $reserved_violation = 1;

            }

         }

         // prepare content

         if ($reserved_violation != 1) {

            if (is_array($val)) {

               for ($z=0;$zcount($val);$z++) {

                  $content .= "$key: $val[$z]\n";

               }

            } else {

               $content .= "$key: $val\n";

            }

         }

      }

   }

   return $content;

}

 

// mail the content we figure out in the following steps

function mail_it($content, $subject, $email, $recipient, $allowed_email_recipients_array) {

 

 

// INCLUDED TO FIX SPAM GATEWAY EXPLOIT

 

$recipient_array = explode(",", $recipient);

$size_of_recipients_array = count($recipient_array);

$size_of_allowed_recipients_array = count($allowed_email_recipients_array);

for ($recipients_array_count = 0; $recipients_array_count != $size_of_recipients_array; $recipients_array_count++) {

for ($allowed_recipients_array_count = 0; $allowed_recipients_array_count != $size_of_allowed_recipients_array; $allowed_recipients_array_count++) {

  if ( stristr($recipient_array[$recipients_array_count],$allowed_email_recipients_array[$allowed_recipients_array_count]) ) {

   if ($new_recipient == "") {

    $new_recipient = $recipient_array[$recipients_array_count];

   }

   else {

    $new_recipient .= ",";

    $new_recipient .= "$recipient_array[$recipients_array_count]";

   }

  }

}

}

 

$recipient = $new_recipient;

 

 

// INCLUDED TO FIX SPAM GATEWAY EXPLOIT

 

        mail($recipient, $subject, $content, "From: $email\r\nReply-To: $email\r\nX-Mailer: DT_formmail");

}

 

// take in the body building arguments and build the body tag for page display

function build_body($title, $bgcolor, $text_color, $link_color, $vlink_color, $alink_color, $style_sheet) {

   if ($style_sheet)

      echo "<LINK rel=STYLESHEET href=\"$style_sheet\" Type=\"text/css\">\n";

   if ($title)

      echo "<title>$title</title>\n";

   if (!$bgcolor)

      $bgcolor = "#FFFFFF";

   if (!$text_color)

      $text_color = "#000000";

   if (!$link_color)

      $link_color = "#0000FF";

   if (!$vlink_color)

      $vlink_color = "#FF0000";

   if (!$alink_color)

      $alink_color = "#000088";

   if ($background)

      $background = "background=\"$background\"";

   echo "<body bgcolor=\"$bgcolor\" text=\"$text_color\" link=\"$link_color\" vlink=\"$vlink_color\" alink=\"$alink_color\" $background>\n\n";

}

 

// check for a recipient email address and check the validity of it

// Thanks to Bradley miller (bradmiller@accesszone.com) for pointing

// out the need for multiple recipient checking and providing the code.

$recipient_in = split(',',$recipient);

for ($i=0;$i<count($recipient_in);$i++) {

   $recipient_to_test = trim($recipient_in[$i]);

   if (!eregi("^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,3}$", $recipient_to_test)) {

      print_error("b>I NEED VALID RECIPIENT EMAIL ADDRESS ($recipient_to_test) TO CONTINUE</b>");

   }

}

 

// This is because I originally had it require but too many people

// were used to Matt's Formmail.pl which used required instead.

if ($required)

   $require = $required;

// handle the required fields

if ($require) {

   // seperate at the commas

   $require = ereg_replace( " +", "", $require);

   $required = split(",",$require);

   for ($i=0;$i<count($required);$i++) {

      $string = trim($required[$i]);

      // check if they exsist

      if((!(${$string})) || (!(${$string}))) {

         // if the missing_fields_redirect option is on: redirect them

         if ($missing_fields_redirect) {

            header ("Location: $missing_fields_redirect");

            exit;

         }

         $require;

         $missing_field_list .= "<b>Missing: $required[$i]</b><br>\n";

      }

   }

   // send error to our mighty error function

   if ($missing_field_list)

      print_error($missing_field_list,"missing");

}

 

// check the email fields for validity

if (($email) || ($EMAIL)) {

   $email = trim($email);

   if ($EMAIL)

      $email = trim($EMAIL);

   if (!eregi("^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,3}$", $email)) {

      print_error("your b>email address</b> is invalid");

   }

   $EMAIL = $email;

}

 

// check zipcodes for validity

if (($ZIP_CODE) || ($zip_code)) {

   $zip_code = trim($zip_code);

   if ($ZIP_CODE)

      $zip_code = trim($ZIP_CODE);

   if (!ereg("(^[0-9]{5})-([0-9]{4}$)", trim($zip_code)) && (!ereg("^[a-zA-Z][0-9][a-zA-Z][[:space:]][0-9][a-zA-Z][0-9]$", trim($zip_code))) && (!ereg("(^[0-9]{5})", trim($zip_code)))) {

      print_error("your <b>zip/postal code</b> is invalid");

   }

}

 

// check phone for validity

if (($PHONE_NO) || ($phone_no)) {

   $phone_no = trim($phone_no);

   if ($PHONE_NO)

      $phone_no = trim($PHONE_NO);

   if (!ereg("(^(.*)[0-9]{3})(.*)([0-9]{3})(.*)([0-9]{4}$)", $phone_no)) {

      print_error("your <b>phone number</b> is invalid");

   }

}

 

// check phone for validity

if (($FAX_NO) || ($fax_no)) {

   $fax_no = trim($fax_no);

   if ($FAX_NO)

      $fax_no = trim($FAX_NO);

   if (!ereg("(^(.*)[0-9]{3})(.*)([0-9]{3})(.*)([0-9]{4}$)", $fax_no)) {

      print_error("your <b>fax number</b> is invalid");

   }

}

 

// prepare the content

$content = parse_form($HTTP_POST_VARS);

 

// check for a file if there is a file upload it

if ($file_name) {

   if ($file_size > 0) {

      if (!ereg("/$", $path_to_file))

         $path_to_file = $path_to_file."/";

      $location = $path_to_file.$file_name;

      if (file_exists($path_to_file.$file_name))

         $location .= ".new";

      copy($file,$location);

      unlink($file);

      $content .= "Uploaded File: ".$location."\n";

   }

}

 

// second file.

if ($file2_name) {

   if ($file_size > 0) {

      if (!ereg("/$", $path_to_file))

         $path_to_file = $path_to_file."/";

      $location = $path_to_file.$file2_name;

      if (file_exists($path_to_file.$file2_name))

         $location .= ".new";

      copy($file2,$location);

      unlink($file2);

      $content .= "Uploaded File: ".$location."\n";

   }

}

 

// if the env_report option is on: get eviromental variables

if ($env_report) {

   $env_report = ereg_replace( " +", "", $env_report);

   $env_reports = split(",",$env_report);

   $content .= "\n------ eviromental variables ------\n";

   for ($i=0;$i<count($env_reports);$i++) {

      $string = trim($env_reports[$i]);

      if ($env_reports[$i] == "REMOTE_HOST")

         $content .= "REMOTE HOST: ".$REMOTE_HOST."\n";

      else if ($env_reports[$i] == "REMOTE_USER")

         $content .= "REMOTE USER: ". $REMOTE_USER."\n";

      else if ($env_reports[$i] == "REMOTE_ADDR")

         $content .= "REMOTE ADDR: ". $REMOTE_ADDR."\n";

      else if ($env_reports[$i] == "HTTP_USER_AGENT")

         $content .= "BROWSER: ". $HTTP_USER_AGENT."\n";

   }

}

 

// if the subject option is not set: set the default

if (!$subject)

   $subject = "Form submission";

 

// send it off

mail_it(stripslashes($content), stripslashes($subject), $email, $recipient, $allowed_email_recipients_array);

 

// if the redirect option is set: redirect them

if ($redirect) {

   header ("Location: $redirect");

   exit;

} else {

   print "Thank you for your submission\n";

   echo "<br><br>\n";

   echo "<small>This form is powered by <a href=\"http://www.lumbroso.com/scripts/\">Jack's Formmail.php $version!</a></small>\n\n";

   exit;

}

 

// <----------    THE END    ----------> // 

 

Ok... the first thing you'll notice is that the original work is not mine... I revamped a script that you can find here:

 

Jack's Formmail

 

The original script is really good, but I had two main complaints

1- Security still too lax

2- I wanted the recipient email address embedded in the code so I wouldn't have to expose it in my html on the form.

 

The security hole was fixed with a patch from www.toms-world.org but apparently the links to this patch don't work anymore... but the patch is included in the above script.

 

The recipient email address was brought inside the form so that now you change the script for your particular site by replacing "yoursite.com" with your actual site url.

 

To use this script, do the following:

  • Copy the script to a text editor
  • Change all instances of "yoursite.com" to your actual url
  • Save it as something.php (example: sendit.php)
  • Create a folder in your website for this script (example: phpbin)
  • FTP the script to the folder
  • Create your form and POST the form to the script you just created
  • Create a thank you page for the visitor to see after they post the form... name it whatever you want, but you have to change the part in the script that redirects the visitor to a thanks.php page

That's it. You can also create a hidden input field in your form to 'require' certain inputs... just like FormMail.cgi

 

I sincerely hope this helps... I've used this script for months and it works perfectly. In addition, most hackers are looking for FormMail.cgi so just changing the name of the script to somethingelse.php is a step towards security.

Edited by surefire
Link to post
Share on other sites

Thanks

 

There is a small error in the line

$referers = array(yoursite.com','www.yoursite.com');
which should be
$referers = array('yoursite.com','www.yoursite.com');

where a quote is missing.

 

Andy

Link to post
Share on other sites

>Fatal error: Call to undefined function: () in /home/hungryh/public_html/formmail.php on line 171

 

Are you sure that this is the location of your script?

 

If you followed the instructions, you would have loaded the script into a different directory then public_html (e.g. phpbin). Also, I would change the name of your script from formmail to something else (a little more security does not hurt).

Link to post
Share on other sites

karmacriminal:

 

No it does not; you should put it in another directory just for organizational reasons. I just wanted to make sure that you had the correct path to call the script.

 

Not sure why yours is not working.

 

Make sure it is not something simple like 'case' (upper vs. lower).

 

 

I am tired of this script! :lol: I have just changed eight sites (23 scripts) and more to go... they can wait. I am going to go mow the lawn and let the gray matter cool down.

 

Still can not figure out how to omit empty fields

 

If ($content .== "") ..... don't print the son-of-gun!

 

Be back later (hope somebody figures the empty field thing during my respite).

Link to post
Share on other sites

cPanel has just released a fix for the formail.pl rewrite security hole.

 

Dont get excited, I will need to watch this fix for a bit to make sure its a good and viable fix.

 

I will talk with Alan on Monday and see where we stand.

Link to post
Share on other sites

I'm not sure if it is related or not but yesterday I received a returned email due to invalid address. I knew that I had not sent out any emails so this must have been a spoofed message or the result of this hole (however, the forms I use on the web site are still working so they must not be part of what you disabled). Anyway, today when I checked email I have ~200 messages sent to various addresses, ie: xyz@mysite.com, where xyz is changing. Of course these are all from the mortgage lender, ****, and I AM A SPAMMER spammers. What is the best way to reject anyname@mysite.com and only allow the specific names I've defined?

 

Thanks

Link to post
Share on other sites

Support referred me to read these posts for the Formmail issue.

My reason for submitting a support ticket is because I do not have Cgiemail in my cgi-bin. The only script there is the one I put there when I first loaded my site. (that script is a formmail variation that I had renamed for security, it was working fine before it was deactivated by TCH)

 

Can somebody tell me where to look for Cgiemail, my Cpanel shows that it is loaded, but I cannot access it this way.

Whoever answered my support ticket didn't seem to read my question nor know if this forum could answer it....frustrating!

Thank you in advance for any help,

Ray

www.brotherhoodmusic.com

Link to post
Share on other sites

Hang in there - not sure I can tell you anything tonight. But I do have two web sites on TCH where I do have the cgiemail and cgiecho files in my local cgi-bin. However, I just tried to go to another one of my web sites, and it did not have it - and even after trying to enable cgiemail -- it didn't show up.

 

But it's too late for me to work on it now. Perhaps tomorrow!

 

-kw

Link to post
Share on other sites

Ray and KW, the script posted on the first page of this thread works well. It has the security you are looking for and is easy to get going. I too was trying to get cgiemail to work this morning until I just gave up on it and went with the script from this thread.

Link to post
Share on other sites

Hello again...

 

Glad to see this script is working well for most of you. I can only take credit for the minor modifications.

 

Anyhow, someone pointed out a line of code that I had neglected to delete from the script. My apologies.

 

I hate to repost the entire script again... but I want to put up a copy that is free of unnecessary lines of code I added.

 

So here it is:

 

***Special Note***

When you copy this script you MUST make sure that the text editor doesn't artificially wrap longer lines of code onto the next line. I've rewritten the code to try to make sure that this won't be an issue... but your best bet is a text editor like NotePad that will stretch the code as long as required. WordPad is an example of a text editor that you should NOT use because it will cut long lines of code into several lines and could change the way the server reads the PHP code.

 

Also... make sure that the code starts at the very top of you file. In other words, there can't be a blank line before <?php If you do, then you'll get a message that says Unable To Send Headers on Line 373... or something very similar.

***End Notes***

 

 

<?php

/*

##############################################################################

# PLEASE DO NOT REMOVE THIS HEADER!!!

#

# COPYRIGHT NOTICE

#

# FormMail.php v4.2

# (Originally v4.1b -- Fixed to illiminate spam gateway exploit)

# Fixed by Tom Parkison ( trparky@toms-world.org )

#

# Copyright 2000,2001 Ai Graphics and Joe Lumbroso © All rights reserved.

# Created 07/06/00  Last Modified 08/06/2001

# Joseph Lumbroso, http://www.aigraphics.com, http://www.dtheatre.com

#                  http://www.lumbroso.com/scripts/

##############################################################################

#

# This cannot and will not be inforced but I would appreciate a link back

# to any of these sites:

# http://www.dtheatre.com

# http://www.aigraphics.com

# http://www.lumbroso.com/scripts/

#

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR

# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,

# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR

# OTHER DEALINGS IN THE SOFTWARE.

#

##############################################################################

*/

 

// formmail version (for debugging mostly)

$version = "4.2";

 

//change the following urls to match the information at your own personal website

$allowed_email_recipients_array = array('yoursite.com','www.yoursite.com');

 

# THIS IS REQUIRED FOR THE SCRIPT TO RUN.  YOU MUST FILL IT IN WITH YOUR

# DOMAIN NAME.  THIS IS TO CORRECT THE SPAM GATEWAY EXPLOIT IN v4.1b.

#

# THE VALUES CAN BE FULL EMAIL ADDRESSES OR JUST DOMAIN NAMES.

 

/*referers.. domains/ips that you will allow forms to reside on.

change urls to match your site url */

$referers = array('yoursite.com','www.yoursite.com');

 

//Jack at Surefire Webdesign added this for anti-spam purposes

/*change this to a valid email address at your site and it must match one of the urls in $allowed_email_recipients array listed above */

$recipient = "contact@yoursite.com";

 

/*rewrite the following line of code to match the exact location of your thankyou page... if you have one.

It's a good idea to create one IMHO*/

$redirect = "http://www.yoursite.com/thanks.php";

 

 

 

/* banned emails, these will be email addresses of people

who are blocked from using the script (requested) */

 

$banlist = array ('*@somedomain.com', 'user@domain.com', 'etc@domains.com');

 

// our mighty error function..

function print_error($reason,$type = 0) {

  global $version;

build_body($title, $bgcolor, $text_color, $link_color, $vlink_color, $alink_color, $style_sheet);

 

 

  // for missing required data

  if ($type == "missing") {

      ?>

  <p> </p>

      <h2>The form was not submitted for the following reasons:</h2>

    <ul><?php

    print("$reason.\n");

    ?></ul>

    <p>Please use your browser's back button to return to the form and try again.</p>

  <?php

  } else

  {

  // every other error

      ?>

      <h2>The form was not submitted because of the following reasons:</h2>

<?php

  }

  print("<br><br>\n");

echo "<small>This form is powered by <a href=\"http://www.lumbroso.com/scripts/\">Jack's'>http://www.lumbroso.com/scripts/\">Jack's Formmail.php $version!/a></small>\n\n";

 

}

 

// function to check the banlist

// suggested by a whole lot of people.. Thanks

function check_banlist($banlist, $email) {

  if (count($banlist)) {

      $allow = true;

      foreach($banlist as $banned) {

        $temp = explode("@", $banned);

        if ($temp[0] == "*") {

            $temp2 = explode("@", $email);

            if (trim(strtolower($temp2[1])) == trim(strtolower($temp[1])))

              $allow = false;

        } else {

            if (trim(strtolower($email)) == trim(strtolower($banned)))

              $allow = false;

        }

      }

  }

  if (!$allow) {

      print_error("You are using from a <b>banned email address.</b>");

  }

}

 

// function to check the referer for security reasons.

// contributed by some one who's name got lost.. Thanks

// goes out to him any way.

function check_referer($referers) {

  if (count($referers)) {

      $found = false;

      $temp = explode("/",getenv("HTTP_REFERER"));

      $referer = $temp[2];

      for ($x=0; $x < count($referers); $x++) {

        if (eregi ($referers[$x], $referer)) {

            $found = true;

        }

      }

      if (!getenv("HTTP_REFERER"))

        $found = false;

      if (!$found){

        print_error("You are coming from an <b>unauthorized domain.</b>");

        error_log("[FormMail.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);

      }

        return $found;

      } else {

        return true; // not a good idea, if empty, it will allow it.

  }

}

if ($referers)

  check_referer($referers);

 

if ($banlist)

  check_banlist($banlist, $email);

 

// parse the form and create the content string which we will send

function parse_form($array) {

  // build reserved keyword array

  $reserved_keys[] = "MAX_FILE_SIZE";

  $reserved_keys[] = "required";

  $reserved_keys[] = "redirect";

  $reserved_keys[] = "email";

  $reserved_keys[] = "require";

  $reserved_keys[] = "path_to_file";

  $reserved_keys[] = "recipient";

  $reserved_keys[] = "subject";

  $reserved_keys[] = "bgcolor";

  $reserved_keys[] = "text_color";

  $reserved_keys[] = "link_color";

  $reserved_keys[] = "vlink_color";

  $reserved_keys[] = "alink_color";

  $reserved_keys[] = "title";

  $reserved_keys[] = "missing_fields_redirect";

  $reserved_keys[] = "env_report";

  if (count($array)) {

      while (list($key, $val) = each($array)) {

        // exclude reserved keywords

        $reserved_violation = 0;

        for ($ri=0; $ri<count($reserved_keys); $ri++) {

            if ($key == $reserved_keys[$ri]) {

              $reserved_violation = 1;

            }

        }

        // prepare content

        if ($reserved_violation != 1) {

            if (is_array($val)) {

              for ($z=0;$zcount($val);$z++) {

                  $content .= "$key: $val[$z]\n";

              }

            } else {

              $content .= "$key: $val\n";

            }

        }

      }

  }

  return $content;

}

 

// mail the content we figure out in the following steps

function mail_it($content, $subject, $email, $recipient, $allowed_email_recipients_array) {

 

 

// INCLUDED TO FIX SPAM GATEWAY EXPLOIT

 

$recipient_array = explode(",", $recipient);

$size_of_recipients_array = count($recipient_array);

$size_of_allowed_recipients_array = count($allowed_email_recipients_array);

for ($recipients_array_count = 0; $recipients_array_count != $size_of_recipients_array; $recipients_array_count++) {

for ($allowed_recipients_array_count = 0; $allowed_recipients_array_count != $size_of_allowed_recipients_array; $allowed_recipients_array_count++) {

  if ( stristr($recipient_array[$recipients_array_count],$allowed_email_recipients_array[$allowed_recipients_array_count]) ) {

  if ($new_recipient == "") {

    $new_recipient = $recipient_array[$recipients_array_count];

  }

  else {

    $new_recipient .= ",";

    $new_recipient .= "$recipient_array[$recipients_array_count]";

  }

  }

}

}

 

$recipient = $new_recipient;

 

 

// INCLUDED TO FIX SPAM GATEWAY EXPLOIT

 

        mail($recipient, $subject, $content, "From: $email\r\nReply-To: $email\r\nX-Mailer: DT_formmail");

}

 

/* take in the body building arguments and build the body tag for page display */

function build_body($title, $bgcolor, $text_color, $link_color, $vlink_color, $alink_color, $style_sheet) {

  if ($style_sheet)

      echo "<LINK rel=STYLESHEET href=\"$style_sheet\" Type=\"text/css\">\n";

  if ($title)

      echo "<title>$title</title>\n";

  if (!$bgcolor)

      $bgcolor = "#FFFFFF";

  if (!$text_color)

      $text_color = "#000000";

  if (!$link_color)

      $link_color = "#0000FF";

  if (!$vlink_color)

      $vlink_color = "#FF0000";

  if (!$alink_color)

      $alink_color = "#000088";

  if ($background)

      $background = "background=\"$background\"";

  echo "<body bgcolor=\"$bgcolor\" text=\"$text_color\" link=\"$link_color\" vlink=\"$vlink_color\" alink=\"$alink_color\" $background>\n\n";

}

 

/* check for a recipient email address and check the validity of it

Thanks to Bradley miller (bradmiller@accesszone.com) for pointing

out the need for multiple recipient checking and providing the code. */

$recipient_in = split(',',$recipient);

for ($i=0;$i<count($recipient_in);$i++) {

  $recipient_to_test = trim($recipient_in[$i]);

  if (!eregi("^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,3}$", $recipient_to_test)) {

      print_error("<b>I NEED VALID RECIPIENT EMAIL ADDRESS ($recipient_to_test) TO CONTINUE</b>");

  }

}

 

/* This is because I originally had it require but too many people

were used to Matt's Formmail.pl which used required instead. */

if ($required)

  $require = $required;

// handle the required fields

if ($require) {

  // seperate at the commas

  $require = ereg_replace( " +", "", $require);

  $required = split(",",$require);

  for ($i=0;$i<count($required);$i++) {

      $string = trim($required[$i]);

      // check if they exsist

      if((!(${$string})) || (!(${$string}))) {

        // if the missing_fields_redirect option is on: redirect them

        if ($missing_fields_redirect) {

            header ("Location: $missing_fields_redirect");

            exit;

        }

        $require;

        $missing_field_list .= "<b>Missing: $required[$i]</b><br>\n";

      }

  }

  // send error to our mighty error function

  if ($missing_field_list)

      print_error($missing_field_list,"missing");

}

 

// check the email fields for validity

if (($email) || ($EMAIL)) {

  $email = trim($email);

  if ($EMAIL)

      $email = trim($EMAIL);

  if (!eregi("^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,3}$", $email)) {

      print_error("your <b>email address</b> is invalid");

  }

  $EMAIL = $email;

}

 

// check zipcodes for validity

if (($ZIP_CODE) || ($zip_code)) {

  $zip_code = trim($zip_code);

  if ($ZIP_CODE)

      $zip_code = trim($ZIP_CODE);

  if (!ereg("(^[0-9]{5})-([0-9]{4}$)", trim($zip_code)) && (!ereg("^[a-zA-Z][0-9][a-zA-Z][[:space:]][0-9][a-zA-Z][0-9]$", trim($zip_code))) && (!ereg("(^[0-9]{5})", trim($zip_code)))) {

      print_error("your <b>zip/postal code</b> is invalid");

  }

}

 

// check phone for validity

if (($PHONE_NO) || ($phone_no)) {

  $phone_no = trim($phone_no);

  if ($PHONE_NO)

      $phone_no = trim($PHONE_NO);

  if (!ereg("(^(.*)[0-9]{3})(.*)([0-9]{3})(.*)([0-9]{4}$)", $phone_no)) {

      print_error("your <b>phone number</b> is invalid");

  }

}

 

// check phone for validity

if (($FAX_NO) || ($fax_no)) {

  $fax_no = trim($fax_no);

  if ($FAX_NO)

      $fax_no = trim($FAX_NO);

  if (!ereg("(^(.*)[0-9]{3})(.*)([0-9]{3})(.*)([0-9]{4}$)", $fax_no)) {

      print_error("your <b>fax number</b> is invalid");

  }

}

 

// prepare the content

$content = parse_form($HTTP_POST_VARS);

 

// check for a file if there is a file upload it

if ($file_name) {

  if ($file_size > 0) {

      if (!ereg("/$", $path_to_file))

        $path_to_file = $path_to_file."/";

      $location = $path_to_file.$file_name;

      if (file_exists($path_to_file.$file_name))

        $location .= ".new";

      copy($file,$location);

      unlink($file);

      $content .= "Uploaded File: ".$location."\n";

  }

}

 

// second file.

if ($file2_name) {

  if ($file_size > 0) {

      if (!ereg("/$", $path_to_file))

        $path_to_file = $path_to_file."/";

      $location = $path_to_file.$file2_name;

      if (file_exists($path_to_file.$file2_name))

        $location .= ".new";

      copy($file2,$location);

      unlink($file2);

      $content .= "Uploaded File: ".$location."\n";

  }

}

 

// if the env_report option is on: get eviromental variables

if ($env_report) {

  $env_report = ereg_replace( " +", "", $env_report);

  $env_reports = split(",",$env_report);

  $content .= "\n------ eviromental variables ------\n";

  for ($i=0;$i<count($env_reports);$i++) {

      $string = trim($env_reports[$i]);

      if ($env_reports[$i] == "REMOTE_HOST")

        $content .= "REMOTE HOST: ".$REMOTE_HOST."\n";

      else if ($env_reports[$i] == "REMOTE_USER")

        $content .= "REMOTE USER: ". $REMOTE_USER."\n";

      else if ($env_reports[$i] == "REMOTE_ADDR")

        $content .= "REMOTE ADDR: ". $REMOTE_ADDR."\n";

      else if ($env_reports[$i] == "HTTP_USER_AGENT")

        $content .= "BROWSER: ". $HTTP_USER_AGENT."\n";

  }

}

 

// if the subject option is not set: set the default

if (!$subject)

  $subject = "Form submission";

 

// send it off

mail_it(stripslashes($content), stripslashes($subject), $email, $recipient, $allowed_email_recipients_array);

 

// if the redirect option is set: redirect them

if ($redirect) {

  header ("Location: $redirect");

  exit;

} else {

  print "Thank you for your submission\n";

  echo "<br><br>\n";

  echo "<small>This form is powered by <a href=\"http://www.lumbroso.com/scripts/\">Jack's Formmail.php $version!</a></small>\n\n";

  exit;

}

 

// <----------    THE END    ----------> // 

 

?>

 

I created additional comments in bold... some of which are redundant and obvious... but I want this to work for anyone who tries it.

 

I'll go over the steps again in more detail:

  • Copy and paste the script above into a text editor (NotePad strongly recommended. Avoid WordPad and other editors like Word that break long lines of code into several lines.)
  • Read the comments in the first 1/3 of the script and replace all instances of 'yoursite.com' with your actual url
  • I highly recommend that you create a 'Thank you' page that your visitor sees after they submit the form successfully
  • Let's say you name the thank you page "thanks.htm" FTP this page to your public html dir
  • Somewhere near line 50 is a line that reads: $redirect = "http://www.yoursite.com/thanks.php"; Change this to point to the location of your Thankyou page.
  • Save your text file and name it whatever you want but make sure it ends with .php file extension (Example sendit.php)
  • Create a folder on your website (I put the folder in the public html dir... but not necessary)
  • I usually name this folder phpbin... but name it whatever you like
  • FTP this script (sendit.php or whatever.php) to the folder you just created
  • Open up any existing form on your site in a text editor or whatever you use to code html
  • Direct the form to post to this script that you created (Should look something like: <form name="your_form" method="post" action="/phpbin/sendit.php">
  • You do NOT need hidden inputs in your form as you did with FormMail.cgi (recipient, referer, etc... not needed)
  • You can add a hidden input for "required" if you want certain fields required (Ex: <input name="required" type="hidden" id="required" value="email, first_name, phone"> )

I made these directions as detailed as possible, but you'll find that it's a lot quicker to do this than it may appear. It's really quite easy and should work right off the bat after you change just six or seven lines of code. In fact, I could rewrite it for the group so that you only have to change one line of code to have it work for your site.

 

Either way, it's pretty easy to use, so I'm more than happy to help anyone with this... although it appears that there are plenty of people that can help out on this forum.

 

If you're not a coder and PHP is foreign to you, then this script might seem confusing. Just follow the instructions and read the comments in the script (indicated by //) and everything should work for you.

 

One last thing, you can change the $banlist array to contain any emails or urls that you don't want. So if you decide you don't want any hotmail or yahoo emails, you can ban them right in the script. Be aware that this will turn some people off... but sometimes it's worth it... use your best judgement and tell your visitor what email addresses will not work with your form.

 

Hope this helps.

Link to post
Share on other sites
Still can not figure out how to omit empty fields

 

If ($content .== "") ..... don't print the son-of-gun!

 

Be back later (hope somebody figures the empty field thing during my respite).

dsdemmin:

 

Here is the answer to your question.

 

Starting at approximately line 165 you will see this:

 

      // prepare content

        if ($reserved_violation != 1) {

            if (is_array($val)) {

              for ($z=0;$zcount($val);$z++) {

                  $content .= "$key: $val[$z]\n";

              }

            }

else {

              $content .= "$key: $val\n";

            }

        }

      }

  }

  return $content;

}

 

And you can change it to this:

 

      // prepare content

        if ($reserved_violation != 1) {

            if (is_array($val)) {

              for ($z=0;$zcount($val);$z++) {

                  $content .= "$key: $val[$z]\n";

              }

            }

  if($val == "")

  {

  }

  else {

              $content .= "$key: $val\n";

            }

        }

      }

  }

  return $content;

}

 

There are three lines in bold that I added to make your suggestion work.

 

Basically, it tells the server, "If this field was left blank then skip it and move on to the next variable in the loop."

 

I've tested it out on my own site and works fine. Never thought of it before until you mentioned it.

Link to post
Share on other sites

Guys... I only just now realized that I can edit my posts.

 

So my apologies for putting the script up twice... but maybe the extra instructions will help someone.

 

And I edited the previous script posting, thanks to all for the input. I didn't proofread my code as thoroughly as I first thought.

 

Wanted to get it on the boards to help others... but haste makes waste I guess.

Link to post
Share on other sites

Jack,

 

Don't you worry about wasting space here! We all thank you so very much for sticking with this script and our questions about it. You're a gem (get it? kinda shiny, pretty ROCK!)

 

If you would consent, maybe KW could add your code and instructions to the Scripts and Tools section of the help site? KW would you? :lol:

Link to post
Share on other sites

Many thanks for your script surefire! :lol:

I had used sort and print_config fields in my forms. I will have to do some form rewriting as this script (or DodoMail) does not support those fields. :lol:

 

Any word on the FormMail fix from cPanel? Is it good? - I might wait for it a day and save myself a lot of work.

Link to post
Share on other sites

1stover and stoneage:

 

Thanks for the kudos... but my work was slight modifications and helping other members. The original script wasn't mine (even though my name is Jack as is the creator's).

 

Since the script is under GPL license, there shouldn't be any issues with using this script for TCH members are including in cpanel as long as headers remain to give credit where credit due... but that's my guess since I'm not the author.

 

I have since edited my post with the script (second one) for two reasons

1- Change comment section so that it won't cause problems regardless of which text editor used

2- To indicate to TCH members that it is critical that they use a text editor (like NotePad) that allows long lines of code to remain one long line of code... rather than splitting it onto two lines (wrapping)

 

I am fast at work on a script that will help others plug in their site info and get a ready to copy script.

 

I'll post it when done.

 

PS - I am currently helping one member by email. Not sure what the issue is, but working hard to resolve it. Will update this post when we figure out why it's giving this member problems.

 

Most members report that this script is very easy to use per the instructions given. If any clarification is needed, I'll be happy to help any way I can.

Link to post
Share on other sites

I had tried to post an online tool that creates the code with user input so it would be easy...

 

It seems to have a glitch, so I'm editing this post.

 

If you copy and past the script from page two of this post, you should have to problems. :lol:

Edited by surefire
Link to post
Share on other sites

Yipe!

 

I was trying to test this script out and I got:

 

The form was not submitted for the following reasons:

You are coming from an unauthorized domain..

Please use your browser's back button to return to the form and try again.

Link to post
Share on other sites

I sent you two files since you have two separate forms that you wanted contacting two separate emails. It could easily have been accomplished with one file... but that would require PHP modifications that would get a little dicey to put into your website without doing it myself.

 

So do this:

 

Create a folder on your site in your public html folder. Label the folder phpbin (or whatever you want).

 

FTP both of these files to the folder.

 

Now, take the html files with your forms and open them up in the html editor of your choosing. Direct the forms to POST the information to the approprate php files that I sent to you. I named them appropriately so it would be pretty simple to figure out which is which.

 

FTP your HTML files with the forms to your website so the old ones are replaced with the new ones.

 

Voila.

 

You're done.

Link to post
Share on other sites

If I understand you correctly, then you're not using the cgi script that the warning was about. The warning was about security issues with a very popular script called FormMail.pl (or .cgi)

 

If you don't use the script, you don't have to worry about this security issue.

Link to post
Share on other sites

For some reason, I cannot get surefire's script to work. If anyone out there knows of a quick, and easy form mail script- please let me know. I need a quick fix until everything settles down. Thanks!

Link to post
Share on other sites

SGarrett:

 

Sorry, you are having trouble... actually this script is very easy.

 

The form was not submitted for the following reasons:

You are coming from an unauthorized domain.

Please use your browser's back button to return to the form and try again.

 

I know you have been working with Jack so these suggestions may have already been discussed. The above would suggest that your referers is not set correctly.

 

>$referers = array('yoursite.com', 'www.yoursite.com');

 

Make sure the syntax is correct (on the original a ' was missing). Also, if your URL has not propagated yet you will have to enter your IP address instead (or in addition to) your URL.

 

Can you post your site and later tonight I will look at your code and see if I can see anything. I have a feeling it is going to be something very simple.

 

For instance, make sure you are uploading the scripts in asci.

 

I can understand your frustration, forms can be very important.

 

Hang in there.

Edited by dsdemmin
Link to post
Share on other sites

Dsdemmin is abolutely right about the most likely cause of this problem.

 

The script (for security reasons) checks to see where the POSTed information is coming from. If it's coming from the url that is listed in the code (www.your-actual-site-url.com) then it proceeds.

 

If it's from a site not listed, then it assumes it is spam email and stops, gives an error message.

 

Now, if you don't change the line of code reference by Dsdemmin, then you'll get an error.

 

The only other possibility (and I'm not 100% sure about this) is that your site is brand new and the server is reading your IP address but not the url. I have a site that I just started that might be having this issue.

 

I haven't had time to check it yet.

 

Other than that, I can't think of any reason why it wouldn't work. If you are new to programming, even a relatively short script can seem daunting since it doesn't look much like html.

 

If someone can post better instructions than I have in previous posts... be my guest.

 

And there are plenty of PHP scripts out there that can do this. So if you're having trouble with this one... go get a premade one from HotScripts. (Link can be found in one of my previous posts in this thread.)

 

The only reason I made modifications to this code was to improve security and make it easier for me to add multiple forms to my site without adding tons of hidden input variables.

 

You are more than welcome to download the original version and tinker with it. But the support given at that site is pretty lousy.

Link to post
Share on other sites

;) If I rename the Formmail.pl script to a something obscure, such as Boogie3.cgi or processor.cgi, wouldn't that hide the script from these spammers that are looking for Formmail.pl or Formmail.cgi?

Do these people have the ability to see through the diguise?

 

Please don't riducule me if this is a silly suggestion,

 

Ray

Link to post
Share on other sites

Not a silly question at all, but not accurate for the situation. Yes, it would hide the script, but what we are talking about here is the core function of formmail being disabled on the servers. So, even if you rename it, it still calls formmail, true? No help. It's formmail and it's accessibility that is in question and has holes. Doesn't matter what you call your script, that doesn't impact the accessibility of the flaw.

 

:unsure:

Link to post
Share on other sites

Ray_Bman:

 

Not silly at all. That is exactly what one should do if they are running any formmail script. When the patch is added to TCH, I will recommend that to HG.... change the name of the script to something other than formmail (e.g. send_tch_it).

 

The way people are 'finding' scripts to infiltrate are simply searching for 'formmail'.

 

What lianna is saying is that the formmail script supplied by TCH is disabled, so we can not use it at all at this time.

 

By Jack:
The only other possibility (and I'm not 100% sure about this) is that your site is brand new and the server is reading your IP address but not the url. I have a site that I just started that might be having this issue.

This definitely happens, whenever I 'move' a site I add the IP or the script will not work. Until propagation, the IP is the only way to go.

 

IP as in 216.180.243.186 vs. the URL as in www.My_Site.com

Link to post
Share on other sites

It's odd- even when I open up Dreamweaver to look at my 'register.php' file, it automatically shows the same error in the viewing frame. It's as if right off the bat something is incorrect. I am looking for an obvious errors, but in such a small area to modify, I can't find anything.

 

Wait a second- I just tried it, and it worked. Well, I recieved the information in my e-mail, but I still saw that error page when I submitted the form. I wonder if it does that to everyone- or just me. If anyone has a second, I'd very much appreciate a quick test. The url is www.abbainc.biz and then click on "Register", you can just use one letter for all of the fields except the email, you can make that up. If you get redirected, and no errors- then it may just be myself that is experiencing the problem. ;)

Link to post
Share on other sites
Yipe!

 

I was trying to test this script out and I got:

 

The form was not submitted for the following reasons:

You are coming from an unauthorized domain..

Please use your browser's back button to return to the form and try again.

Hi,

 

I was having the same problem. All you need to do is add another referers.. domains/ips that you will allow forms to reside on for your domain but with http://www.

 

Hop it works for you. It works for me now. It is a great program.

 

 

Thanks surefire.

 

 

Lou - The Solutions Guy

Link to post
Share on other sites

;)

I must be confused.

 

Hehe, would you please point out the lines that I need to speficically change? I'm having a second Monday that is worse than the last... Heh. Thanks!

 

Okay- I think I got you now. One second, let me give it a whirl.

Link to post
Share on other sites

If you are receiving the inputs in your email... in other words... if the information you type into the text boxes for your form and coming through in your email, then you're done except for the error message on the redirect.

 

If that's your situation, I'll give you two ways to fix it.

 

One, open up your php file in Dreamweaver (your editor) and make sure that the very first line is

<?php
And I mean there can't be a single blank line. For example... this is bad:
<?php

 

Most php scripts wouldn't care, but this one does because of the way redirects are done... that's all I'll say on why.

 

Remove any extra lines or anything above the <?php and then save the file and ftp it to your site so it overwrites your old file.

 

Then... and this is key, I'd go to your browser tools and delete old files and history so that your browser knows that your php file is new. Or if you get that error message, hit refresh on your browser and see what happens.

 

Two...

Find the line of code in your script that tells the server which page is your redirect page.

 

Add // in front of the line so it effectively turns that line off. It actually makes it a comment and so it isn't run by the server.

 

Then there's no redirect at all, you just get a regulary old thank you page. Only downside is that it doesn't look like your site at all.

 

If you are receiving information from the script in your email... you're close.... very close.

Link to post
Share on other sites

Sgarrett,

What Lou means is that in the referrers array:

$referers = array('your-site.com','www.your-site.com');

 

That you can add more info such as your IP and also your url starting with 'http://'

 

Earlier in this thread I mentioned how new sites at TCH might need to put in their IP address until everything settled down with their url (not a great explanation but I haven't had coffee yet.)

 

All that the code is doing is grabbing the url info of the page your form is on. If it matches one of the values in the referers array, the code proceeds.

 

If not, the security measure stops the code and gives you an error message.

 

The code works... It's just a matter of modifying the details of the code to your site.

 

Not difficult... but certainly frustrating if it doesn't seem to work.

 

Lou, glad the code is working for you and thanks for sharing the info.

Link to post
Share on other sites

;)

Okay... the // infront of the redirect worked. And I know with my luck I should cash in while I'm ahead, -but, I give an important piece of info on my redirect page. Is there any way at all to customize that? Atleast to add a 'Home' link or anything?

Link to post
Share on other sites

Okay... I'll answer your question... but I highly discourage others from using this... just use the redirect.

 

Here's the answer to your question:

// if the redirect option is set: redirect them

if ($redirect) {

header ("Location: $redirect");

exit;

} else {

print "Thank you for your submission\n";

echo "<br><br>\n";

echo "<small>This form is powered by <a href=\"http://www.lumbroso.com/scripts/\">Jack's Formmail.php $version!</a></small>\n\n";

exit;

}

 

Needs to be changed to:

// if the redirect option is set: redirect them

if ($redirect) {

header ("Location: $redirect");

exit;

} else {

?>

(PASTE YOUR HTML CODE HERE... THE ENTIRE PAGE)

<?php

exit;

}

 

Sgarrett,

I stronly recommend that you take a break from this script. I say that from long frustrating nights at the computer with 8,000 line codes looking for a missing { .

 

In a few days, you'll see things that you aren't seeing now and the redirect option will seem like a snap.

 

The "hack" I've given you here is a workable but sloppy way to do it... A good script can be dropped into another website and be up and running with minor alterations.

 

Besides... as frustrating as this might be... you're learning php. (Like it or not)

Link to post
Share on other sites

For complex forms I opted for nms-FormMail. It is a drop-in replacement for original FormMail by Matt.

 

This is why:

- it seems secure enough. Written with security in mind. Used by many ISPs.

- well maintained. Last update less than a month ago.

- it is backward compatible with the original FormMail. It retains all form formatting. This saves a LOT of time.

- good documentation. Both readme and examples docs.

- available in easy and expert (modular package) downloads.

 

For added security I renamed the file from FormMail.pl to piggy.pl - works great.

 

Could this be secure enough for TCH?

Link to post
Share on other sites

Don't know if I'm supposed to post here since I'm a "newbie" but someone can delete this if that's the case.

 

For those who aren't well-versed in html, you can configure this simple form

(which works on TCH, as I tested it). It allows a name and email address,

will mail the results to you and has a redirect. Also you have a choice of round radio button option(s) that will allow your users one selection, square ones that allow more than one selection, as well as a drop down selection and comments field. You can also change the colors where applicable if you want. Obviously these will all need to be customized to suit your needs, so basic html knowledge is necessary. The form is courtesy of response-o-matic.com and you can get your own template by going to their site, or customize the one below, which has their link in the code. (it's free either way) I've highlighted in red the most important changes you need to make, and when you look at the form, you can see where your other changes would need to be made. Put it into notepad or Word and just change the text values to what you need. Here's what it looks like on a page (not customized) http://www.jadedesigns.org/testform.html

All you have to do if you're using a WYSIWYG editor is copy and paste the code into your page. Hope this is explained well enough for the html-challenged (like me! lol)

 

Deb

_______________________________________________________________

 

<!--start code-->

<HTML>

 

<HEAD>

 

<TITLE>Your Page Title Here</TITLE>

 

</HEAD>

 

<BODY BGCOLOR="#FFFFFF">

 

<FORM action="http://www.response-o-matic.com/cgi-bin/rom.pl" method="POST">

 

<H1><CENTER> </CENTER></H1>

 

<H1><CENTER><FONT COLOR="#000000">Thanks for visiting my site!</FONT>

 

</CENTER></H1>

 

<H3><CENTER>

 

<INPUT TYPE="hidden" NAME="your_email_address" VALUE="you@******">

 

<INPUT TYPE="hidden" NAME="your_name" VALUE="Your Name">

 

<INPUT TYPE="hidden" NAME="email_subject_line" VALUE="Subject Line Of Your Email">

 

<INPUT TYPE="hidden" NAME="required_fields" VALUE="your_email_address">

 

<INPUT TYPE="hidden" NAME="thank_you_title" VALUE="Thank you for joining">

 

<INPUT TYPE="hidden" NAME="return_link_url" VALUE="URL of the page you want the form to take your visitors to">

 

<INPUT TYPE="hidden" NAME="return_link_name" VALUE="Home">

 

<INPUT TYPE="hidden" NAME="background_color" VALUE="#FFFFFF">

 

<INPUT TYPE="hidden" NAME="text_color" VALUE="#000000">

 

<INPUT TYPE="hidden" NAME="link_color" VALUE="#0000FF">

 

<INPUT TYPE="hidden" NAME="visited_link_color" VALUE="#8000FF">

 

<INPUT TYPE="hidden" NAME="active_link_color" VALUE="#0000FF">

 

</CENTER></H3>

 

<H3><CENTER>Your comments are appreciated!</CENTER></H3>

 

<P><CENTER>Just complete this form. Click on Submit when ready to

 

send.</CENTER></P>

 

<H4> </H4>

 

<BLOCKQUOTE><P><TABLE BORDER=0 CELLSPACING=0>

 

<TR>

 

<TD WIDTH=116>

 

<H3>Your name:</H3>

 

</TD><TD>

 

<H4><INPUT TYPE="text" NAME="visitor_name" VALUE="" SIZE=50>

 

</H4>

 

</TD></TR>

 

<TR>

 

<TD WIDTH=116>

 

<H3>Email address:</H3>

 

</TD><TD>

 

<H4><INPUT TYPE="text" NAME="visitor_email_address" VALUE=""

 

SIZE=50></H4>

 

</TD></TR>

 

</TABLE></P>

 

<H3>Where do you want to go today?</H3>

 

<P><INPUT TYPE="radio" NAME="Where to?" VALUE="I don't know">I don't

 

know<BR>

 

<INPUT TYPE="radio" NAME="Where to?"

 

VALUE="Disneyland">Disneyland<BR>

 

<INPUT TYPE="radio" NAME="Where to?" VALUE="Bill Gate's house"

 

CHECKED>Bill Gate's house<BR>

 

<INPUT TYPE="radio" NAME="Where to?" VALUE="Back to bed">Back to bed

 

</P>

 

<P> </P>

 

<H3>What kind of movies do you like?</H3>

 

<P><INPUT TYPE="checkbox" NAME="Movies I like"

 

VALUE="Horror">Horror<BR>

 

<INPUT TYPE="checkbox" NAME="Movies I like"

 

VALUE="Science Fiction">Science Fiction<BR>

 

<INPUT TYPE="checkbox" NAME="Movies I like" VALUE="Romance"

 

CHECKED>Romance<BR>

 

<INPUT TYPE="checkbox" NAME="Movies I like" VALUE="Comedy">Comedy

 

</P></BLOCKQUOTE>

 

<P> </P>

 

<BLOCKQUOTE><H3>How many salesmen does it take to change a light

 

bulb?</H3>

 

<P><SELECT NAME="name">

 

<OPTION SELECTED>Who cares?

 

<OPTION>I hate this joke.

 

<OPTION>One

 

<OPTION>Two

 

<OPTION>Three

 

<OPTION>Only one.

 

</SELECT></P></BLOCKQUOTE>

 

<P> </P>

 

<BLOCKQUOTE><H3>Any comments?</H3>

 

<P><TEXTAREA NAME="Comment" ROWS=5 COLS=50></TEXTAREA></P>

 

</BLOCKQUOTE>

 

<H4> </H4>

 

<BLOCKQUOTE><P><INPUT TYPE="submit" NAME="Submit"

 

VALUE="Submit"><INPUT TYPE="reset" VALUE="Reset"></P></BLOCKQUOTE>

 

<P> </P>

 

</FORM>

 

</BODY>

 

</HTML>

<!--end code-->

 

______________________________________________________________

Link to post
Share on other sites

Ok folks.

 

It took abit of time, but we have patched the formail security holes.

 

Formail is now active again on all the servers.

 

Sorry it took a bit of time, we were just waiting on the patch from cPanel. Once we got it we wanted to make sure the darn thing was working.

 

After a bit of testing the patch appears to have worked.

 

So formail is back on.

 

Sorry for the confusion and the removal of formail, however I felt it in the best interest of the client base.

Link to post
Share on other sites

HG:

 

Thanks for your concern... it helps us all.

 

I would still recommend changing the name of the script for added security. Anything accept FormMail....

 

Send_It or even better, Send_TCH_It.

 

Thanks again.

Link to post
Share on other sites
  • 4 weeks later...
I have created the form and the .txt file. I have no cgiecho or cgiemail in my cgi-bin directory.

Same problem as shammer....no cgiecho or cgiemail directories......can anyone answer this?

Link to post
Share on other sites

cgiemail is installed as an alias on all the servers. It is not visible in your directory but you can use it. Here is an example of the html code I called questions.html.

 

<FORM METHOD="POST"

ACTION="http://www.domain.com/cgi-sys/cgiemail/scriptdir/questions3.txt">

 

Your e-mail address: <INPUT NAME="email"><p>

Your name: <INPUT NAME="yourname"><p>

Your question: <INPUT NAME="quest"><p>

Your favourite colour: <INPUT NAME="colour"><p>

<INPUT TYPE="submit" value="Send e-mail">

</FORM>

And here is the questions3.txt file it calls (that would be in a script directory called /scriptdir in your public_html directory:

 

To: username@domain.com

Subject: Questionaire

 

What is your name?              [yourname]

What is your question?             [quest]  

What is your favourite colour?  [colour]

 

Note the blank lines in the txt file.

Link to post
Share on other sites
cgiemail is installed as an alias on all the servers. It is not visible in your directory but you can use it. Here is an example of the html code I called questions.html.

 

<FORM METHOD="POST"

ACTION="http://www.domain.com/cgi-sys/cgiemail/scriptdir/questions3.txt">

 

Your e-mail address: <INPUT NAME="email"><p>

Your name: <INPUT NAME="yourname"><p>

Your question: <INPUT NAME="quest"><p>

Your favourite colour: <INPUT NAME="colour"><p>

<INPUT TYPE="submit" value="Send e-mail">

</FORM>

 

And here is the questions3.txt file it calls (that would be in a script directory called /scriptdir in your public_html directory:

 

To: username@domain.com

Subject: Questionaire

 

What is your name?              [yourname]What is your question?             [quest]  

What is your favourite colour?  [colour]

 

Note the blank lines in the txt file.

:( Thanks rick.....no problem with the questions3.txt, but is this whole part (in bold) an alias??

 

http://www.domain.com/cgi-sys/cgiemail/scriptdir/questions3.txt

 

because all I have under my public_html dir is a cgi-bin dir....??

 

Can I assume that whole dir is an alias an use it as my ACTION....but then how do I add the .txt file to the scriptdir if it is not there? :angry:

Link to post
Share on other sites

The /cgi-sys/cgiemail is the script location. The /scriptdir is where you want to put your .txt file. In my example, you would create a directory called /scriptdir in your public_html folder and then put your .txt files in it. You write the .txt file to match what you want sent to you. If you have your .txt and .html files in your public_html directory you would just omit the /scriptdir completely. Hope that clears it up a little more.

Link to post
Share on other sites

FWIW...I had the same type of questions. After searching various FAQ's and getting help from various people in different forums, here's what I ended up doing. (And it works great!)

 

First, I put the following in my form located in my /public_html directory:

 

action="http://www.yoursite.com/cgi-sys/cgiemail/cgi-bin/eval_templ.txt"

 

Next, I put the text file "eval_templ.txt" in my /cgi-bin, and changed the permissions to 644.

 

I'm not sure it's the best way to do it, but it works fine for me! Hope it helps!

Link to post
Share on other sites
FWIW...I had the same type of questions.  After searching various FAQ's and getting help from various people in different forums, here's what I ended up doing.  (And it works great!)

 

First, I put the following in my form located in my /public_html directory:

 

action="http://www.yoursite.com/cgi-sys/cgiemail/cgi-bin/eval_templ.txt"

 

Next, I put the text file "eval_templ.txt" in my /cgi-bin, and changed the permissions to 644.

 

I'm not sure it's the best way to do it, but it works fine for me!  Hope it helps!

Thumbs Up Thanks folks for all the help....so cgi-sys/cgiemail is an alias under everyone's public_html dir (and you can change the cgiemail to cgiecho to test), and you can put the .txt file wherever, as long as you call it properly in the ACTION.

 

Stevevan, would it be possible to get a copy of your eval_templ.txt to see how it is formatted?

Link to post
Share on other sites
  • 2 months later...

;)

Help!

I'm just not good at this stuff. I took all the steps of the php form posted here but am lost as to how to write where it posts.

Create your form and POST the form to the script you just created

 

thanks.php page

 

I did this, make the thank you page. But the form isn't working, I'm sure I don't know what I"m doing!

Can anyone help out an html dummy like me?

 

Thank you!

Link to post
Share on other sites

Hi Jen

 

Can you give us a link to the page with your forms and tell us which php script you have used?

 

There will be a place within the PHP where you can set where the emails go.

 

Andy

Link to post
Share on other sites

Just spent about two hours, but finally got it to work. The only part of the code that through me was this part:

$redirect = "http://www.mysite.com/thanks.php";

 

I now see it needs to be "thanks.htm", or it wouldn't work.

 

Getting the form to post properly while using Frontpage 2002 (without editing html directly) took some experimenting, but here's how I did it:

 

Under form properties (while your web is open live), check "send to other". Leave "Form name" and "Target frame" blank. Instead, select "options", then enter path to script under "action". In other words, the action field would show something like: phpbin/sendit.php.

 

I also added an index file to the phpbin folder, so people can't browse directly to that folder.

 

Thanks to surefire for some pretty decent directions.

442

Link to post
Share on other sites

OK, now I get. I could have made my thanks page in Frontpage and then saved it as "thanks.php". I didn't realize a browser would recognize that extension - and didn't realize it was interchangeable with the htm extension.

 

I had uploaded a thanks.htm page and didn't understand why it didn't work with thanks.php in the script. But this was my first ever intro to dealing with php.

 

The light in my head is getting brighter.

 

442

Link to post
Share on other sites
I also added an index file to the phpbin folder, so people can't browse directly to that folder.

 

Yep. That's a good idea. The next version will contain an index page.

Link to post
Share on other sites
  • 4 years later...

Not to revive an old dead thread, but now that I'm doing sites again, I couldn't figure out why when testing a form, I couldn't get it to work. After hours of trying different things, researching, I ended up here. I tried the suggestion of the txt file and POSTing to that, but couldn't get it to work for the life of me. Thankfully, the PHP solution worked right out of the box, so to speak. Big thanks. I've more sites to update now, but at least I know they'll work.

 

Thanks guys and gals.

yahoo.gif

 

 

fan1.gif

 

 

good.gif

Link to post
Share on other sites
Not to revive an old dead thread, but now that I'm doing sites again, I couldn't figure out why when testing a form, I couldn't get it to work. After hours of trying different things, researching, I ended up here. I tried the suggestion of the txt file and POSTing to that, but couldn't get it to work for the life of me. Thankfully, the PHP solution worked right out of the box, so to speak. Big thanks. I've more sites to update now, but at least I know they'll work.

 

Thanks guys and gals.

Ok, maybe I spoke too soon. When using it on two sites that are in subdomains under my site for testing purposes, they work great. However, when I installed it for my own site, I keep getting the Server Error page. Any thoughts?

 

 

 

 

Anyone?

 

 

 

 

 

Bueller?

:)

Link to post
Share on other sites

Not to be a jerk but please open a new thread, tell what script you are using and what problem you are having. This thread is over 4 years old and several scripts are being mentioned in here and TCH does not support formmail.cgi or formmail.pl any longer. About 4 years now.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
×
×
  • Create New...