Form selector

Paul Watt

Hi Guys,
I'm building an email form in an XHTML Strict page. I want to have a drop down
selector box with 3 options in it (x,y,z for example). If x is selected I
want x to be in the subject line of the email. How can I do this? Can it be
done without Javascript?

Cheers and TIA,
 
William Tasso

Fleeing from the madness of the jungle
Paul Watt <[email protected]> stumbled into
news:alt.html,alt.www.webmaster
and said:
Hi Guys,
I'm building an email form in an XHTML Strict page. I want to have a drop down
selector box with 3 options in it (x,y,z for example). If x is selected I
want x to be in the subject line of the email. How can I do this? Can it be
done without Javascript?

yes - the script that processes the form makes all the decisions about
what data to use.
 
Martin Jay

Paul Watt said:
I'm building an email form in an XHTML Strict page. I want to have a drop down
selector box with 3 options in it (x,y,z for example). If x is selected I
want x to be in the subject line of the email. How can I do this? Can it be
done without Javascript?

Do you want to send the email using a mailto link, such as:

<a href="mailto:[email protected]?subject=Email subject"> ?

Selecting the subject from a drop down menu without using a script isn't
possible.

Another thing to bear in mind is that not everyone has a default email
client set up on the computer they're using, so this sort of link may
fail. :(
 
Paul Watt

Martin Jay said:
Do you want to send the email using a mailto link, such as:

<a href="mailto:[email protected]?subject=Email subject"> ?

Selecting the subject from a drop down menu without using a script isn't
possible.

Another thing to bear in mind is that not everyone has a default email
client set up on the computer they're using, so this sort of link may
fail. :(

I wasn't going to use a mailto link, probably a cgi or php processor
 
Martin Jay

I wasn't going to use a mailto link, probably a cgi or php processor

Okay, that's good.

So in your HTML you'll have something like this:

<select name="subject">
<option value="Subject 1" SELECTED>Subject 1</option>
<option value="Subject 2">Subject 2</option>
<option value="Subject 3">Subject 3</option>
</select>

Just POST that off to your PHP script and then use the mail command:

$subject = $_POST['subject'];

/* It's probably a good idea to include this so you don't end up with \'
and \" in the subject */

$subject = stripslashes($subject);

mail($to, $subject, $message);
 
Jerry Stuckle

Martin said:
Paul Watt said:
I wasn't going to use a mailto link, probably a cgi or php processor


Okay, that's good.

So in your HTML you'll have something like this:

<select name="subject">
<option value="Subject 1" SELECTED>Subject 1</option>
<option value="Subject 2">Subject 2</option>
<option value="Subject 3">Subject 3</option>
</select>

Just POST that off to your PHP script and then use the mail command:

$subject = $_POST['subject'];

/* It's probably a good idea to include this so you don't end up with \'
and \" in the subject */

$subject = stripslashes($subject);

mail($to, $subject, $message);

Do this and you will be ripe for becoming a spam relay. At a minimum you need to
ensure there are no newline characters in the input.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
(e-mail address removed)
==================
 
Martin Jay

Jerry Stuckle said:
Martin said:
Okay, that's good.
So in your HTML you'll have something like this:
<select name="subject">
<option value="Subject 1" SELECTED>Subject 1</option>
<option value="Subject 2">Subject 2</option>
<option value="Subject 3">Subject 3</option>
</select>
Just POST that off to your PHP script and then use the mail command:
$subject = $_POST['subject'];
/* It's probably a good idea to include this so you don't end up
with \'
and \" in the subject */
$subject = stripslashes($subject);
mail($to, $subject, $message);
Do this and you will be ripe for becoming a spam relay. At a minimum
you need to ensure there are no newline characters in the input.

Please explain why.
 
Jerry Stuckle

Martin said:
Jerry Stuckle said:
Martin said:
Okay, that's good.
So in your HTML you'll have something like this:
<select name="subject">
<option value="Subject 1" SELECTED>Subject 1</option>
<option value="Subject 2">Subject 2</option>
<option value="Subject 3">Subject 3</option>
</select>
Just POST that off to your PHP script and then use the mail command:
$subject = $_POST['subject'];
/* It's probably a good idea to include this so you don't end up
with \'
and \" in the subject */
$subject = stripslashes($subject);
mail($to, $subject, $message);

Do this and you will be ripe for becoming a spam relay. At a minimum
you need to ensure there are no newline characters in the input.


Please explain why.


Google "Email injection" for a lot more info. But basically - the user could
enter something like:

This is a spammer subject
bcc: (e-mail address removed), (e-mail address removed)

And so on. Quite easy to do - and used by a lot of spammers. Unsecured scripts
are used by a lot of spammers. Try another search on

spam formmail

And see what pops up.




--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
(e-mail address removed)
==================
 
Martin Jay

Jerry Stuckle said:
Martin said:
Jerry said:
Martin Jay wrote:

Okay, that's good.
So in your HTML you'll have something like this:
<select name="subject">
<option value="Subject 1" SELECTED>Subject 1</option>
<option value="Subject 2">Subject 2</option>
<option value="Subject 3">Subject 3</option>
</select>
Just POST that off to your PHP script and then use the mail command:
$subject = $_POST['subject'];
/* It's probably a good idea to include this so you don't end up
with \'
and \" in the subject */
$subject = stripslashes($subject);
mail($to, $subject, $message);
Do this and you will be ripe for becoming a spam relay. At a minimum
you need to ensure there are no newline characters in the input.
Please explain why.
Google "Email injection" for a lot more info. But basically - the user
could enter something like:

This is a spammer subject
bcc: (e-mail address removed), (e-mail address removed)

And so on. Quite easy to do - and used by a lot of spammers. Unsecured
scripts are used by a lot of spammers. Try another search on

spam formmail

And see what pops up.

I (think) I understand the principle, but I cannot replicate it.

The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
'bcc' fields in its header, which it isn't. Well, not until it reaches
its destination, maybe.

I emailed Paul an example script earlier. I've also uploaded it to:
<http://www.spam-free.org.uk/pages/email_test.php>.

I would be interested to see how the spamming technique you mention can
be used with it. I have changed the form method from POST to GET to
make it easier to 'hack.'
 
Jerry Stuckle

Martin said:
Jerry Stuckle said:
Martin said:
In message <[email protected]>, Jerry

Martin Jay wrote:

Okay, that's good.
So in your HTML you'll have something like this:
<select name="subject">
<option value="Subject 1" SELECTED>Subject 1</option>
<option value="Subject 2">Subject 2</option>
<option value="Subject 3">Subject 3</option>
</select>
Just POST that off to your PHP script and then use the mail command:
$subject = $_POST['subject'];
/* It's probably a good idea to include this so you don't end up
with \'
and \" in the subject */
$subject = stripslashes($subject);
mail($to, $subject, $message);
Do this and you will be ripe for becoming a spam relay. At a minimum
you need to ensure there are no newline characters in the input.

Please explain why.

Google "Email injection" for a lot more info. But basically - the
user could enter something like:

This is a spammer subject
bcc: (e-mail address removed), (e-mail address removed)

And so on. Quite easy to do - and used by a lot of spammers.
Unsecured scripts are used by a lot of spammers. Try another search on

spam formmail

And see what pops up.


I (think) I understand the principle, but I cannot replicate it.

The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
'bcc' fields in its header, which it isn't. Well, not until it reaches
its destination, maybe.

I emailed Paul an example script earlier. I've also uploaded it to:
<http://www.spam-free.org.uk/pages/email_test.php>.

I would be interested to see how the spamming technique you mention can
be used with it. I have changed the form method from POST to GET to
make it easier to 'hack.'

Either way. I just make a local copy of your form, edit it to add the headers I
want, and post it back to you. For instance, I place in the subject field:

This is spam
bcc: (e-mail address removed)

And off it goes. The more fields I add, the more I'm sending.

Not hard at all.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
(e-mail address removed)
==================
 
Martin Jay

Either way. I just make a local copy of your form, edit it to add the
headers I want, and post it back to you. For instance, I place in the
subject field:

This is spam
bcc: (e-mail address removed)

And off it goes. The more fields I add, the more I'm sending.

Not hard at all.

Hmmm...

I've replaced the page I mentioned earlier with one that allows you to
download a copy of the form script.

Put it on your local server and try your theory out.

I cannot replicate the problem you highlighted. :(
 
Martin Jay

Martin Jay said:
The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
'bcc' fields in its header, which it isn't. Well, not until it reaches
its destination, maybe.

This is incorrect. Email *IS* sent to email addresses listed in the
'to,' 'cc,' and 'bcc' fields of the header.
 
Toby Inkster

Jerry said:
Do this and you will be ripe for becoming a spam relay. At a minimum you
need to ensure there are no newline characters in the input.

It's more the fourth parameter where you're likely to run into trouble. Of
course it doesn't hurt to treat the subject line with a bit of suspicion
too.
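
The checks raised in the posts above (no newline characters in the subject, and care with the fourth `mail()` parameter), as an added example that is not code from any poster in this thread. It accepts the subject only when it matches one of the form's three options and validates a visitor-supplied address before it becomes a header; the `email` field, the addresses and the sample requests are constructed assumptions.

```php
<?php
// Added example; addresses, option labels and the "email" field are placeholders.
// The drop-down offers a fixed set, so the server accepts only those values.
const ALLOWED_SUBJECTS = ['Subject 1', 'Subject 2', 'Subject 3'];

// CR or LF in a header value ends the header line, so the rest of the
// input would be read as additional headers (for example a Bcc line).
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Returns the subject to use, or null when the request must be rejected.
function pick_subject(array $post): ?string
{
    $subject = $post['subject'] ?? null;
    if (!is_string($subject) || !in_array($subject, ALLOWED_SUBJECTS, true)) {
        return null;
    }
    return $subject;
}

// Builds the fourth mail() parameter; null unless one valid address.
function build_reply_to($address): ?string
{
    if (!is_string($address) || !is_safe_header_value($address)
        || filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return 'Reply-To: ' . $address;
}

// Constructed requests: the real form, then two edited copies of it.
$samples = [
    ['subject' => 'Subject 2', 'email' => 'visitor@example.com'],
    ['subject' => "This is spam\r\nBcc: a@example.org", 'email' => 'visitor@example.com'],
    ['subject' => 'Subject 1', 'email' => "visitor@example.com\r\nBcc: a@example.org"],
];

foreach ($samples as $post) {
    $subject = pick_subject($post);
    $headers = build_reply_to($post['email'] ?? null);
    if ($subject === null || $headers === null) {
        echo "rejected\n";
        continue;
    }
    // Real script: mail('webmaster@example.com', $subject, $message, $headers);
    echo "would send: {$subject} | {$headers}\n";
}
```

Because the allow-list compares against the exact option values, an edited copy of the form cannot supply any other subject, with or without newlines.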
 
Jerry Stuckle

Martin said:
Hmmm...

I've replaced the page I mentioned earlier with one that allows you to
download a copy of the form script.

Put it on your local server and try your theory out.

I cannot replicate the problem you highlighted. :(

Martin,

Sorry, I have too many other things to do than to download scripts and test them
on my server. I gave you the references and some suggestions. I really don't
wish to spend the time "proving to you I'm right".



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
(e-mail address removed)
==================
 
