Form selector

Discussion in 'HTML' started by Paul Watt, Apr 28, 2006.

  1. Paul Watt

    Paul Watt Guest

    Hi Guys,
    I'm building a email form in a XHTML Strict page. I want to have a drop down
    selector box with 3 options in it (x,y,z for example). If x is selected I
    want x to be in the subject line of the email. How can I do this? Can it be
    done without Javascript?

    Cheers ans TIA,

    --

    Paul Watt
    http://www.paulwatt.info
     
    Paul Watt, Apr 28, 2006
    #1
    1. Advertising

  2. Fleeing from the madness of the jungle
    Paul Watt <> stumbled into
    news:alt.html,alt.www.webmaster
    and said:

    > Hi Guys,
    > I'm building a email form in a XHTML Strict page. I want to have a drop
    > down
    > selector box with 3 options in it (x,y,z for example). If x is selected I
    > want x to be in the subject line of the email. How can I do this? Can it
    > be
    > done without Javascript?


    yes - the script that processes the form makes all the decisions about
    what data to use.

    --
    William Tasso

    http://williamtasso.com/words/what-is-usenet.asp
     
    William Tasso, Apr 28, 2006
    #2
    1. Advertising

  3. Paul Watt

    Martin Jay Guest

    In message <>, Paul Watt
    <> writes
    >I'm building a email form in a XHTML Strict page. I want to have a drop down
    >selector box with 3 options in it (x,y,z for example). If x is selected I
    >want x to be in the subject line of the email. How can I do this? Can it be
    >done without Javascript?


    Do you want to send the email using a mailto link, such as:

    <a href="mailto:?subject=Email subject"> ?

    Selecting the subject from a drop down menu without using a script isn't
    possible.

    Another thing to bear in mind is that not everyone has a default email
    client set up on the computer they're using, so this sort of link may
    fail. :(
    --
    Martin Jay
     
    Martin Jay, Apr 28, 2006
    #3
  4. Paul Watt

    Paul Watt Guest

    "Martin Jay" <> wrote in message
    news:...
    > In message <>, Paul Watt
    > <> writes
    >>I'm building a email form in a XHTML Strict page. I want to have a drop
    >>down
    >>selector box with 3 options in it (x,y,z for example). If x is selected I
    >>want x to be in the subject line of the email. How can I do this? Can it
    >>be
    >>done without Javascript?

    >
    > Do you want to send the email using a mailto link, such as:
    >
    > <a href="mailto:?subject=Email subject"> ?
    >
    > Selecting the subject from a drop down menu without using a script isn't
    > possible.
    >
    > Another thing to bear in mind is that not everyone has a default email
    > client set up on the computer they're using, so this sort of link may
    > fail. :(


    I wasn't going to use a mailto link, proberbly a cgi or php processor
     
    Paul Watt, Apr 28, 2006
    #4
  5. Paul Watt

    Martin Jay Guest

    In message <>, Paul Watt
    <> writes
    >"Martin Jay" <> wrote in message
    >news:...
    >> In message <>, Paul Watt
    >> <> writes
    >>>I'm building a email form in a XHTML Strict page. I want to have a drop
    >>>down
    >>>selector box with 3 options in it (x,y,z for example). If x is selected I
    >>>want x to be in the subject line of the email. How can I do this? Can it
    >>>be
    >>>done without Javascript?


    >> Do you want to send the email using a mailto link, such as:
    >>
    >> <a href="mailto:?subject=Email subject"> ?
    >>
    >> Selecting the subject from a drop down menu without using a script isn't
    >> possible.
    >>
    >> Another thing to bear in mind is that not everyone has a default email
    >> client set up on the computer they're using, so this sort of link may
    >> fail. :(


    >I wasn't going to use a mailto link, proberbly a cgi or php processor


    Okay, that's good.

    So in your HTML you'll have something like the:

    <select name="subject">
    <option value="Subject 1" SELECTED>Subject 1</option>
    <option value="Subject 2">Subject 2</option>
    <option value="Subject 3">Subject 3</option>
    </select>

    Just POST that off to your PHP script and then use the mail command:

    $subject = $_POST['subject'];

    /* It's probably a good idea to include this so you don't end up with \'
    and \" in the subject */

    $subject = stripslashes($subject);

    mail($to, $subject, $message);
    --
    Martin Jay
     
    Martin Jay, Apr 28, 2006
    #5
  6. Martin Jay wrote:
    > In message <>, Paul Watt
    > <> writes
    >
    >>"Martin Jay" <> wrote in message
    >>news:...
    >>
    >>>In message <>, Paul Watt
    >>><> writes
    >>>
    >>>>I'm building a email form in a XHTML Strict page. I want to have a drop
    >>>>down
    >>>>selector box with 3 options in it (x,y,z for example). If x is selected I
    >>>>want x to be in the subject line of the email. How can I do this? Can it
    >>>>be
    >>>>done without Javascript?

    >
    >
    >>>Do you want to send the email using a mailto link, such as:
    >>>
    >>><a href="mailto:?subject=Email subject"> ?
    >>>
    >>>Selecting the subject from a drop down menu without using a script isn't
    >>>possible.
    >>>
    >>>Another thing to bear in mind is that not everyone has a default email
    >>>client set up on the computer they're using, so this sort of link may
    >>>fail. :(

    >
    >
    >>I wasn't going to use a mailto link, proberbly a cgi or php processor

    >
    >
    > Okay, that's good.
    >
    > So in your HTML you'll have something like the:
    >
    > <select name="subject">
    > <option value="Subject 1" SELECTED>Subject 1</option>
    > <option value="Subject 2">Subject 2</option>
    > <option value="Subject 3">Subject 3</option>
    > </select>
    >
    > Just POST that off to your PHP script and then use the mail command:
    >
    > $subject = $_POST['subject'];
    >
    > /* It's probably a good idea to include this so you don't end up with \'
    > and \" in the subject */
    >
    > $subject = stripslashes($subject);
    >
    > mail($to, $subject, $message);


    Do this and you will be ripe for becoming a spam relay. At a minimum you need to
    ensure there are no newline characters in the input.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.

    ==================
     
    Jerry Stuckle, Apr 28, 2006
    #6
  7. Paul Watt

    Martin Jay Guest

    In message <>, Jerry Stuckle
    <> writes
    >Martin Jay wrote:
    >> Okay, that's good.
    >> So in your HTML you'll have something like the:
    >> <select name="subject">
    >> <option value="Subject 1" SELECTED>Subject 1</option>
    >> <option value="Subject 2">Subject 2</option>
    >> <option value="Subject 3">Subject 3</option>
    >> </select>
    >> Just POST that off to your PHP script and then use the mail command:
    >> $subject = $_POST['subject'];
    >> /* It's probably a good idea to include this so you don't end up
    >>with \'
    >> and \" in the subject */
    >> $subject = stripslashes($subject);
    >> mail($to, $subject, $message);


    >Do this and you will be ripe for becoming a spam relay. At a minimum
    >you need to ensure there are no newline characters in the input.


    Please explain why.
    --
    Martin Jay
     
    Martin Jay, Apr 28, 2006
    #7
  8. Martin Jay wrote:
    > In message <>, Jerry Stuckle
    > <> writes
    >
    >> Martin Jay wrote:
    >>
    >>> Okay, that's good.
    >>> So in your HTML you'll have something like the:
    >>> <select name="subject">
    >>> <option value="Subject 1" SELECTED>Subject 1</option>
    >>> <option value="Subject 2">Subject 2</option>
    >>> <option value="Subject 3">Subject 3</option>
    >>> </select>
    >>> Just POST that off to your PHP script and then use the mail command:
    >>> $subject = $_POST['subject'];
    >>> /* It's probably a good idea to include this so you don't end up
    >>> with \'
    >>> and \" in the subject */
    >>> $subject = stripslashes($subject);
    >>> mail($to, $subject, $message);

    >
    >
    >> Do this and you will be ripe for becoming a spam relay. At a minimum
    >> you need to ensure there are no newline characters in the input.

    >
    >
    > Please explain why.



    Google "Email injection" for a lot more info. But basically - the user could
    enter something like:

    This is a spammer subject
    bcc: ,

    And so on. Quit easy to do - and used by a lot of spammers. Unsecured scripts
    are used by a lot of spammers. Try another search on

    spam formmail

    And see what pops up.




    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.

    ==================
     
    Jerry Stuckle, Apr 28, 2006
    #8
  9. Paul Watt

    Martin Jay Guest

    In message <>, Jerry Stuckle
    <> writes
    >Martin Jay wrote:
    >> In message <>, Jerry
    >>Stuckle <> writes
    >>
    >>> Martin Jay wrote:
    >>>
    >>>> Okay, that's good.
    >>>> So in your HTML you'll have something like the:
    >>>> <select name="subject">
    >>>> <option value="Subject 1" SELECTED>Subject 1</option>
    >>>> <option value="Subject 2">Subject 2</option>
    >>>> <option value="Subject 3">Subject 3</option>
    >>>> </select>
    >>>> Just POST that off to your PHP script and then use the mail command:
    >>>> $subject = $_POST['subject'];
    >>>> /* It's probably a good idea to include this so you don't end up
    >>>>with \'
    >>>> and \" in the subject */
    >>>> $subject = stripslashes($subject);
    >>>> mail($to, $subject, $message);


    >>> Do this and you will be ripe for becoming a spam relay. At a minimum
    >>>you need to ensure there are no newline characters in the input.

    >> Please explain why.


    >Google "Email injection" for a lot more info. But basically - the user
    >could enter something like:
    >
    > This is a spammer subject
    > bcc: ,
    >
    >And so on. Quit easy to do - and used by a lot of spammers. Unsecured
    >scripts are used by a lot of spammers. Try another search on
    >
    > spam formmail
    >
    >And see what pops up.


    I (think) I understand the principle, but I cannot replicate it.

    The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
    'bcc' fields in its header, which is isn't. Well, not until it reaches
    its destination, maybe.

    I emailed Paul an example script earlier. I've also uploaded it to:
    <http://www.spam-free.org.uk/pages/email_test.php>.

    I would be interested to see how the spamming technique you mention can
    be used with it. I have changed the form method from POST to GET to
    make it easier to 'hack.'
    --
    Martin Jay
     
    Martin Jay, Apr 28, 2006
    #9
  10. Martin Jay wrote:
    > In message <>, Jerry Stuckle
    > <> writes
    >
    >> Martin Jay wrote:
    >>
    >>> In message <>, Jerry
    >>> Stuckle <> writes
    >>>
    >>>> Martin Jay wrote:
    >>>>
    >>>>> Okay, that's good.
    >>>>> So in your HTML you'll have something like the:
    >>>>> <select name="subject">
    >>>>> <option value="Subject 1" SELECTED>Subject 1</option>
    >>>>> <option value="Subject 2">Subject 2</option>
    >>>>> <option value="Subject 3">Subject 3</option>
    >>>>> </select>
    >>>>> Just POST that off to your PHP script and then use the mail command:
    >>>>> $subject = $_POST['subject'];
    >>>>> /* It's probably a good idea to include this so you don't end up
    >>>>> with \'
    >>>>> and \" in the subject */
    >>>>> $subject = stripslashes($subject);
    >>>>> mail($to, $subject, $message);

    >
    >
    >>>> Do this and you will be ripe for becoming a spam relay. At a minimum
    >>>> you need to ensure there are no newline characters in the input.
    >>>
    >>> Please explain why.

    >
    >
    >> Google "Email injection" for a lot more info. But basically - the
    >> user could enter something like:
    >>
    >> This is a spammer subject
    >> bcc: ,
    >>
    >> And so on. Quit easy to do - and used by a lot of spammers.
    >> Unsecured scripts are used by a lot of spammers. Try another search on
    >>
    >> spam formmail
    >>
    >> And see what pops up.

    >
    >
    > I (think) I understand the principle, but I cannot replicate it.
    >
    > The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
    > 'bcc' fields in its header, which is isn't. Well, not until it reaches
    > its destination, maybe.
    >
    > I emailed Paul an example script earlier. I've also uploaded it to:
    > <http://www.spam-free.org.uk/pages/email_test.php>.
    >
    > I would be interested to see how the spamming technique you mention can
    > be used with it. I have changed the form method from POST to GET to
    > make it easier to 'hack.'


    Either way. I just make a local copy of your form, edit it to add the headers I
    want, and post it back to you. For instance, I place in the subject field:

    This is spam
    bcc:

    And off it goes. The more fields I add, the more I'm sending.

    Not hard at all.


    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.

    ==================
     
    Jerry Stuckle, Apr 29, 2006
    #10
  11. Paul Watt

    Martin Jay Guest

    In message <>, Jerry Stuckle
    <> writes
    >Martin Jay wrote:
    >> I (think) I understand the principle, but I cannot replicate it.
    >> The 'hack' seems to rely on email being routed by the 'to,' 'cc,'
    >>and 'bcc' fields in its header, which is isn't. Well, not until it
    >>reaches its destination, maybe.


    >> I emailed Paul an example script earlier. I've also uploaded it to:
    >><http://www.spam-free.org.uk/pages/email_test.php>.


    >> I would be interested to see how the spamming technique you mention
    >>can be used with it. I have changed the form method from POST to GET
    >>to make it easier to 'hack.'


    >Either way. I just make a local copy of your form, edit it to add the
    >headers I want, and post it back to you. For instance, I place in the
    >subject field:
    >
    > This is spam
    > bcc:
    >
    >And off it goes. The more fields I add, the more I'm sending.
    >
    >Not hard at all.


    Hmmm...

    I've replaced the page I mentioned earlier with one that allows you to
    download a copy of the form script.

    Put it on your local server and try your theory out.

    I cannot replicate the problem you highlighted. :(
    --
    Martin Jay
     
    Martin Jay, Apr 29, 2006
    #11
  12. Paul Watt

    Martin Jay Guest

    In message <>, Martin Jay
    <> writes
    >The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
    >'bcc' fields in its header, which is isn't. Well, not until it reaches
    >its destination, maybe.


    This is incorrect. Email *IS* sent to email addresses listed in the
    'to,' 'cc,' and 'bcc' fields of the header.
    --
    Martin Jay
     
    Martin Jay, Apr 29, 2006
    #12
  13. Paul Watt

    Toby Inkster Guest

    Jerry Stuckle wrote:

    > Do this and you will be ripe for becoming a spam relay. At a minimum you
    > need to ensure there are no newline characters in the input.


    It's more the fourth parameter where you're likely to run into trouble. Of
    course it doesn't hurt to treat the subject line with a bit of suspicion
    too.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me ~ http://tobyinkster.co.uk/contact
    Now Playing ~ ./who/baba_oriley.ogg
     
    Toby Inkster, Apr 29, 2006
    #13
  14. Martin Jay wrote:
    > In message <>, Jerry Stuckle
    > <> writes
    >
    >> Martin Jay wrote:
    >>
    >>> I (think) I understand the principle, but I cannot replicate it.
    >>> The 'hack' seems to rely on email being routed by the 'to,' 'cc,'
    >>> and 'bcc' fields in its header, which is isn't. Well, not until it
    >>> reaches its destination, maybe.

    >
    >
    >>> I emailed Paul an example script earlier. I've also uploaded it to:
    >>> <http://www.spam-free.org.uk/pages/email_test.php>.

    >
    >
    >>> I would be interested to see how the spamming technique you mention
    >>> can be used with it. I have changed the form method from POST to
    >>> GET to make it easier to 'hack.'

    >
    >
    >> Either way. I just make a local copy of your form, edit it to add the
    >> headers I want, and post it back to you. For instance, I place in the
    >> subject field:
    >>
    >> This is spam
    >> bcc:
    >>
    >> And off it goes. The more fields I add, the more I'm sending.
    >>
    >> Not hard at all.

    >
    >
    > Hmmm...
    >
    > I've replaced the page I mentioned earlier with one that allows you to
    > download a copy of the form script.
    >
    > Put it on your local server and try your theory out.
    >
    > I cannot replicate the problem you highlighted. :(


    Martin,

    Sorry, I have too many other things to do than to download scripts and test them
    on my server. I gave you the references and some suggestions. I really don't
    wish to spend the time "proving to you I'm right".



    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.

    ==================
     
    Jerry Stuckle, Apr 29, 2006
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    6
    Views:
    4,467
    Douglas Sykora
    Feb 11, 2005
  2. Chris

    Color selector

    Chris, Dec 10, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    351
    Jose L Rodriguez
    Dec 10, 2003
  3. Brian Henry
    Replies:
    2
    Views:
    649
    Steven Cheng[MSFT]
    Jul 22, 2004
  4. Brian Henry
    Replies:
    3
    Views:
    6,149
  5. Johnny Holland

    Person Selector Control

    Johnny Holland, Mar 30, 2005, in forum: ASP .Net
    Replies:
    0
    Views:
    396
    Johnny Holland
    Mar 30, 2005
Loading...

Share This Page