Search:

Summary | Source files | Configuration | Examples | References

EMAILFORM

The EMAILFORM script, written in PHP, generates XHTML code for a form delivering simple messages as emails. In addition to merely sending email messages, the script also performs certain checks to determine whether the message is to be considered as spam or not, and in the footer of the sent emails, a link for looking up the sender's IP address is provided. The EMAILFORM script forms the server-side engine for the messaging form which may be found at jonsson.eu.

Summary of the script

The parameters supplied via the fields of the form are posted by the script to itself, in the second run performing tasks as spam checking etc., hence providing a self-consistent and simple way of handling checking of user input and guidance messages. The script employs either an intrinsic sendmail functionality, such as in Apache servers shipped natively with Apple's OS X, or the SMTP mail instance of the PEAR [1] extension of PHP. Currently, the EMAILFORM script supports dynamic switching between two languages: English (default) and Swedish. In order to provide headers, labels or help messages in other languages, a few easily identifiable strings in the code need to be translated into the desired language.

In addition to merely sending email messages, the script also performs checks to determine whether the message is to be considered as spam or not, and in the footer of the sent emails, a link for looking up the sender's IP address in the RIPE.net whois server is provided. Typically, this feature is useful for identifying addresses behind malicious intrusion or spam attempts.

Before sending any message, the EMAILFORM script constructs a simple test form which the user needs to pass, in order to separate real user from web crawlers and robots. This way the spam is considerably reduced, if not to say entirely eliminated.

The (X)HTML code generated by the EMAILFORM script conforms to the XHTML 1.0 Strict specification. According to the XHTML 1.0 Strict document type definition (DTD) no <input> elements are allowed as direct descendants within <form> block, for some strange reason. Therefore, any <input> block is here wrapped up within a <p> (paragraph) block, in spite of that some of the <input> being hidden. The wrapping within <p> blocks is here a bit odd, as the <input> blocks clearly have a place within <form>, while the <input> blocks hardly could be considered as paragraphs. The only reason for this rather strange construction, as far as I have found it, is to make the code pass the XHTML 1.0 Strict validation, which it clearly does.

Current revision

Revision 1.23, as of 23/06/2009. Copyright © Fredrik Jonsson 2006-2009, under GPL

Source files

emailform.php [61 kB] The entire PHP code for the EMAILFORM script, containing all necessary routines in one single file.
[ download | view source ]

Settings

In the emailform($lang) function, there are a few settings which need to be modified in order to configure EMAILFORM to operate properly on your particular web server. These parameters determine the way EMAILFORM reponds to user input and how it delivers the messages.

First of all, define which fields to display at all. Any of these boolean switches which take the value false will prohibit the respective field to be displayed. As for my personal opinion, I think that the "Subject" field is rather silly, but some users may consider it useful anyway, since it is a quite revealing indicator of any spam that may have slipped through the check.

$DO_DISPLAY_SENDERS_NAME_FIELD

A Boolean parameter that determines whether to display the "Your name:" field or not. Recommended setting: true.

$DO_DISPLAY_SENDERS_EMAIL_FIELD

A Boolean parameter that determines whether to display the "Your email:" field or not. Recommended setting: true.

$DO_DISPLAY_SUBJECT_FIELD

A Boolean parameter that determines whether to display the "Subject:" field or not. Recommended setting: false. (The subject is rather clear anyway in the usually short messages delivered via web forms.)

Next, the following parameters determine the required fields of the form, to which additional checks will be applied before any email is sent. In other words, these parameters determine which of the fields that will be considered as essential information to allow the message to be delivered. Again, my personal opinion is that the senders email address always should be required, but that empty name fields or empty message bodies should be allowed. Each field can be individually enabled or disabled as required.

Notice: Any field that has been disabled for display, by any of the above set parameters, will be unaffected by the corresponding "*_*_REQUIRED"-switches below, as the "required-field"-check is applied only to those fields which actually are displayed - neat and simple.

$SENDER_NAME_REQUIRED

A Boolean parameter that determines whether anyone using the email form should be required to supply his/her name in the assigned field. Recommended setting: false.

$SENDER_EMAIL_REQUIRED

A Boolean parameter that determines whether anyone using the email form should be required to supply his/her email address (return address) in the assigned field. Recommended setting: true.

$SUBJECT_REQUIRED

A Boolean parameter that determines whether anyone using the email form should be required to supply a subject for the message in the assigned field. Recommended setting: false.

$MESSAGE_REQUIRED

A Boolean parameter that determines whether anyone using the email form should be required to supply a non-empty message in the assigned field. Recommended setting: false.

$RECIPIENT

The email address of recipient to which the messages are to be sent. Typically this string is of the form "My Name <me@mydomain.com>". Otherwise, just a plain email address of the form "me@mydomain.com" will do fine. Usually, the recipient address is the one you check as your regular address. Notice that this address is "safe" in the sense that it will never be displayed or revealed to the outside world, as it always is hidden by the PHP server. (This is, of course, one of the major reasons why one would like to have an email form in the first place, rather than an explicitly displayed email address which immediately will be taken hostage by spam robots visiting the page.) See further parameters below configuring the delivering agent.

$NOTIFY_ON_SPAM_ATTEMPTS

The boolean $NOTIFY_ON_SPAM_ATTEMPTS switch determines whether EMAILFORM should inform the mail recipient (as set by the previous $RECIPIENT parameter) or not, on that a spam attempt has been detected. Set $NOTIFY_ON_SPAM_ATTEMPTS to 'true' to notify the recipient on spam attempts. The default value for this parameter is "false", as I personally do not care how many attempts per day that were caught. However, notice that regardless of whether the recipient is informed or not, the person or agent sending the spam will never be notified on that the mail has been detected as spam. From his/her/its own perspective, all will just look as if the message has been delivered. The useful thing with this behaviour of the EMAILFORM script is that selective evolution then never reaches the spam deliverers, as no feedback on success or failure will be supplied.

$PASSCODE_SEED

As a final check before submitting any email, the EMAILFORM script will generate (X)HTML code for a simple addition test to be passed by the user. This test will automatically construct the two terms to be added from the $PASSCODE_SEED, being a number which may be chosen arbitrarily.

$USE_PEAR_SMTP_SENDMAIL

The boolean $USE_PEAR_SMTP_SENDMAIL switch determines whether to use the PEAR::Mail SMTP agent for delivering mail or not. If set to "false", the EMAILFORM script will assume that a local sendmail agent has been properly set up instead. My recommendation is to use PEAR::Mail whenever possible.

If $USE_PEAR_SMTP_SENDMAIL is set to 'true', then we also need to set the following parameters, to be supplied to the PEAR mail agent. (In case you wonder about how the PEAR mail agent delivers email, or if you simply wish to download the latest PEAR::Mail agent, please visit the PEAR repository at http://pear.php.net/package/Mail.) Otherwise, if simply using a native sendmail agent, the following parameters can be safely ignored.

$PEAR_SMTP_SENDMAIL_HOST

The host to use when sending SMTP email. This is typically a server of the form "mail.some.server.com"

$PEAR_SMTP_SENDMAIL_AUTHENTICATION

A Boolean parameter, which if set to 'true' will provide a user ID and password to the SMTP agent when sending the email (as required by some Internet Service Providers).

$PEAR_SMTP_SENDMAIL_USERNAME

The user name (ID) to use when authenticating the send request at the SMTP agent.

$PEAR_SMTP_SENDMAIL_PASSWORD

The password to use when authenticating the send request at the SMTP agent.

Finally, a setup which you (unfortunately) most likely will have to modify over time is how EMAILFORM should be triggered on spam attempts. For this purpose, there are two arrays of strings which contain words which should cause a message to be considered as spam if any specific words appear in the message text (determined by the array $SPAM_TRIGGERS_IN_MESSAGE) and in the address of the sender (determined by the array $SPAM_TRIGGERS_IN_ADDRESS).

IMPORTANT NOTICE: By disabling the requirement on the email address to be specified (that is to say, with $required["email"]=false;), any check on the correctness or validity of the email field is also disabled. This leaves the field open for malicious attempts of mail spamming by the well-known "CC: " injection approach in the text supplied in the email field, which could be exploited for unsolicited en-masse email submissions. Hence it is STRONGLY RECOMMENDED that you below keep $required["email"]=true, just to be on the safe side. When using PEAR::Mail as the email agent in the EMAILFORM script, a check will indeed always be performed for any malicious attempts of "CC: " or "BCC: " injection, but I give no warranty that all possible security holes are covered.

See, for example, http://www.w3schools.com/php/php_secure_mail.asp for a more detailed explanation of this particular security hole.

Example of usage

In order to invoke EMAILFORM for the generation of an email form (provided that the proper settings have been included in emailform.php, simply add the following block to a (X)HTML-generating PHP page:

    <?php include "emailform.php"; emailform("en"); ?>

The user-end interface to the routines included in the group of scripts of the EMAILFORM is the function emailform ($lang), listed at the very end of emailform.php. The $lang parameter input to this function specifies which language to use for headers, help messages etc. Currently only two choices are valid: $lang="en" (English) or $lang="sv" (Swedish).

Following the above specifications on how to configure EMAILFORM, an example configuration, as appearing in the beginning of the emailform.php file, might be something like:



$DO_DISPLAY_SENDERS_NAME_FIELD=true;  // Display "Your name:" field
$DO_DISPLAY_SENDERS_EMAIL_FIELD=true; // Display "Your email:" field
$DO_DISPLAY_SUBJECT_FIELD=false;      // Don't display "Subject:" field

$SENDER_NAME_REQUIRED=false;    // Sender name is not required
$SENDER_EMAIL_REQUIRED=true;    // Sender email address is required
$SUBJECT_REQUIRED=false;        // Ignored, as "Subject:" not displayed
$MESSAGE_REQUIRED=false;        // Empty message bodies will be allowed

$RECIPIENT="Your Name <me@mydomain.com>"; // Address of recipient
$NOTIFY_ON_SPAM_ATTEMPTS=false; // Do not notify on spam attempts
$USE_PEAR_SMTP_SENDMAIL=true;   // Yes, we are using PEAR::Mail agent

//
// As $USE_PEAR_SMTP_SENDMAIL is set to 'true' above, we also need to
// set the following parameters, to be supplied to the PEAR mail agent.
//
$PEAR_SMTP_SENDMAIL_HOST="mail.your.mail.server.com";
$PEAR_SMTP_SENDMAIL_AUTHENTICATION=true;
$PEAR_SMTP_SENDMAIL_USERNAME="visitor@yourdomain.com";
$PEAR_SMTP_SENDMAIL_PASSWORD="password_goes_here";

//
// Define the seed to be used in generation of the passcode verification of
// the user.
//
$PASSCODE_SEED=1912;


References

[1] The PEAR extension repository is available at http://pear.php.net/

Return to previous page

Leave a message

Your name:

Your email: (required)

Message:

Generated by ::emailform::

Last modified Tuesday 15 Dec 2009