Form query

 
 
KiwiBrian
      12-05-2004
The first entry in the Formmail script that I am using is:-

// for ultimate security, use this instead of using the form
$recipient = "(E-Mail Removed)"; // (E-Mail Removed)

Can someone please explain this entry.
Placing my address in there enables the form to be accepted and sent to me.
Without an address in there the form is rejected at the input stage with an
error response implying that there is no recipient address.
However the use of the word "instead" implies that an email address is
optional here and that there is an alternative that works. What is it?
Is there perhaps an entry missing in the form HTML that could serve as an
alternative?
If I include the line '<input type="hidden" name="recipient" value="and
place my email address here">' the form is rejected.
Any clarification would be appreciated.
Brian Tozer


 
Dan Ruscoe
      12-05-2004
In article <covi1j$4mu$(E-Mail Removed)>, KiwiBrian says...
> The first entry in the Formmail script that I am using is:-
>
> // for ultimate security, use this instead of using the form
> $recipient = "(E-Mail Removed)"; // (E-Mail Removed)
>
> Can someone please explain this entry.


This keeps your email address in the script, rather than on the actual
page with the form, so it's hidden from spam bots.

The alternative would be adding something like
<input type="hidden" name="recipient" value="youremailaddy">

--
Dan Ruscoe
 
Joel Shepherd
      12-05-2004
In article <(E-Mail Removed)>,
Dan Ruscoe <(E-Mail Removed)> wrote:

> In article <covi1j$4mu$(E-Mail Removed)>, KiwiBrian says...
> > The first entry in the Formmail script that I am using is:-
> >
> > // for ultimate security, use this instead of using the form
> > $recipient = "(E-Mail Removed)"; // (E-Mail Removed)
> >
> > Can someone please explain this entry.

>
> This keeps your email address in the script, rather than on the actual
> page with the form, so it's hidden from spam bots.


That's the least of the problems.

> The alternative would be adding something like
> <input type="hidden" name="recipient" value="youremailaddy">


Allowing the e-mail form submitter to specify the recipient -- and even
with 'hidden' input, they can -- is opening the door wide to the form
and the web server that handles it being abused by spammers to send spam
to _anyone they want to_, not just you. It is trivial to write a script
that submits such a form over and over again, specifying a different
recipient each time.

Keep your e-mail address in the script. It's not there to save you from
getting spammed: it's there to save your form from being the source of
spam for others.

--
Joel.

http://www.cv6.org/
"May she also say with just pride:
I have done the State some service."
 
Dan Ruscoe
      12-05-2004
In article <(E-Mail Removed)>,
Joel Shepherd says...
> In article <(E-Mail Removed)>,
> Dan Ruscoe <(E-Mail Removed)> wrote:
>
> > In article <covi1j$4mu$(E-Mail Removed)>, KiwiBrian says...
> > > The first entry in the Formmail script that I am using is:-
> > >
> > > // for ultimate security, use this instead of using the form
> > > $recipient = "(E-Mail Removed)"; // (E-Mail Removed)
> > >
> > > Can someone please explain this entry.

> >
> > This keeps your email address in the script, rather than on the actual
> > page with the form, so it's hidden from spam bots.

>
> That's the least of the problems.
>
> > The alternative would be adding something like
> > <input type="hidden" name="recipient" value="youremailaddy">

>
> Allowing the e-mail form submitter to specify the recipient -- and even
> with 'hidden' input, they can -- is opening the door wide to the form
> and the web server that handles it being abused by spammers to send spam
> to _anyone they want to_, not just you.


Correct, and that's why he should specify his address in the script.

Just to make it clear, I identified using the hidden input tag simply
because he asked what the alternative was. I certainly don't recommend
anybody use it.

--
Dan Ruscoe
 
Reply With Quote
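
Added example (not part of the thread, and not the Formmail script being discussed): a minimal PHP handler that follows Joel Shepherd's advice by fixing the recipient in the script and ignoring any `recipient` field the submitter sends. The constant `RECIPIENT`, the function `build_mail` and the field names `email` and `message` are assumptions, and the addresses are placeholders.

```php
<?php
// Added example. RECIPIENT, build_mail() and the field names are assumptions.

// The only address this form ever mails to (placeholder value).
const RECIPIENT = 'owner@example.com';

/**
 * Turn submitted form fields into the arguments for mail().
 * Nothing the visitor sends can change the "to" address.
 */
function build_mail(array $post): array
{
    // Unsafe variant the thread warns against: $to = $post['recipient'];
    // Here a posted "recipient" (hidden field or hand-made request) is
    // never used; its presence is only recorded so it can be logged.
    $recipientPosted = array_key_exists('recipient', $post);

    // Visitor input goes into the message body only, never into To.
    // filter_var() returns false for malformed or non-string input.
    $from = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: 'not given';
    $message = is_string($post['message'] ?? null) ? trim($post['message']) : '';

    return [
        'to'               => RECIPIENT,
        'subject'          => 'Website form',
        'body'             => "Reply address: $from\n\n$message",
        'recipient_posted' => $recipientPosted,
    ];
}

// Constructed sample input: a submission that supplies its own recipient.
$sample = [
    'recipient' => 'someone-else@example.net',
    'email'     => 'visitor@example.org',
    'message'   => 'Hello',
];

$mail = build_mail($sample);
if ($mail['recipient_posted']) {
    // Leaves a trace for whoever reviews the server logs.
    error_log('formmail: ignored posted recipient field from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
}

// Send step, commented out so the example runs offline:
// mail($mail['to'], $mail['subject'], $mail['body']);
echo $mail['to'], PHP_EOL;
```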
 
 
 