HomeMade CGI Form-To-Email and Autoresponder Script


Sparhawk
6-25-02, 06:18 PM
I am writing a homemade Form-To-Email and AutoResponder script that uses SendMail.

The description page, and download section, is available at:
http://www.sparhawkdownloads.com/formmail.shtml

This script doubles as a FormMail program AND an Auto-Responder (look at the page if you don't know what I mean).

Any critiques/bug reports/suggestions would be appreciated.

This script works with forms using "GET", "POST", and even forms with 'enctype="multipart/form-data"' in the form tag, and is one of the most flexible FormMail scripts I've seen.

Sparhawk

Today's Quote: Nothing is foolproof to a sufficiently talented fool.

Jeff321
6-26-02, 12:33 AM
I hope you don't mind... but I did some tests to check the security of the script... and I think you should add a check for the referrer similar to how FormMail (http://www.scriptarchive.com/formmail.html) does, so that the script can only be accessed from the web site it is installed on. Otherwise you will have people exploiting the script to send any e-mail they want, and people downloading files from your server that they shouldn't be.

Also, in addition to "sendtoemail" you should allow use of "recipient" in forms as well, as most other forms use the recipient form field and people will be more used to it.

Very nice script... I like the fact that it can be used for a feedback form and also a way to e-mail files. Most scripts don't do this so easily.

- Jeff

Sparhawk
6-26-02, 03:31 AM
> I hope you don't mind... but I did some tests to check the security of the script... and I think you should add a check for the referrer similar to how FormMail does, so that the script can only be accessed from the web site it is installed on. Otherwise you will have people exploiting the script to send any e-mail they want, and people downloading files from your server that they shouldn't be.

Your suggestion about checking the referer has been implemented effective immediately. Thanks for the suggestion.
Since I do allow one or two other domains (some friends) to have access to the script, it now includes an array of 'allowed' referring domains, and checks the referer against that list.
If someone installs it on their site and only wants their domain to have access to it, all they have to do is remove all the extra domains and add their own.

And now the webmaster has the option of receiving an e-mail with the HTTP_REFERER form location when a form is illegally using the script.

Sparhawk
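
The allowed-referer list described in the post above, as an added example in Python; it is not Sparhawk's script, whose source the thread does not show, and the host names and recipient address are assumptions. It goes one step beyond the post by also checking the `sendtoemail` field against a server-side recipient list, since HTTP_REFERER is a value the client supplies.

```python
from urllib.parse import urlsplit

# Assumed values for illustration; not taken from the script discussed above.
ALLOWED_REFERER_HOSTS = {"www.example.com", "example.com"}
ALLOWED_RECIPIENTS = {"webmaster@example.com"}


def referer_host(referer):
    """Return the lower-cased host of an http(s) Referer, or None."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()


def referer_allowed(environ):
    """Compare the parsed host exactly. A substring or suffix match would
    also accept look-alike hosts such as www.example.com.other.test."""
    return referer_host(environ.get("HTTP_REFERER")) in ALLOWED_REFERER_HOSTS


def recipient_allowed(address):
    """Server-side recipient check. The Referer header comes from the
    client, so this list is what bounds where the script can send mail."""
    if not address or any(c in address for c in "\r\n,;"):
        return False  # refuse header-splitting and multi-recipient input
    return address.strip().lower() in ALLOWED_RECIPIENTS


def may_send(environ, form):
    """Both checks must pass before the form is handed to sendmail."""
    return referer_allowed(environ) and recipient_allowed(form.get("sendtoemail"))
```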

Jeff321
6-26-02, 03:19 PM
Well that was fast! I will download the new version and take a look :)

Bradley
6-27-02, 12:48 AM
Read through the support section, and it seems like a good program. I will download it and give it a try! I assume it works on powwebs servers since it is on their forum?

Good Job!