Try taking out the

<input type="hidden" name="recipient" value="youremail@example.com">

and replacing it with:

<select name="recipient" size="1">
<option value="bill@example.com" selected>Bill</option>
<option value="sally@example.com">Sally</option>
<option value="john@example.com">John</option>
<option value="sue@example.com">Sue</option>
<option value="andy@example.com">Andy</option>
</select>

Note that this does still leave your e-mail addresses exposed to spam bots. See if your mail script will let you hide the addresses on the page and only have them in the code. The page would then look something like:

<select name="recipient" size="1">
<option value="1" selected>Bill</option>
<option value="2">Sue</option>
<option value="3">Sally</option>
<option value="4">John</option>
<option value="5">Andy</option>
</select>

Then if someone sent mail to Bill, the script would know that option 1 was really bill@example.com

Excellent, I understand what you mean. I will give this a try and then post back with me results. Thanks for you help. DL

If you have any control over the mail addresses, try setting up an address that will forward to the multiple recipients. This can be done with fowarders to filters. I have a filter that says "Whenever mail comes to ExecutiveBoard@myclub.com send this email to bill@myclub.com, tom@myclub.com, and james@myclub.com". That way you can still send to one email address from the form but it will be delivered into three (or more) boxes.

WARNING
If your mail script allows you to specify recipients in the form, it may be open to abuse by spammers (unless recipients are restricted to a single domain).

Kaled.

Thanks again, everyone! It worked like a charm.

Now, the customer just through me a curve ball and asked for custom made buttons on the mail form. So, I came up with some buttons in PhotoShop that they would like to use. The only problem is that how in the world do I add them to the form and make them work correctly? I'm sure it has some to do with adding an image source to the submit button tag but everything I've tried hasn't worked. Any ideas? I can't wait for my programmer to get back from vacation! DL

Replace
<input type="submit" value="Submit Comments">
with
<input type="image" src="yourimage url" width="yourimagewidth" height="yourimageheight">

Again, it worked like a charm. Many many thanks to you all! Great forums:) DL

Thanks to you all, I found this post extremely helpful.

I'm kind of a newbie at this.

How would I modify the above code to allow the identical form generated e-mail to be sent to multiple recipients selected by checkboxes. Could you also touch on this implementation with spambot protection?

Thanks,

Jerry Kornbluth

Short answer: Per kaled's comment - there is no way to avoid spam bots from picking up the addresses, really, not without editing the backend script. (You can do some things with Javascript, but it's still not solid for the truly motivated.)

Longer answer: This form is posted to

<form action="http://www.example.com/cgi-bin/public_mail.pl" method="post">

So in public_mail.pl you would have to make some changes. The exact details are beyond the scope of this thread (because we don't have the code,) but it would be something like this:

1. Instead of having email addresses on the page, you would establish a key-value, beginning at the form, and REMOVE THE EMAIL ADDRESSES:

<input type="checkbox" name="mailto1" value="1"> John Doe
<input type="checkbox" name="mailto2" value="2"> Mary Doe

2. Then in the .pl script you would have an association wih those values: ie., 1=johnnyd@example.com, 2=maryd@example.com, etc. This could easily be done by having an array list - since arrays are zero-based (first item in list is in position 0, second item position 1, etc.,) the first index is the perfect place for the DEFAULT email.

@valid_emails=('generalinfo@example.com','johnnyd@example.com','maryd@example.com');

3. In the perl script, cycle through this list and send the mails only if the form data for that email is defined. If the box is NOT checked, in perl for the web it's not DEFINED:

for $i (0..$#valid_emails) {
# this creates "mailto1, "mailto2", etc. - our named checkboxes
$form_object = 'mailto' . $i;
if (($i == 0) ¦¦ ($form_data{$form_object})) {
&send_email($valid_emails[$i]);
}
}

Don't want an address that all emails go to? Begin at 1:
for $i (1..$#valid_emails) { ....

Additionally, this method could be applied to the original example with a drop-down list or even a multiple-select box.

That is one small step toward security that removes the email addresses from the page. But it would require a working knowledge of perl to tweak the server-side script.

This also does a much larger and more significant improvement to security. If the recipient is in a hidden field, this tells a spammer that the backend script is accepting form input for the email address. You may think, "well they can only select it from the form, they can't change the adress," but this is not true. If I enter the following from the command line:

curl 'http://www.example.com/cgi-bin/public_mail.pl?recipient=spam@example.com,bulkemail@example.com'

I can send my spam list to this script without ever visiting the form. this is a simplified version of the problem, for it's really much worse than that.

The above method is one of the many ways to insure your programs only send to specified addresses, but you must also screen the input data as well - spammers can abuse **ANY** form field to hack a mailer script.

I'd better stop there. :-)

Wow...

Thanks for the time and effort that you spent on this. I really appreciate it and will try to implement your suggestions.

This forum is a "find"

Thank you all!

http://www.example.com/cgi-bin/public_mail.pl?recipient=spam@example.com,bulkemail@example.com

One more safeguard you can add in server side script to minimize this type of attatcks, although as rocknbil said, its not 100% hack proof.

First add method="POST" to your form and then add following sub to your formmail.cgi script.

&checkspam;
sub checkspam {
my $hostpage = 'http://www.example.com/contact.htm';
if ($ENV{'REQUEST_METHOD'} eq 'GET') { print "Location: $hostpage\n\n"; exit; }
}

Everytime it checks for a GET request and redirect it to the HTML page, hence blocking such type of direct requests.