Welcome to WebmasterWorld Guest from

Forum Moderators: incrediBILL

Message Too Old, No Replies

Basic HTML form mail with multiple recipients

2:50 pm on Jan 19, 2006 (gmt 0)

New User

10+ Year Member

joined:Jan 19, 2006
votes: 0

Hello all, this is my first post. I'm a graphic designer for a web developer and I don't have a lot of experience with wirting strait code AND my programmer is on vacation and maybe you all can help.

I'm adding a basic email form to a clents site and they want a drop down box with a list of employee names that customers can choose to contact through the form. Based on what name a customer chooses, the form will be sent to the appropriate persons email address. Here's the form I'm using. It's just about as basic as you can get but I need to know how to add this multiple recipients drop down list.

<form action="http://www.example.com/cgi-bin/public_mail.pl" method="post">
<input type="hidden" name="recipient" value="youremail@example.com" >
<input type="hidden" name="subject" value="Customer Feedback Form">
What kind of comment would you like to send?</strong><br>
<input type="radio" name="MessageType" value="Problem">Problem
<input type="radio" checked name="MessageType" value="Suggestion">Suggestion
<input type="radio" name="MessageType" value="Praise">Praise<P>
What about us do you want to comment on?<br>
<select name="Subject" size="1">
<option selected>Web Site</option>
<option value="Services">Services</option>
Other: <input type="text" size="26" maxlength="256" name="SubjectOther"><P>
Enter your comments in the space provided below:<br>
<textarea name="Comments" rows="5" cols="42"></textarea><P>
Tell us how to get in touch with you:<br>
Name<input type="text" size="35" maxlength="256" name="realname"><br>
E-mail<input type="text" size="35" maxlength="256" name="UserEmail"><br>
Telephone<input type="text" size="35" maxlength="256" name="UserTel"><br>
FAX<input type="text" size="35" maxlength="256" name="UserFAX"><P>
<input type="checkbox" name="ContactRequested" value="ContactRequested">
Please contact me as soon as possible regarding this matter.<P>
<input type="submit" value="Submit Comments">
<input type="reset" value="Clear Form"></p>

Can anyone please help?

Thanks - Dead London

[edited by: encyclo at 7:52 pm (utc) on Jan. 19, 2006]
[edit reason] switched to example.com [/edit]

3:26 pm on Jan 19, 2006 (gmt 0)

New User

10+ Year Member

joined:June 6, 2005
votes: 0

Try taking out the

<input type="hidden" name="recipient" value="youremail@example.com">

and replacing it with:

<select name="recipient" size="1">
<option value="bill@example.com" selected>Bill</option>
<option value="sally@example.com">Sally</option>
<option value="john@example.com">John</option>
<option value="sue@example.com">Sue</option>
<option value="andy@example.com">Andy</option>

Note that this does still leave your e-mail addresses exposed to spam bots. See if your mail script will let you hide the addresses on the page and only have them in the code. The page would then look something like:

<select name="recipient" size="1">
<option value="1" selected>Bill</option>
<option value="2">Sue</option>
<option value="3">Sally</option>
<option value="4">John</option>
<option value="5">Andy</option>

Then if someone sent mail to Bill, the script would know that option 1 was really bill@example.com

3:31 pm on Jan 19, 2006 (gmt 0)

New User

10+ Year Member

joined:Jan 19, 2006
votes: 0

Excellent, I understand what you mean. I will give this a try and then post back with me results. Thanks for you help. DL
6:18 pm on Jan 19, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 2, 2004
votes: 0

If you have any control over the mail addresses, try setting up an address that will forward to the multiple recipients. This can be done with fowarders to filters. I have a filter that says "Whenever mail comes to ExecutiveBoard@myclub.com send this email to bill@myclub.com, tom@myclub.com, and james@myclub.com". That way you can still send to one email address from the form but it will be delivered into three (or more) boxes.
6:48 pm on Jan 19, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
votes: 0

If your mail script allows you to specify recipients in the form, it may be open to abuse by spammers (unless recipients are restricted to a single domain).


4:30 pm on Jan 23, 2006 (gmt 0)

New User

10+ Year Member

joined:Jan 19, 2006
votes: 0

Thanks again, everyone! It worked like a charm.

Now, the customer just through me a curve ball and asked for custom made buttons on the mail form. So, I came up with some buttons in PhotoShop that they would like to use. The only problem is that how in the world do I add them to the form and make them work correctly? I'm sure it has some to do with adding an image source to the submit button tag but everything I've tried hasn't worked. Any ideas? I can't wait for my programmer to get back from vacation! DL

5:36 pm on Jan 23, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 16, 2002
votes: 1

<input type="submit" value="Submit Comments">
<input type="image" src="yourimage url" width="yourimagewidth" height="yourimageheight">
5:58 pm on Jan 23, 2006 (gmt 0)

New User

10+ Year Member

joined:Jan 19, 2006
votes: 0

Again, it worked like a charm. Many many thanks to you all! Great forums:) DL
2:47 am on Jan 29, 2006 (gmt 0)

New User

10+ Year Member

joined:Jan 29, 2006
votes: 0

Thanks to you all, I found this post extremely helpful.

I'm kind of a newbie at this.

How would I modify the above code to allow the identical form generated e-mail to be sent to multiple recipients selected by checkboxes. Could you also touch on this implementation with spambot protection?


Jerry Kornbluth

9:36 am on Jan 29, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
votes: 0

Short answer: Per kaled's comment - there is no way to avoid spam bots from picking up the addresses, really, not without editing the backend script. (You can do some things with Javascript, but it's still not solid for the truly motivated.)

Longer answer: This form is posted to

<form action="http://www.example.com/cgi-bin/public_mail.pl" method="post">

So in public_mail.pl you would have to make some changes. The exact details are beyond the scope of this thread (because we don't have the code,) but it would be something like this:

1. Instead of having email addresses on the page, you would establish a key-value, beginning at the form, and REMOVE THE EMAIL ADDRESSES:

<input type="checkbox" name="mailto1" value="1"> John Doe
<input type="checkbox" name="mailto2" value="2"> Mary Doe

2. Then in the .pl script you would have an association wih those values: ie., 1=johnnyd@example.com, 2=maryd@example.com, etc. This could easily be done by having an array list - since arrays are zero-based (first item in list is in position 0, second item position 1, etc.,) the first index is the perfect place for the DEFAULT email.


3. In the perl script, cycle through this list and send the mails only if the form data for that email is defined. If the box is NOT checked, in perl for the web it's not DEFINED:

for $i (0..$#valid_emails) {
# this creates "mailto1, "mailto2", etc. - our named checkboxes
$form_object = 'mailto' . $i;
if (($i == 0) ($form_data{$form_object})) {

Don't want an address that all emails go to? Begin at 1:
for $i (1..$#valid_emails) { ....

Additionally, this method could be applied to the original example with a drop-down list or even a multiple-select box.

That is one small step toward security that removes the email addresses from the page. But it would require a working knowledge of perl to tweak the server-side script.

This also does a much larger and more significant improvement to security. If the recipient is in a hidden field, this tells a spammer that the backend script is accepting form input for the email address. You may think, "well they can only select it from the form, they can't change the adress," but this is not true. If I enter the following from the command line:

curl 'http://www.example.com/cgi-bin/public_mail.pl?recipient=spam@example.com,bulkemail@example.com'

I can send my spam list to this script without ever visiting the form. this is a simplified version of the problem, for it's really much worse than that.

The above method is one of the many ways to insure your programs only send to specified addresses, but you must also screen the input data as well - spammers can abuse **ANY** form field to hack a mailer script.

I'd better stop there. :-)

12:09 pm on Jan 29, 2006 (gmt 0)

New User

10+ Year Member

joined:Jan 29, 2006
votes: 0


Thanks for the time and effort that you spent on this. I really appreciate it and will try to implement your suggestions.

This forum is a "find"

Thank you all!

4:35 am on Feb 18, 2006 (gmt 0)

Full Member

10+ Year Member

joined:Jan 4, 2006
votes: 0


One more safeguard you can add in server side script to minimize this type of attatcks, although as rocknbil said, its not 100% hack proof.

First add method="POST" to your form and then add following sub to your formmail.cgi script.

sub checkspam {
my $hostpage = 'http://www.example.com/contact.htm';
if ($ENV{'REQUEST_METHOD'} eq 'GET') { print "Location: $hostpage\n\n"; exit; }

Everytime it checks for a GET request and redirect it to the HTML page, hence blocking such type of direct requests.