WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: E-mailing Form

From: Karl Groves
Date: Apr 8, 2009 11:05AM


I would say this is an overly alarmist discussion of the potential problems
with tell-a-friend forms. While it is true that such forms are a very
popular target for spammers (as is any form which sends e-mails, such as
contact forms), it is not true that they're all vulnerable. First and
foremost, any and all data which comes from users should be validated,
filtered, and escaped appropriately, regardless of what the form actually
does. Forms which send e-mail should also perform checks to ensure that
they're protected against mail header injection.

For anyone out there using PHP, I heartily recommend 'Pro PHP Security' by
Chris Snyder and Michael Southwell, or 'Essential PHP Security' by Chris
Shiflett. Chris Shiflett also has an excellent blog worth reading.

The concerns that Dean raises are very real and he's 100% correct that your
host will shut you down if a vulnerable form gets exploited (as well they
should, IMO).

Karl

> -----Original Message-----
> From: <EMAIL REMOVED> [mailto:webaim-forum-
> <EMAIL REMOVED> ] On Behalf Of Dean Hamack
> Sent: Tuesday, April 07, 2009 10:10 PM
> To: WebAIM Discussion List
> Subject: Re: [WebAIM] E-mailing Form
>
> I know there is, because I did it a few years back. But you don't want to
> do it, and I'll tell you why...
>
> Spammers will hijack the form and use it to send spam to thousands of
> people. Someone the spam gets sent to will report it to your web host, and
> your web host will shut your account down.
>
> Needless to say, that's not a good thing.
>
>
> On 4/7/09 4:03 PM, "Tom Dussault" < <EMAIL REMOVED> > wrote:
>
> > Dear WebAIM and helpful friends,
> >
> > I'm not entirely new to this group, but this is my first time actually
> > posting a valid question. I mostly read what other people post, and I get
> > a better idea of what the industry is doing (and let me say, this is a
> > great group and a source of information that I've read). To those who have
> > no idea who I am, let me introduce myself: I'm Thomas Dussault, a designer
> > and graphic artist. However, just recently I've started to jump back into
> > the field after years of not doing anything, to getting a nice work load
> > out of nowhere. I've designed various web sites, and many different
> > designs for smaller-end businesses. This time, however, I've come across
> > something that seems familiar, but I wanted to reference check with the
> > group before I went ahead and started.
> >
> > Is there any easy way, in either Dreamweaver or PHP programming, to make a
> > form for clients that can submit a form in which they have the ability to
> > put another e-mail in a field that would e-mail a friend with possibly a
> > pre-made message?
> >
> > Realizing there are many forms that you can make online that can directly
> > send to an e-mail, is there any, however, that can make it possible to put
> > a friend or a client that MAY BE interested in what the customer is
> > submitting?
> >
> > Just throwing it out there. Any ideas or ways to execute this easier would
> > be much appreciated. :)
> >
> >
> > Thanks ahead of time!!
> >
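As an added illustration of the checks Karl recommends above (validating user data and guarding a mail-sending form against header injection), here is example PHP for a tell-a-friend form; it is written for this archive page and is not code from the thread or from the books cited. The form field names and the example.com addresses are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Validates the user-supplied fields of a
// tell-a-friend form before any of them reach mail(). Field names are assumptions.

final class TellAFriendValidator
{
    /** A value bound for a mail header must stay on one line: no CR, LF or NUL. */
    public static function isHeaderSafe(string $value, int $maxLen): bool
    {
        return strlen($value) <= $maxLen
            && preg_match('/[\r\n\x00]/', $value) !== 1;
    }

    /** Returns a list of problems; an empty list means the submission is usable. */
    public static function validate(array $post): array
    {
        $errors = [];
        $to   = trim((string) ($post['friend_email'] ?? ''));
        $name = trim((string) ($post['sender_name'] ?? ''));

        // The recipient address is what a spammer wants to control; a syntactically
        // valid single address cannot carry a line break or a second header.
        if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'friend_email is not a single valid e-mail address';
        }
        // The sender's name is echoed into the message, so keep it header-safe too.
        if ($name === '' || !self::isHeaderSafe($name, 80)) {
            $errors[] = 'sender_name is empty, too long, or contains a line break';
        }
        return $errors;
    }
}

// Constructed sample submissions: a clean one, and one with a line break where a
// single address should be (the shape a header-injection attempt takes).
$clean  = ['friend_email' => 'friend@example.com', 'sender_name' => 'Tom'];
$broken = ['friend_email' => "friend@example.com\r\nanother-line", 'sender_name' => 'Tom'];

var_dump(TellAFriendValidator::validate($clean));
var_dump(TellAFriendValidator::validate($broken));
if (TellAFriendValidator::validate($clean) === []) {
    // Only fixed, server-side text goes into the subject and headers; the user
    // contributes nothing but the validated recipient and a name inside the body.
    $subject = 'A page you might like';
    $body    = "Hi,\n" . $clean['sender_name'] . " thought you might like this page.\n";
    $headers = "From: noreply@example.com\r\n";
    // mail($clean['friend_email'], $subject, $body, $headers);
}
```

Keeping the message text pre-made on the server, as Tom's question already suggests, is what removes most of the spam value of such a form; the validation above closes the remaining header-injection route.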