How can I secure a "Send a Referral" email form? - php

A client of mine has requested that I add a "send a referral" page to their website. This will contain a form that lets a user enter their name and email address as well as a friend's name and email address. When they submit the form, an email will be sent to their friend's email address containing a "check out this website" message.
Can this type of referral form be made secure against spammers?
I have already followed a lot of the advice in this code review, including using FILTER_SANITIZE_EMAIL and mb_encode_mimeheader on the email addresses. I also have hidden "dummy" inputs in the form with specific values that will prevent form submission if a spammer overwrites them.

From my experience, the hidden fields stop most of the spam. But if you want an extra measure, you can try ReCaptcha. It's really easy to use and you should get rid of most of the spam.
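To show what the question's measures (FILTER_SANITIZE_EMAIL, mb_encode_mimeheader, hidden dummy fields) and the answer's honeypot advice look like together, here is an added PHP example of a hardened POST handler for the referral form. It is not the questioner's code: the field names (sender_name, sender_email, friend_name, friend_email, the hidden website field, csrf), the site address and the per-session cap of five referrals are assumptions. Beyond what the question lists, it adds a CSRF token check, a CR/LF check so no input can smuggle extra mail headers, and a fixed subject and body so the form cannot be used to send arbitrary text.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code: a hardened POST handler for
// the referral form. Field names, the site address and the per-session cap
// are assumptions.

// CR/LF in any header value would let a submitter append extra headers
// (Bcc:, a second To:) and turn the form into a spam relay.
function has_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Sanitize, then require that sanitizing changed nothing and that the result
// validates, so an address with stray characters is rejected rather than
// silently "repaired" into something the user did not type.
function clean_email(string $raw): ?string
{
    $trimmed = trim($raw);
    if ($trimmed === '' || strlen($trimmed) > 254 || has_crlf($trimmed)) {
        return null;
    }
    $sanitized = filter_var($trimmed, FILTER_SANITIZE_EMAIL);
    if ($sanitized !== $trimmed || filter_var($sanitized, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $sanitized;
}

// Names are length-bounded and free of CR/LF; they are MIME-encoded only at
// the point where they go into a header.
function clean_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 80 || has_crlf($name)) {
        return null;
    }
    return $name;
}

// Honeypot: the hidden "website" field is invisible to humans and stays empty;
// a bot that fills every input trips it.
function honeypot_tripped(array $post): bool
{
    return isset($post['website']) && $post['website'] !== '';
}

// Returns an error string, or null when the referral was accepted and sent.
function handle_referral(array $post, array &$session): ?string
{
    // Token issued when the form page was rendered: blocks cross-site posts
    // and scripts that never loaded the page.
    $csrf = (string) ($post['csrf'] ?? '');
    if (!isset($session['csrf']) || !hash_equals($session['csrf'], $csrf)) {
        return 'invalid form token';
    }
    if (honeypot_tripped($post)) {
        return 'rejected';   // no detail, so a bot learns nothing
    }
    // A referral form is a "send email to anyone" primitive; cap its use.
    $session['referrals_sent'] = $session['referrals_sent'] ?? 0;
    if ($session['referrals_sent'] >= 5) {
        return 'too many referrals from this session';
    }

    $senderEmail = clean_email((string) ($post['sender_email'] ?? ''));
    $friendEmail = clean_email((string) ($post['friend_email'] ?? ''));
    $senderName  = clean_name((string) ($post['sender_name'] ?? ''));
    $friendName  = clean_name((string) ($post['friend_name'] ?? ''));
    if ($senderEmail === null || $friendEmail === null || $senderName === null || $friendName === null) {
        return 'invalid input';
    }

    // Subject and body are fixed text; user input appears only as plain names,
    // never as a free-form message.
    $subject = 'Your friend thinks you would like example.com';
    $body    = "Hi $friendName,\n\n$senderName thought you might like to check out "
             . "https://example.com/\n\nThis message was sent through the referral "
             . "form at example.com at their request.\n";

    $to      = mb_encode_mimeheader($friendName, 'UTF-8', 'Q') . " <$friendEmail>";
    $headers = [
        // From is the site's own address so SPF/DKIM alignment holds; the
        // referrer is reachable through Reply-To.
        'From'     => 'Referrals <referrals@example.com>',
        'Reply-To' => mb_encode_mimeheader($senderName, 'UTF-8', 'Q') . " <$senderEmail>",
    ];
    if (!mail($to, $subject, $body, $headers)) {
        return 'mail could not be sent';
    }
    $session['referrals_sent']++;
    return null;
}

// Usage in the form's POST endpoint (session already started; $_SESSION['csrf']
// was set with bin2hex(random_bytes(16)) when the form page was rendered):
// $error = handle_referral($_POST, $_SESSION);
```

The array form of the fourth mail() argument needs PHP 7.2 or later. The honeypot and CSRF token stop the cheap bots the answer mentions; the CR/LF and fixed-content rules matter for the ones that get past them, because a referral form that accepts a free-form message or lets input reach a header is an open mail relay regardless of how the spam was submitted.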

Related

Wordpress contact form 7 send confirmation message to user

I want to send a confirmation message to the user after they submit the form.
The information recorded should be sent to the client and a confirmation message sent to the user.
Is there any setting in Contact Form 7, or do we need to do it custom?
Does anyone know how to do it?
Yes, you can send a confirmation email to the user.
Just use the Mail 2 option, which will be triggered only when the email is successfully sent to the client.
https://contactform7.com/faq/can-i-implement-autoresponder/
You can use Contact Form 7 for it, but you may then have to hardcode where it is going. So if you go onto the page the form is on, you will see
<input type="submit"/>
If you change this code to something along the lines of
<input type="submit" href="example@example.com"/>
then when clicked it should send the required data to the correct e-mail address. Make sure that your form has the method "POST" so the data actually gets sent over.
Also, with Contact Form 7 there is an option to do e-mail forms; you can then set the e-mail to your own e-mail for testing and to your client's e-mail too. Send some dummy data over and the job should be a good'n. Just look at the different options you have available.
This link below should help you:
https://contactform7.com/setting-up-mail/

Using TextBox in Email Template to Get User input

I am coding a Mailchimp template. What I have to do is add a text box in the email template; the one who receives the email will enter some value in the text box and press a send button in the email, and the entered value will be sent to my email address as an email. I know very well how to code Mailchimp templates, but I really have no idea how to add a text box, get its value and send it to my email account. Please guide me how to do it.
You will need to create an HTML form with a POST or GET action that sends the data to a server; then from there you can email the value to yourself. You cannot rely on the viewer's computer to send the email.

I want that email header part does not contain via link

When a user submits the Contact Us form on our site and the info comes to us, the email header contains "from: abc@gmail.com via 218208-db2.christiandatingforfree.com". We don't want "via 218208-db2.christiandatingforfree.com" in the header part. Any suggestions?
That isn't something you can control. Gmail does it for the sake of security; otherwise you could send an email with the from field as support@gmail.com.

How to validate if the E-Mail Address is existing in YMail,Gmail,etc.?

How do I validate an existing e-mail address?
In a registration system, when a user enters an email address, it checks whether the email address exists or not in Ymail/Gmail.
I already have a running domain (for practice).
You have my regards.
Most registration systems validate an email address by sending an email to it with a uniquely encoded URL in it and requiring the user to go get that email and click on the link. When your server sees that the link has been clicked on, the email address is known to be accessed by you.
Here's a basic flowchart for how it works:
1. User goes to your website.
2. User commences registration and fills in their email address.
3. Server checks to see if the email address is in a legal and proper form and is not already registered.
4. If the rest of the user's registration looks good and the email address looks legal, the server creates an account in your system and puts it in the "unverified" state.
5. Then, a code is generated that corresponds to that specific user. That code is put onto a URL, and that URL is put into an email which is sent to the email address the user entered.
6. The user receives the email with instructions to click on the enclosed link.
7. User retrieves the email and clicks on the link.
8. Your server receives a web request from that link. It parses out the code from the URL and checks to see if that code matches an account that is in the "unverified" state. If so, and the account has not expired from too much time elapsing since the email was sent, then the account is put into the "verified" state and is ready for use.
The basic idea of this system is that if you can retrieve an email sent to that email address then the email address must be a valid and working email address and you, the user, must be able to access that email address (it's not just some random email address you made up).
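The flow in the answer above, written out as an added PHP example (not the answerer's code): an in-memory array stands in for the accounts table, and the URL, function names and 24-hour expiry are assumptions. The points a practitioner would want to see are that the code is generated from a CSPRNG, that only a hash of it is stored, that the lookup uses a constant-time comparison, that expiry is enforced, and that the code is consumed on first use.

```php
<?php
declare(strict_types=1);

// Added example, not from the answer: the verification-link flow described
// above. The accounts array, URL and function names are assumptions.

const VERIFY_TTL_SECONDS = 24 * 60 * 60;

// Steps 4 and 5: create the account in the "unverified" state and issue the
// per-user code. Only a hash of the code is stored, so a copy of the database
// does not contain working verification links.
function create_unverified_account(array &$accounts, string $email): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from a CSPRNG
    $accounts[$email] = [
        'state'      => 'unverified',
        'token_hash' => hash('sha256', $token),
        'created_at' => time(),
    ];
    return $token;
}

// The URL that goes into the email sent to the user.
function verification_url(string $token): string
{
    return 'https://example.com/verify?code=' . rawurlencode($token);
}

// Step 8: look up the code, enforce expiry, and flip the account to "verified".
// The stored hash is removed on success so the same link cannot be reused.
function verify_account(array &$accounts, string $token, ?int $now = null): bool
{
    $now   = $now ?? time();
    $hash  = hash('sha256', $token);
    $match = null;
    foreach ($accounts as $email => $acct) {
        // hash_equals: constant-time comparison of two equal-length hex strings
        if ($acct['state'] === 'unverified' && hash_equals($acct['token_hash'], $hash)) {
            $match = $email;
            break;
        }
    }
    if ($match === null) {
        return false;
    }
    if ($now - $accounts[$match]['created_at'] > VERIFY_TTL_SECONDS) {
        unset($accounts[$match]);   // expired: the user has to register again
        return false;
    }
    $accounts[$match]['state'] = 'verified';
    unset($accounts[$match]['token_hash']);
    return true;
}

// Demo with a constructed store. In production the link would be put into an
// email sent with mail(), and the /verify endpoint would read $_GET['code'].
$accounts = [];
$code = create_unverified_account($accounts, 'alice@example.com');
echo "Link for the email: ", verification_url($code), "\n";
var_dump(verify_account($accounts, 'code-that-was-never-issued'));
var_dump(verify_account($accounts, $code));   // the issued code
var_dump(verify_account($accounts, $code));   // the same code presented again
$stale = create_unverified_account($accounts, 'bob@example.com');
var_dump(verify_account($accounts, $stale, time() + 2 * VERIFY_TTL_SECONDS)); // two days later
```

Storing the hash rather than the code itself means that someone who reads the accounts table cannot verify arbitrary accounts; the plain code exists only in the email. The expiry check also covers the "account has not expired" condition in step 8 of the answer.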
Back in the day, you could easily validate email addresses. Then the spammers came along. Now the only way you can confirm the existence of an email address is by trying to send something to it and checking for bounces. And even then, the lack of a bounce doesn't mean it exists - it could simply have been silently deleted, ignored, spam filtered into oblivion, etc...
Basically, what you want is not possible - any such system would simply help spammers hammer your box with more Russian brides popping penis pills while wearing fake Rolexes.
SMTP provides VRFY and EXPN verbs to check if an account or mailing list exists. However, most server admins disable these verbs from their mail configuration to prevent hackers from exploiting user lists. Gmail and Yahoo are said to have VRFY disabled.
Another option you can try for these servers is emailing the user with a link to confirm their email address. Granted, it is not as sexy as real-time email verification, but it is more secure for all parties.
It is practically not possible to validate an email address with the growing amount of spam.
These days people send a mail to the email address entered by the user to complete the registration or activate the account. You can probably do that, and it is a much safer way to do it. You can find a number of resources online to implement this functionality.

Does sending mails with mail() hide the recipient's address

I am trying to build an email messaging system for a classified site (à la craigslist), so that users can email each other. Emails of registered users are stored in a database.
What I want is for the recipient's email address to be hidden from the sender. If I just use the mail() function and dynamically get the recipient's email from the database, will this email be visible to the person sending the mail?
If the recipient's email is indeed hidden from the sender when using mail() this way, then why does craigslist anonymize emails? Isn't it already anonymous?
Edit: so the email won't be visible to the person filling in the form. So the question remains: why does craigslist anonymize email addresses, and should I implement the same?
Craigslist doesn't use a form to submit. They provide an email address. When the users send the email using their own email system to @craigslist.org, then their servers get that email, look up the appropriate record, and forward the email to the real email address, so the sender never sees the real email address of the person.
If you're providing a form for the users to fill out, then you're doing something completely different from craigslist. You don't have to show the person's real email address on the form, and they're using your form, not their own email program, to do the reply, so there's no need to show any email address at all, anonymous or real.
If you're going to let people use their own email programs and provide them with an email address, then use the anonymizing service, which will add some load to your servers since they'll have to parse and process incoming emails at a variety of addresses. If you're using a form, you don't have to show any email addresses at all.
You are the one sending it, and it really comes from your server, not the person who filled out the form on your website. So no, there is absolutely no way they can see the real address it went to.
Why does craigslist take it a step further? Not sure, but it's not for that reason.
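To make the answers above concrete, here is an added PHP example (not code from the question or the answers) of a form-based reply relay for a classifieds site. The listings array stands in for the database, and the field names, relay address and URL are assumptions. The form carries only an opaque listing id; the owner's real address is resolved on the server and is never sent to the browser, which is the point the answers make. The example also shows the one way a form-based relay can still leak an address: if Reply-To were set to the sender's real address, the owner's first reply would go straight to the sender and disclose the owner's address in its From line, which is what an anonymizing relay prevents.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answers: a form-based
// reply relay. The listings array is a constructed stand-in for the database;
// field names, the relay address and the reply URL are assumptions.

// Each listing is keyed by an opaque id. The reply form carries only that id.
$listings = [
    'a7f3c2' => ['title' => 'Used bicycle, 54cm frame', 'owner_email' => 'owner@example.net'],
];

// Flatten CR/LF so a value cannot break out of its header line and add headers.
function header_safe(string $value): string
{
    return preg_replace('/[\r\n]+/', ' ', $value);
}

// Build the message to the listing owner, or return null when the submission
// is not acceptable. $senderId is the logged-in user's id from the session,
// so the sender's own address is not needed in the form either.
function build_relay_message(array $listings, array $post, int $senderId): ?array
{
    $id = (string) ($post['listing_id'] ?? '');
    if (!isset($listings[$id])) {
        return null;
    }
    $message = trim((string) ($post['message'] ?? ''));
    if ($message === '' || strlen($message) > 4000) {
        return null;
    }

    return [
        'to'      => $listings[$id]['owner_email'],   // exists only in the server process
        // The title comes from the listing, not from this form, but it was
        // user input when the listing was posted, so it is still made header-safe.
        'subject' => 'Reply to your listing: ' . header_safe($listings[$id]['title']),
        'body'    => "User #$senderId replied to your listing through the site's contact form.\n\n"
                   . "----\n" . $message . "\n----\n\n"
                   . "To answer, use https://example.com/listings/$id/reply and do not reply to this email.\n",
        'headers' => [
            // Both From and Reply-To are the site's relay address. Putting the
            // sender's real address in Reply-To would route the owner's reply,
            // and with it the owner's own address, straight to the sender.
            'From'     => 'Listing relay <relay@example.com>',
            'Reply-To' => 'Listing relay <relay@example.com>',
        ],
    ];
}

// Send the relayed message; false when the submission was rejected or mail() failed.
function send_relay(array $listings, array $post, int $senderId): bool
{
    $m = build_relay_message($listings, $post, $senderId);
    if ($m === null) {
        return false;
    }
    return mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}

// Usage in the POST endpoint of the reply form (session already started):
// $ok = send_relay($listings, $_POST, (int) $_SESSION['user_id']);
```

Because the browser only ever submits a listing id and a message, the sender has nothing to inspect: the recipient address is looked up and used inside the server, exactly as the answers say. Keeping replies on the site (the reply URL in the body) rather than in the owner's mail client is what keeps both addresses private in the other direction.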
