Hi everybody,
I made some changes to the old version, PHPFormMail Classic v1.03.1, but I didn't find the time to document them properly and send them back, although I think they might be interesting to some other people as well.
The problem that occurred to me is that there is no real security in checking the referer. Some browsers don't send it for privacy reasons (e.g. Opera is able to turn it off), and I don't think that spammers will not find out how to patch the GET request to still abuse PHPFormMail. Right now the reason why it's not yet a real problem is that formmail.pl is still in use on a lot more webservers and has the same problem, hence is preferred by people who want to spam or send mail anonymously, *abusing* your webserver.
Restricting the recipient inside the script was no solution for me: I need to be able to set it inside the form rather easily. So my solution is to encrypt the recipient and send it as another hidden field named "crecipient". In the script I then check whether the plain-text and the encrypted recipient are the same. For encrypting I use some "secret information" (a key) that is stored on the webserver. Without knowing the key it is almost impossible for any bad guy to generate a valid crecipient. Because of this security feature, I'm no longer concerned with checking the referer: if the recipient is the one I wanted it to be, I don't mind whether people use my webserver or any other to send messages.
Another modification is that I don't like having all the names of the input fields in front of the message when my form contains only the changeable fields subject, real name, e-mail and the message text.
I transferred the changes to the recent version 1.06 of formmail.php and made it available at http://www.michaelspringmann.de/programs/phpformmail/modified.zip. If you find the changes useful, please include them in the next release.
Bye, and thanks for the good replacement of formmail.pl,
JumpM aka Michael Springmann.
PS: The reason why I needed those changes can be seen at gabi98.de, which is an address database of my former classmates. The e-mail addresses are stored in MySQL and I didn't want to add them all to $recipients and update them inside formmail.php. I also wanted to depend on the referer, since the same script is used by several other domains where I'm not the webmaster myself and that don't have PHP activated.
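The "crecipient" scheme from the post above, written out as an added example. This is not code from PHPFormMail or from the modified.zip linked in the post; it is an illustration of the same idea. One deliberate change: instead of encrypting the recipient, it computes a keyed hash (HMAC-SHA256) over it, which gives exactly the property the post wants (nobody without the server-side key can produce a valid crecipient for a recipient of their choosing) and leaves the script with nothing to decrypt, only a comparison to make. The key-file path, the helper names and the sample address are assumptions made for this example; only the field names "recipient" and "crecipient" come from the post.

```php
<?php
// Added example, not part of PHPFormMail or the post's modified.zip.
// A keyed tag over the recipient address, carried in a hidden field named
// "crecipient" next to the plain "recipient" field. The post encrypts the
// recipient; here an HMAC is used instead, which is simpler and gives the
// same guarantee: without the key, a valid crecipient cannot be forged.

// Assumed location of the secret key: outside the web root so it can never
// be fetched over HTTP. Create it once with something like
//   head -c 32 /dev/urandom | base64 > /etc/formmail/secret.key
define('FORMMAIL_KEY_FILE', '/etc/formmail/secret.key');

function formmail_key(): string
{
    $key = @file_get_contents(FORMMAIL_KEY_FILE);
    if ($key === false || strlen(trim($key)) < 32) {
        // Refuse to run with a missing or weak key rather than silently
        // fall back to an unauthenticated recipient.
        throw new RuntimeException('formmail secret key missing or too short');
    }
    return trim($key);
}

// Normalise the address before tagging and before checking, so that case
// or whitespace differences cannot make one tag "valid" for two spellings.
function formmail_canonical_recipient(string $recipient): string
{
    return strtolower(trim($recipient));
}

// Used by the page that renders the form. It needs the key, so the tag is
// always generated on the server, never in the browser.
function formmail_crecipient(string $recipient): string
{
    return hash_hmac('sha256', formmail_canonical_recipient($recipient), formmail_key());
}

// Used by formmail.php on submission. True only if crecipient was produced
// with our key for exactly this recipient.
function formmail_recipient_is_authorised(string $recipient, string $crecipient): bool
{
    $expected = formmail_crecipient($recipient);
    // hash_equals() compares in constant time, so response timing does not
    // leak how many leading bytes of a guessed tag were correct.
    return hash_equals($expected, $crecipient);
}

// --- rendering the form (e.g. the address-database page) -------------------
$recipient  = 'classmate@example.org';          // sample address, e.g. from MySQL
$crecipient = formmail_crecipient($recipient);
printf('<input type="hidden" name="recipient" value="%s">' . "\n",
       htmlspecialchars($recipient, ENT_QUOTES, 'UTF-8'));
printf('<input type="hidden" name="crecipient" value="%s">' . "\n",
       htmlspecialchars($crecipient, ENT_QUOTES, 'UTF-8'));

// --- handling the submission (inside formmail.php) --------------------------
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $post_recipient  = (string)($_POST['recipient']  ?? '');
    $post_crecipient = (string)($_POST['crecipient'] ?? '');
    if (!formmail_recipient_is_authorised($post_recipient, $post_crecipient)) {
        http_response_code(403);
        exit('Recipient not authorised for this form.');
    }
    // Only now may $post_recipient be handed to mail(); no referer check needed.
}
```

Note what the tag does and does not cover: it binds the recipient to the key, so a forged form can only ever deliver to addresses you have already issued tags for, which is exactly the post's goal. It does not limit who may submit the form or how often, so rate limiting and the usual header-injection filtering of the other fields still belong in the script.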
