Hullo,

I wasn't satisfied with the available options for recipient_array. Spammers have been aggressively targeting my domains and are getting pretty good at figuring out how to bypass my contact forms, but I didn't want to be hostile towards my users/clients and demand a captcha.

So I've modded PHPFormMail to generate the recipient keys dynamically.

Here are two example forms that use the modified script.

The simplest version just generates a new key for every hour, so that the form can't just be harvested and posted to repeatedly.

The second version, using the same modified PHPFormMail script, relies on JavaScript to fill-in the hidden recipient key input. Neither is complete protection from harvesters of course, but they do make the job harder for those parasite spammers.

Example 1:
================= snip ==================

<?php

// first, set $useFormMailFunctionsOnly to a true value
// in order to keep it quiet when including
$useFormMailFunctionsOnly = TRUE;

// suck it in, so we can access our hidden recipient field
// generator
require_once("formmail.php");

?>
<html>
<body>
<form method="post" action="formmail.php">
<?php
// this will spit out the recipient hidden field, encoded with the
// dynamic timestamp.
// You MUST ensure the address specified is in the formmail.php
// $recipient_dynamic_list array for this to work.

outputHiddenFieldForDynamicRecipient("myaddy@example.com");
?>

From: <input type="text" name="email">
Subject: <input type="text" name="subject" /> <br />
<textarea name="themessage" cols="60" rows="15"></textarea><br />
<input type="submit" name="submit" value="Send" />
</form>
</body>
</html>

================= /snip ==================

The second, using JS to fill the input item:

================= snip ==================

<?php

// first, set $useFormMailFunctionsOnly to a true value
// in order to keep it quiet when including
$useFormMailFunctionsOnly = TRUE;

// suck it in, so we can access our hidden recipient field
// generator
require_once("formmail.php");

?>
<html>
<head>
<script type="text/javascript">
function fillRcpt()
{
var myKey = '<?php print generateDynamicKeyForRecipient("myaddy@example.com"); ?>';
var rcptEl = document.getElementById('hiddenrcpt');
if (rcptEl)
{
rcptEl.setAttribute('value', myKey);
}

}
</script>
<body>
<form method="post" action="formmail.php">
<input type="hidden" name="recipient" id="hiddenrcpt" value="" />
From: <input type="text" name="email">
Subject: <input type="text" name="subject" /> <br />
<textarea name="themessage" cols="60" rows="15"></textarea><br />
<input type="submit" name="submit" value="Send" />
</form>
</body>
<script type="text/javascript">
fillRcpt();
</script>
</html>

================= /snip ==================

Can't seem to find how to upload attachments here, so you can get the modified script to play with (at your own risks) here or you can get the diff file and patch it instead.

Regards,
Pat Deegan