Perl?? Cgi-bin..?? WTF!!!

mahamageehad

Hi guys,

just when I thought that I had my website nice and almost finished, things blow up in my face.... again.

My main problem is that now I need to allow visitors to submit a form and have the content emailed back. Apparently I need to understand Perl for this?? Any thoughts?? I've tried looking up some tutorials but to be honest I don't have the time to be learning a new language right now.

As always, any help appreciated!

KerranJast

mahamageehad wrote: »

Hi guys,

just when I thought that I had my website nice and almost finished, things blow up in my face.... again.

My main problem is that now I need to allow visitors to submit a form and have the content emailed back. Apparently I need to understand Perl for this?? Any thoughts?? I've tried looking up some tutorials but to be honest I don't have the time to be learning a new language right now.

As always, any help appreciated!

What technology is your site built in? PHP? .NET? There shouldn't be a need for Perl for submitting forms.

mahamageehad

Its a simple site using html/css. Its my first attempt at a site.

KerranJast

You'll need to use some kind of scripting language like PHP or .NET to do stuff like autogenerated emails and dealing with forms. I wouldn't advise Perl as its a bit too complex for a newbie. You could use an external service like Formspring.com to manage forms for you if you like.

mahamageehad

Ok thanks, I'll see what i can throw together

Sposs

Have a look at PHP , nice and easy for a form, plenty of tutorials etc , just google.

Webmonkey

Hey,

OP, use PHP. It will save you time.

Should be plenty of examples on google.

Evil Phil

Folks,

The charter does state not to ask for pm's in thread. Might seem a bit draconian but the search engines index boards, asking and responding in thread means other people won't end up at a dead end, hence the rule.

Thanks
E.P.

Webmonkey

Evil Phil wrote: »

Folks,

The charter does state not to ask for pm's in thread. Might seem a bit draconian but the search engines index boards, asking and responding in thread means other people won't end up at a dead end, hence the rule.

Thanks
E.P.

Ah you're right...damn

oeb

Hey OP, here is some basic php for emailing forms.

First you have your page with the form on it, lets say it's called contact.htm

It might look something like this:

<form method="post" action="formhandler.php">
Your name: <input type="text" name="your_name" />
Your email: <input type="text" name="your_email" />
Your comments: <textarea name="comments"></textarea>
<input type="submit" value="Email Me!" />
</form>

Now, there are a couple of important bits here for you, the first is the action attribute of the form tag. This needs to point at where your php mail handling script lives. You can call it whatever you want, as long as you specify the name correctly in the action attribute.

The next important thing is the name attributes of all the form bits. Each one needs to have a unique name, because we use these names to get the information from the php script.

Now, the php.

This is formhandler.php (or whatever, as long as the action points at it)
[php]<?php
$your_name = $_POST;
$your_email = $_POST;
$comments = $_POST;

$message = "You have a new message from your website! The visitor said the following:
Name : $your_name
Email : $your_email
Comments : $comments";

$subject = "New website message";
$my_email = "me@email.com";

mail($my_email, $subject, $message);

header("Location: thanks.php");
?>
[/php]Right, now, what does all this mean? The first thing of note is that all php code has to be marked off as so. This is done by putting the code in php tags. You can see them above, they look like this:

[php]<?php
// My code goes in here
?>[/php]The next point to note is that all lines or blocks of php code end with a semi colon (;)

Now, the next thing that might confuse you is all these things proceeded by a dollar sign. They are what are known as variables, they appear in all development languages, but in PHP they are all proceeded with a dollar sign. A variable is like a box. It holds a little piece of information in it that you can refrence later. For example, I can create a variable called fruit, and store a string (piece of text) in it.
[php]<?php
$fruit = "apple";
?>[/php]Now, you also see up above me referencing what's called arrays, if a variable is a box, imagine that an array is a shelf of boxes. You can tell when a variable is being used as an array when it is followed by square brackets. For example:
[php]<?php
$fruit = "green";
$fruit = "red";
?>[/php]Creates an array with two elements, one called 'apple' that has a value of green, and one called orange containing orange.

The reason this is important to you right now though, is you see me using an array up above called $_POST. $_POST is an array that is automatically populated with all the variables sent through a post request (In the form above, the method="post" bit specifies that you will be sending all the info through as post variables. So referencing $_POST would usually get the value of the form element with a name of 'hat' that was on the page that the request came from.


So hopefully by now you should understand the first four lines of my code above. The first line is my opening php tag (This tells php to start interpreting the rest as php) and the next three take the post values from the form and stick them in some variables for referencing later.

The bit that follows is simply the content of the mail I will be sending formatted in a way that's easy to read. This will be used as the body of the email.

After that I just create a variable to contain the email address and the subject line of the email I want to send out.

Now, the next bit is a bit different. Here I am using what is called a function. Functions are used to store bits of code that you may want to use in more than one place. You can create your own functions, or php has a number of them built in. mail() is one of them.

The mail() function, predictably, sends out an email. This specific function has three required variables to make it work (Variables passed to a function are referred to as arguments.) For mail() these are (In this order): The email address you want to send the message to, the subject line of the message and the content of the message. So as you can see above, I simply take the three variables I have filled (declared) earlier and I pass them as arguments into the mail function (Function arguments are separated by commas)

Then I use the header function to pass a custom header to the browser, in this case it's a redirect to get the browser to go straight onto another page (In this case, thanks.htm) after it's sent on the mail.

And then the closing php tag.


I hope this is understandable, I'm not always the best at explaining things. Keep in mind that this example is fairly basic, I am leaving out things like form validation (So a person can for example, submit a blank form) and the likes.

Hope it helps!

Pablod

For a basic CGI script, most hosting companies will have CGI/Perl enabled, if not its just a matter of sending them a mail to get it enabled.

On your hosting Cotrol Panel go to the CGI and all you need to get its the cgi directory
it will look something like this or similar

[URL]http://mysite.ie/formmail/cgi-bin/FormMail.pl[/URL] or [U][COLOR=#0000ff]/cgi-bin/FormMail.cgi[/COLOR][/U]

The form itself is almost similar to what oeb mentioned at the start of his post.
Test this form out below and play around with it.

<form action="[URL]http://mysite.ie/formmail/cgi-bin/FormMail.pl[/URL]" method="post" name="form" >
        <input name="Submit" type="submit" value="Submit" /><br />
     <input type="hidden" name="redirect" value="redirect page goes here" />
    <input type="hidden" name="recipient" value="YourEmailAddressHere" />
    <input type="hidden" name="sender" value="Contact Form from Website" />
   </form>

Hopet his helps

daymobrew

I sometimes use Tectite.com's FormMail script.

oeb's example is open to being abused e.g. being used to send emails to other people and potentially result in you being seen as a spammer.

FormMail prevents this. It can be a pain to set up but works well.
As this is OP's first site, it may not be a good candidate for him, but it might be useful to others.
I wish there was a secure drop-in email form script.

oeb

daymobrew wrote: »

I sometimes use Tectite.com's FormMail script.

oeb's example is open to being abused e.g. being used to send emails to other people and potentially result in you being seen as a spammer.

care to tell me how?

daymobrew

oeb wrote: »

care to tell me how?

http://www.anders.com/projects/sysadmin/formPostHijacking/
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
http://www.stevedawson.com/article0015.php

A fix: http://www.gerd-riesselmann.net/archives/2005/09/sending-spam-through-contact-forms

Webmonkey

daymobrew wrote: »

http://www.anders.com/projects/sysadmin/formPostHijacking/
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
http://www.stevedawson.com/article0015.php

A fix: http://www.gerd-riesselmann.net/archives/2005/09/sending-spam-through-contact-forms

To be fair, oeb did say no form validation etc was done and only posted to give a high level overview of the procedure. It is quite simple to remove injected header data anyways.

oeb wrote:

I am leaving out things like form validation (So a person can for example, submit a blank form) and the likes.

daymobrew

Webmonkey wrote: »

To be fair, oeb did say no form validation etc was done and only posted to give a high level overview of the procedure. It is quite simple to remove injected header data anyways.

oeb wrote:

I am leaving out things like form validation (So a person can for example, submit a blank form) and the likes.

Good point - sorry for jumping on you oeb.
I didn't read the entire post, but saw the vulnerable code and I was concerned that OP would probably just use as-is.

oeb

Webmonkey wrote: »

To be fair, oeb did say no form validation etc was done and only posted to give a high level overview of the procedure. It is quite simple to remove injected header data anyways.

Not to mention the fact that because I am not putting any user supplied data into the headers of the email, it's a little tricky to inject into them.

Webmonkey

oeb wrote: »

Not to mention the fact that because I am not putting any user supplied data into the headers of the email, it's a little tricky to inject into them.

daymobrew

oeb wrote: »

Not to mention the fact that because I am not putting any user supplied data into the headers of the email, it's a little tricky to inject into them.

Thanks for correcting me.

mahamageehad

Hi everyone thanks for all your help. Just wrote my first bit of php thanks to oeb, and it worked a treat.

Just wanted to say thanks!