Replying to Tell-a-friend script



Topic Summary

Posted 28 February 2009 - 11:40 AM

something missing (Tell-a-friend script)

Am wondering, your script imposes a security threat... Why use method="GET"? This displays all information being sent in the address bar; method="POST" works better! And I think you have to use $myname=$_POST['from']; instead of $myname=$from; Anyone comment on this?

-reply by HDYAN-Threat fire!!

 


khalilov

Posted 06 December 2008 - 06:13 PM

I think you should put the scripts in code, /code tags. Also shouldn't you put
$myname = $_GET['from'];

The same for the other variables you transferred from the first php script to the other.
As stated above this script could be used for spamming, which may result in complaints against your site. But to solve this issue you could require a user to be signed up in your site so that you track his emails and if he is spamming. Which means you have to log emails as well. While using such a form to send an email is cool, I don't think such an abusable feature should be put on your site =)

FirefoxRocks

Posted 06 December 2008 - 04:08 PM

This script is not good because it is mostly insecure. Without even a minimal security of user input validation, you can really use this form to spam A LOT. To improve this script, we must check all of the variables passed from the form to make sure it is acceptable input. Also, I think that format of the headers looks wrong, but I'm not sure.

It is also best to send plain-text emails. Even though most mail clients can handle HTML emails by now, it may become an issue with security. It is also less bandwidth to send plain-text emails, and since the example you provided doesn't contain much, a plain-text email will be almost just as effective as the one you gave.

wannabeeaweak

Posted 29 September 2004 - 05:06 AM

hey thanks for the script

websaint

Posted 25 September 2004 - 02:02 PM

I know the script is very simple and easy but at least I've tried to fix it up a bit now :) Hope that someone will find this useful!!

mastercomputers

Posted 25 September 2004 - 09:42 AM

A few noticeable errors, you call the script friendtell.php but you get them to name it tellfriend.php, you suggest no method for your form, you have a class attribute which suggests there is also a style or stylesheet being used, I believe limiting a textbox to 15 characters for an email address is too small. It also uses auto globals, which is recommended to be disabled for security reasons. Short tags are used, for wider compatibility you should use full tags.

I also wouldn't recommend this script as there are no security features implemented and it can result in unwanted spamming from your server, you really have to validate all user information that they input, or else it may result in arbitrary commands being executed on your server. The case of escaped characters \r\n show it's based around Windows and that may even help in exploiting. You should also collect their information about the user, just their email entered, IP address and time, so if an event of unwanted mail is being sent and you are notified of it, you can report it to their ISP that this is what is happening and they could probably sort it for you. Make sure you have a policy that can be found easily on your site.

Another thing is you don't need two separate pages to do this script, it can all be performed on one page but you don't have to use a single page, two pages is fine, should allow redirection though.

If I find time, I may work on this script and just improve security.

All in all, it is simple indeed.


Cheers, MC

websaint

Posted 24 September 2004 - 10:04 PM

Hi!! I'll show you how to make a simple tell-a-friend script using php. If you put this on your site, your visitors will be able to recommend your site to a friend. This can be good promotion for your site. It's quite easy to set up too. Just copy and paste the script below.

Put this where you want the form to appear:

<form action="friendtell.php" method="get">
<b>Tell a friend:</b>
<input type="text" size="20" name="from" value="Your email">
<input type="text" size="25" name="to" value="Friends email">
<input type="Submit" value="Recommend">
</form>

Put this in the file friendtell.php

<p class="storre">Your friend has been told!</p>

<?
$myname = $from;
$myemail = $from;

$contactemail = $to;

$message = "<h2>Hi!!</h2>\nI wanted to tell you about a cool site I found.
The url is www.yoursite.com.<br><br>Mvh $from.";
$subject = "From a friend.";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: $myname\r\n";
$headers .= "To: $contactname\r\n";
$headers .= "Reply-To: ".$myname." <$myreplyemail>\r\n";
$headers .= "X-Priority: 1\r\n";
$headers .= "X-MSMail-Priority: Low\r\n";
$headers .= "X-Mailer: Just My Server";

mail($contactemail, $subject, $message, $headers);
?>

Yepp, that's all. Hope you can make the script work! :)
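
The changes the replies in this topic ask for (POST instead of GET, no auto globals, validated addresses, plain-text mail, a log of sender, IP address and time), gathered into one handler. This is an added example, not code from any poster in the thread; it assumes the form is switched to method="post" and PHP 7.2 or later, and SITE_URL, SENDER, clean_email() and build_mail() are placeholder names chosen for the illustration.

```php
<?php
// Added example, not the original poster's code. SITE_URL and SENDER are placeholders.
declare(strict_types=1);

const SITE_URL = 'https://www.example.com/';
const SENDER   = 'noreply@example.com';   // fixed From: address owned by the site

// Return a syntactically valid address, or null for anything else.
function clean_email($raw): ?string
{
    // $_POST values can be arrays; CR/LF would let the submitter append
    // extra header lines (for example Bcc:) to the outgoing message.
    if (!is_string($raw) || preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Build the mail() arguments: plain text, fixed sender, no user-chosen headers.
function build_mail(string $from, string $to): array
{
    $body = "Hi!\n\nI wanted to tell you about a site I found: " . SITE_URL
          . "\n\nSent on behalf of $from\n";
    $headers = [
        'From'         => SENDER,
        'Reply-To'     => $from,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return [$to, 'From a friend', $body, $headers];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a valid address and one with an injected header line.
    foreach (["friend@example.org", "friend@example.org\r\nBcc: list@example.net"] as $in) {
        echo json_encode($in), ' => ', var_export(clean_email($in), true), "\n";
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $from = clean_email($_POST['from'] ?? null);
    $to   = clean_email($_POST['to'] ?? null);
    if ($from === null || $to === null) {
        http_response_code(400);
        exit('Please enter two valid email addresses.');
    }
    // Record who sent what and when, so abuse reports can be followed up.
    error_log(sprintf('tell-a-friend from=%s to=%s ip=%s time=%s',
        $from, $to, $_SERVER['REMOTE_ADDR'] ?? '-', date('c')));
    $sent = mail(...build_mail($from, $to));
    echo $sent ? 'Your friend has been told!' : 'Sorry, the message could not be sent.';
}
```

Validation alone does not limit how many messages one visitor can send; the sign-up requirement suggested in the thread, or a per-IP rate limit, covers that.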
