You will find a formmail.pl script in your /cgi-bin directory (if you do not please contact us and we can provide you with one). This file aids in the prevention of SPAM through your domain, thus preserving your bandwidth for legitimate users of your site. In addition, it enables you to enhance your forms and provide shortcuts that not only simplify your forms, but also enable you to hide your e-mail address from spiders and e-mail harvesters.
To use Formmail, you need to create a form on one of your web pages.
The form action line should be
<FORM ACTION = "/cgi-bin/formmail.pl" METHOD = "POST">
formmail.pl will do all the programming work for you. You alter the behavior of Formmail by using hidden fields in your form.
There is only one form field that you must have in your form for FormMail to work correctly. This is the recipient field.
Description: This form field allows you to specify to whom you wish for your form results to be mailed. Most likely you will want to configure this option as a hidden form field.
<input type="hidden" name="recipient" value="me">
Any recipient that you have specified in your form must also be listed in your configuration file. Please refer to the below settings for more information.
Before you are able to use formmail, you will need to edit your formmail.pl script file. This file can beither:
- downloaded (via ftp) and edited and then re uploaded,
- edited via the file manager in the control-panel or
- edited via SSH if you have shell access.
There are a two mail variables that you need to change in FormMail.pl which
alter the way that the program works. They are in red below and are listed under the
# USER CONFIGURATION SECTION
@referers - A list of referring hosts. This should be a list of
the names or IP addresses of all the systems that
will host HTML forms that refer to this formmail
script. To prevent SPAM only these hosts will be allowed to use the
formmail script. This can be used to prevent others
from linking to FormMail.pl from their own HTML forms. For example:
@referers = qw(www.netvantage.com.au netvantage.com.au 188.8.131.52 localhost);
%recipient_alias - To avoid SPAMers reading your email address from the fields in your form use this function. This keeps all the email
addresses out of the HTML so that they don't get
collected by address harvesters and sent junk email.
For example, suppose you have three forms on your
site, and you want each to submit to a different email
address and you want to keep the addresses hidden.
You might set up %recipient_alias like this:
%recipient_alias = (
'1' => 'email@example.com',
'2' => 'firstname.lastname@example.org',
'3' => 'email@example.com',
In the HTML form that should submit to the recipient
'firstname.lastname@example.org', you would then set the recipient
<input type="hidden" name="recipient" value="2" />
The recipients in %recipient_alias are automatically added
to the allowed recipients list, so there's no need to list
them all in @allow_mail_to as well.
More Advanced Configuration Options are included at the end of this page below allthough you shouldn't need to edit them.
Optional Form Fields:
The below fields can be added to your form to return further infomation.
Description: The subject field will allow you to specify the subject that you wish to appear in the e-mail that is sent to you after this form has been filled out. If you do not have this option turned on, then the script will default to a message subject: WWW Form Submission
If you wish to choose what the subject is:
<input type=hidden name="subject" value="Your Subject">
To allow the user to choose a subject:
<input type=text name="subject">
Description: This form field will allow the user to specify their return e-mail address. If you want to be able to return e-mail to your user, I strongly suggest that you include this form field and allow them to fill it in. This will be put into the From: field of the message you receive.
Syntax: <input type=text name="email">
Description: The realname form field will allow the user to input their real name. This field is useful for identification purposes and will also be put into the From: line of your message header
Syntax: <input type=text name="realname">
Description: This field allows you to choose the order in which you wish for your variables to appear in the e-mail that FormMail generates. You can choose to have the field sorted alphabetically or specify a set order in which you want the fields to appear in your mail message. By leaving this field out, the order will simply default to the order in which the browsers sends the information to the script (which isn't always the exact same order they appeared in the form.) When sorting by a set order of fields, you should include the phrase 'order:' as the first part of your value for the sort field, and then follow that with the field names you want to be listed in the e-mail message, separated by commas.
To sort alphabetically: <input type=hidden name="sort" value="alphabetic">
To sort by a set field order: <input type=hidden name="sort" value="order:name1,name2,etc...">
Description: If you wish to redirect the user to a different URL, rather than having them see the default response to the fill-out form, you can use this hidden variable to send them to a pre-made HTML page.
To choose the URL the user will end up at:
<input type=hidden name="redirect" value="http://your.address/file.html">
To allow the user to specify a URL he wishes to travel to once the form is filled out:
<input type=text name="redirect">
Description: You can now require for certain fields in your form to be filled in before the user can successfully submit the form. Simply place all field names that you want to be mandatory into this field. If the required fields are not filled in, the user will be notified of what they need to fill in, and a link back to the form they just submitted will be provided.
If you want to require that the user fill in the email and phone fields in your form, so that you can reach them once you have received the mail, use a syntax like: <input type=hidden name="required" value="email,phone">
Description: Allows you to have Environment variables included in the e-mail message you receive after a user has filled out your form. Useful if you wish to know what browser they were using, what domain they were coming from or any other attributes associated with environment variables. The following is a short list of valid environment variables that might be useful:
REMOTE_HOST - Sends the hostname making a request.
REMOTE_ADDR - Sends the IP address of the remote host making the request.
HTTP_USER_AGENT - The browser the client is using to send the request. General format: software/version library/version
If you wanted to find the remote host and browser sending the request, you would put the following into your form:
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
Description: This form field allows you to specify the title and header that will appear on the resulting page if you do not specify a redirect URL.
If you wanted a title of 'Feedback Form Results':
<input type=hidden name="title" value="Feedback Form Results">
Description: This field allows you to specify a URL that will appear as return_link_title, on the following report page. This field will not be used if you have the redirect field set, but it is useful if you allow the user to receive the report on the following page, but want to offer them a way to get back to your main page.
<input type=hidden name="return_link_url" value="http://your.host.xxx/main.html">
Description: This is the title that will be used to link the user back to the page you specify with return_link_url. The two fields will be shown on the resulting form page as: <ul> <li><a href="return_link_url">return_link_title</a> </ul>
Syntax: <input type=hidden name="return_link_title" value="Back to Main Page">
Description: This form field allow you to specify a background image that will appear if you do not have the redirect field set. This image will appear as the background to the form results page.
<input type=hidden name="background" value="http://your.host.xxx/image.gif">
Description: This form field allow you to specify a bgcolor for the form results page in much the way you specify a background image. This field should not be set if the redirect field is.
For a background color of White:
<input type=hidden name="bgcolor" value="#FFFFFF">
Description: This field works in the same way as bgcolor, except that it will change the color of your text.
For a text color of Black: <input type=hidden name="text_color" value="#000000">
Description: Changes the color of links on the resulting page. Works in the same way as text_color. Should not be defined if redirect is.
For a link color of Red:
<input type=hidden name="link_color" value="#FF0000">
Description: Changes the color of visited links on the resulting page. Works exactly the same as link_color. Should not be set if redirect is. Syntax:
For a visited link color of Blue:
<input type=hidden name="vlink_color" value="#0000FF">
Description: Changes the color of active links on the resulting page. Works exactly the same as link_color. Should not be set if redirect is.
For a visited link color of Blue:
<input type=hidden name="alink_color" value="#0000FF">
Any other form fields that appear in your script will be mailed back to you and displayed on the resulting page if you do not have the redirect field set.
Advanced formmail.pl Settings
@allow_mail_to - A list of the email addresses that formmail can send email to. The elements of this list can be either simple email addresses (like 'email@example.com') or domain names (like 'your.domain'). If it's a domain name then *any* address at the domain will be allowed.
Example: to allow mail to be sent to 'firstname.lastname@example.org'
or any address at the host 'mail.your.domain', you
@allow_mail_to = qw(email@example.com mail.your.domain);
@recipients -we recomend you leave this blank.
$style - This is the URL of a CSS stylesheet which will be
used for script generated messages. This should
probably be the same as the one that you use for all
the other pages. This should be a local absolute URI
fragment. Set $style to '0' or the emtpy string if
you don't want to use style sheets.
$no_content - If this is set to 1 then rather than returning the
HTML confirmation page or doing a redirect the script
will output a header that indicates that no content
will be returned and that the submitted form should
not be replaced. This should be used carefully as an
unwitting visitor may click the submit button several
times thinking that nothing has happened.
$double_spacing - If this is set to 1 (as it is by default) then a blank
line is printed after each form value in the e-mail.
Change this value to 0 if you want the e-mail to be
$wrap_text - If this is set to 1 then the content of any long text
fields will be wrapped at around 72 columns in the
e-mail which is sent. The way that this is done is
controlled by the variable $wrap_style
$wrap_style - If $wrap_text is set to 1 then if this is set to 1 then
the text will be wrapped in such a way that the left
margin of the text is lined up with the beginning of the
text after the description of the field - that is to
say it is indented by the length of the field name
plus 2. If it is set to 2 then the subsequent lines
of the text will not be indented at all and will be
flush with the start of the lines. The choice of style
is really a matter of taste although you might find
that style 1 does not work particularly well if your
e-mail client uses a proportional font where the spaces
of the indent might be smaller than the characters in
the field name.
$DEBUGGING - This should be set to 1 whilst you are installing and testing the script. Once the script is live you should change it to 0. When set to 1, errors will be output to the browser. This is a security risk and
should not be used when the script is live.
$secure - When this variable is set to a true value (e.g. 1) many additional security features are turned on. We do not recommend changing this variable to 0, as the resulting drop in security may leave your formmail
open to use as a SPAM relay.
$allow_empty_ref - Some web proxies and office firewalls may strip certain headers from the HTTP request that is sent by a browser. Among these is the HTTP_REFERER that the program uses as an additional check of the requests validity - this will cause the program to fail with a 'bad referer' message even though the configuration seems fine. In these cases setting this variable to 1 will stop the program from
complaining about requests where no referer header was sent while leaving the rest of the security
$max_recipients - The maximum number of e-mail addresses that any single form should be allowed to send copies of the e-mail to. If none of your forms send e-mail to more than one recipient, then we recommend that you improve the security of FormMail by reducing this value to 1. Setting this variable to 0 removes all limits on the number of recipients of each e-mail.
$send_confirmation_mail - If this flag is set to 1 then an additional email
will be sent to the person who submitted the
CAUTION: with this feature turned on it's
possible for someone to put someone else's email
address in the form and submit it 5000 times,
causing this script to send a flood of email to a
third party. This third party is likely to blame
you for the email flood attack.
$confirmation_text - The header and body of the confirmation email
sent to the person who submits the form, if the
$send_confirmation_mail flag is set. We use a
Perl 'here document' to allow us to configure it
as a single block of text in the script. In the
example below, everything between the lines
$confirmation_text = <<'END_OF_CONFIRMATION';
is treated as part of the email. Everything
before the first blank line is taken as part of
the email header, and everything after the first
blank line is the body of the email.