xisto Community
websaint

Tell-a-friend script: Make a tell-a-friend script with PHP


Hi! I'll show you how to make a simple tell-a-friend script using PHP. If you put this on your site, your visitors will be able to recommend your site to a friend. This can be good promotion for your site. It's quite easy to set up too. Just copy and paste the script below.

 

Put this where you want the form to appear:

 

```html
<form action="friendtell.php" method="get">
<b>Tell a friend:</b>
<input type="text" size="20" name="from" value="Your email">
<input type="text" size="25" name="to" value="Friend's email">
<input type="Submit" value="Recommend">
</form>
```

 

Put this in the file friendtell.php

 

```php
<p class="storre">Your friend has been told!</p>

<?
// As posted: $from and $to are expected to exist as plain variables, which only
// works with register_globals enabled (off by default since PHP 4.2).
$myname = $from;
$myemail = $from;

$contactemail = $to;

$message = "<h2>Hi!!</h2>\nI wanted to tell you about a cool site I found.
The url is http://ww38.yoursite.com/.<br><br>Best regards, $from.";
$subject = "From a friend.";

$headers = "";   // start from an empty string before appending headers
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: $myname\r\n";
$headers .= "To: $contactname\r\n";                       // $contactname is never set in this script
$headers .= "Reply-To: ".$myname." <$myreplyemail>\r\n";   // $myreplyemail is never set either
$headers .= "X-Priority: 1\r\n";
$headers .= "X-MSMail-Priority: Low\r\n";
$headers .= "X-Mailer: Just My Server";

mail($contactemail, $subject, $message, $headers);
?>
```

 

Yep, that's all. Hope you can make the script work! :)


A few noticeable errors: you call the script friendtell.php but you get them to name it tellfriend.php; you suggest no method for your form; you have a class attribute, which suggests there is also a style or stylesheet being used; and I believe limiting a textbox to 15 characters for an email address is too small. It also uses auto globals, which it is recommended to disable for security reasons. Short tags are used; for wider compatibility you should use full tags.

I also wouldn't recommend this script, as there are no security features implemented and it can result in unwanted spamming from your server. You really have to validate all the information that users input, or else it may result in arbitrary commands being executed on your server. The use of the escaped characters \r\n shows it's based around Windows, and that may even help in exploiting it.

You should also collect information about the user: just the email entered, IP address and time, so that if unwanted mail is being sent and you are notified of it, you can report to their ISP that this is what is happening and they could probably sort it for you. Make sure you have a policy that can be found easily on your site.

Another thing is that you don't need two separate pages to do this script; it can all be performed on one page. But you don't have to use a single page, two pages is fine; it should allow redirection though.

If I find time, I may work on this script and just improve security. All in all, it is simple indeed.

Cheers, MC

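To make concrete what the reply above means by unwanted mail going out through your server: the following is an added example, not code from the original post or from the reply's author. It rebuilds the header string the way friendtell.php does and feeds it a constructed hostile "from" value; the addresses are placeholders and nothing is actually mailed.

```php
<?php
// Added example: why unvalidated "from" input in the posted script lets a
// visitor send spam through your server. Nothing is mailed; we only build the
// header string exactly the way friendtell.php concatenates it.

function build_headers_as_posted(string $myname): string
{
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
    $headers .= "From: $myname\r\n";          // raw user input dropped straight into a header
    $headers .= "X-Mailer: Just My Server";
    return $headers;
}

// Constructed attacker input: an address, an encoded CR LF, then an extra header.
// As a query string it would be sent as
//   friendtell.php?from=attacker%40example.net%0D%0ABcc%3A%20v1%40example.org%2Cv2%40example.org
$from = "attacker@example.net\r\nBcc: v1@example.org,v2@example.org";

// The From: line is now followed by a Bcc: line the attacker controls, so every
// submission is also delivered to the attacker's list through your mail server.
echo build_headers_as_posted($from), "\n";

// The check that closes the hole: a header value must contain no CR, LF or NUL,
// and here it must additionally be one syntactically valid address.
function is_single_header_value(string $s): bool
{
    return preg_match('/[\r\n\0]/', $s) === 0
        && filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

var_dump(is_single_header_value($from));                 // rejected
var_dump(is_single_header_value('friend@example.net'));  // accepted
```

The same trick works against any field that ends up in a header (To, Reply-To, Subject), which is why every such value has to be checked, not only the "from" one.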

This script is not good because it is mostly insecure. Without even minimal user input validation, you can really use this form to spam A LOT. To improve this script, we must check all of the variables passed from the form to make sure they are acceptable input. Also, I think the format of the headers looks wrong, but I'm not sure.

It is also best to send plain-text emails. Even though most mail clients can handle HTML emails by now, it may become a security issue. It also takes less bandwidth to send plain-text emails, and since the example you provided doesn't contain much, a plain-text email will be almost just as effective as the one you gave.


I think you should put the scripts in [code] ... [/code] tags. Also, shouldn't you put

$myname = $_GET['from'];

and the same for the other variables you transferred from the first PHP script to the other?
As stated above, this script could be used for spamming, which may result in complaints against your site. But to solve this issue you could require a user to be signed up on your site so that you can track his emails and whether he is spamming, which means you have to log emails as well. While using such a form to send an email is cool, I don't think such an abusable feature should be put on your site =)

something missing: Tell-a-friend script

I am wondering, your script poses a security threat... Why use method="GET"? This displays all the information being sent in the address bar; method="POST" works better! And I think you have to use $myname=$_POST['from']; instead of $myname=$from; anyone comment on this?

-reply by HDYAN-Threat fire!!

 

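Pulling together the points raised in the replies in this thread (validate every input, keep CR/LF out of headers, POST instead of GET, a plain-text body, log IP and time so abuse can be traced, limit how much one visitor can send, redirect after sending), here is a hardened friendtell.php. It is an added example, not code from the original post or from any of the repliers. The site URL, sender address, log file path, rate limits and thanks page are assumed placeholders, and the form page is assumed to use method="post" and carry a session-bound token as described in the comments.

```php
<?php
// friendtell.php, hardened. Added example; not the original post's code.
// The form page (not shown) must call session_start(), set
// $_SESSION['tf_token'] = bin2hex(random_bytes(16)), use method="post", and send
// the fields "from", "to" and a hidden field "token" carrying that value (HTML-escaped).
declare(strict_types=1);
session_start();

const SITE_URL   = 'https://www.example.com/';   // assumption
const MAIL_FROM  = 'noreply@example.com';        // assumption: an address on our own domain
const LOG_FILE   = __DIR__ . '/tellafriend.log'; // assumption: writable by the web server
const MAX_PER_IP = 5;                            // sends allowed per client IP per window
const WINDOW_SEC = 3600;

// One syntactically valid address, bounded length, no CR/LF/NUL (header injection).
function clean_email(?string $raw): ?string
{
    $s = trim((string) $raw);
    if ($s === '' || strlen($s) > 254 || preg_match('/[\r\n\0]/', $s)) {
        return null;
    }
    $v = filter_var($s, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Count recent sends from this IP in the append-only log (one "ip|unixtime|from|to" per line).
function sends_in_window(string $ip, int $now): int
{
    if (!is_file(LOG_FILE)) {
        return 0;
    }
    $n = 0;
    foreach (file(LOG_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode('|', $line);
        if (count($parts) >= 2 && $parts[0] === $ip && (int) $parts[1] > $now - WINDOW_SEC) {
            $n++;
        }
    }
    return $n;
}

function fail(int $code, string $msg): void
{
    http_response_code($code);
    header('Content-Type: text/plain; charset=utf-8');
    exit($msg);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');                     // GET would put both addresses in the URL and server logs
}
if (!isset($_SESSION['tf_token'], $_POST['token'])
    || !hash_equals($_SESSION['tf_token'], (string) $_POST['token'])) {
    fail(403, 'Bad or missing form token');     // stops other sites driving the form for you
}

$from = clean_email($_POST['from'] ?? null);
$to   = clean_email($_POST['to'] ?? null);
if ($from === null || $to === null) {
    fail(400, 'Please enter two valid e-mail addresses');
}

$ip  = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';    // socket peer; trust X-Forwarded-For only behind a known proxy
$now = time();
if (sends_in_window($ip, $now) >= MAX_PER_IP) {
    fail(429, 'Too many recommendations from your address; try again later');
}

// Plain-text body; the only visitor-supplied data in it is the already validated address.
$subject = 'A friend recommends ' . SITE_URL;
$body    = "Hi!\n\n$from thought you might like this site:\n" . SITE_URL . "\n\n"
         . 'Sent from ' . SITE_URL . " at the request of $from (IP $ip). "
         . 'Abuse reports: ' . MAIL_FROM . "\n";

// Fixed From: on our own domain (SPF/DMARC stay valid); the visitor only gets Reply-To.
$headers = implode("\r\n", [
    'From: ' . MAIL_FROM,
    'Reply-To: ' . $from,
    'MIME-Version: 1.0',
    'Content-Type: text/plain; charset=utf-8',
]);

// Log before sending so every attempt, abused or not, leaves an ip|time|from|to record.
file_put_contents(LOG_FILE, "$ip|$now|$from|$to\n", FILE_APPEND | LOCK_EX);

if (!mail($to, $subject, $body, $headers)) {
    fail(500, 'The message could not be sent');
}

unset($_SESSION['tf_token']);                                 // one token, one send
header('Location: ' . SITE_URL . 'thanks.html', true, 303);   // redirect after POST
exit;
```

Two design choices worth noting: the From: header is fixed to an address on your own domain rather than the visitor's, because mail sent with an arbitrary From: fails SPF/DMARC checks at the receiving side and gets your server flagged; and the log line is written before mail() is called, so the IP and timestamp that the first reply asks for exist even when delivery fails or the abuse is only noticed later.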
