This is a web-form-to-email program that was designed to be secure from the start. As such it does not trust user input any more than absolutely necessary: user input is used only for the email body, the redirect address, and the Referer header. The Host header is used together with the Referer to determine the name of the email template file. The template file must always be in the same directory as the HTML file that contains the form, and must have the same name, the single exception being the extension: the template file must end with ".tpl". Because both of these headers are supplied by the client, the derived template path must resolve to a file under the web server's document root before it is opened.
The template file is plain text and must contain the email address(es) to send the email to and the subject line of the email. These are special lines: they are removed from the template before variable substitution. They must begin with "To: address" and "Subject: subject", without the double quotes, where address and subject are the recipient's email address and the subject of the sent email respectively. Do not list more than one recipient on a line; if more than one recipient is required, add additional "To: address" lines, and the software appends each address to the recipients field. Subject lines are likewise stripped from the template. If the software encounters multiple Subject: lines it generates one subject line by concatenating all of them together and removing the carriage returns and line feeds. Given the confusing result, the use of multiple subject lines is not recommended. These lines may be placed anywhere in the file; for readability, however, it is recommended that they are placed at the top.
You can specify the address the email is sent from either in the template file or with the special form field "Email". If you want the user of the form to supply their own email address as the return address, the field must be named "Email", without the quotes; the name is case sensitive. If no such field exists in the form, the software looks in the template file for a line "From: address", which lets the site designer fix the address the email comes from. If neither option is used, the software uses the email address of the web server administrator. Since the value of "Email" comes straight from the form, a deployment should confirm that it is a single, well-formed address containing no carriage returns or line feeds before placing it in the From: header.
You need a hidden input field in your HTML named "redirect" whose value is the complete URL of the page the user is redirected to after the form is submitted.
Optionally, you can use a hidden input field named "required", which lists the fields that must be filled in for the submission to continue.
The template file contains the field names enclosed in square brackets. Currently two internally generated field names are supported: date and time, which are set to the web server's current date and time at the start of the script's execution. All other fields must be defined in your HTML file.
Example template file (the To: line that a real template must contain is omitted here):

Subject: This is a test
Hello [name], this is a demo email sent at [time] on [date].

Example HTML form:

<form action="/php/Mailer.php" method="post">
<input type="hidden" name="required" value="name">
<input type="hidden" name="redirect" value="http://www.example.com">
Name: <input type="text" name="name" value="Fred">
<input type="submit" value="Send">
</form>
The above HTML and template file would result in an email similar to the one shown below:
Date: Thu, 21 Feb 2002 13:17:02 -0500
Subject: This is a test
Hello Fred, this is a demo email sent at 13:17:02 on Thursday February 21, 2002.
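The following is an added worked example, not the project's own Mailer.php: it re-implements the template handling described above (extraction of the To:, Subject: and From: lines, the from-address precedence, the "required" check and the [field] substitution with the internal date and time fields) so that the rules can be read in one place. The function names, the comma-separated format of the "required" list, the $default_from parameter, the rejection of an "Email" value containing line breaks, and the sample template and POST data (constructed to mirror the template and form on this page, with a To: line added) are all assumptions of this example.

```php
<?php
// Added example re-implementing the documented template rules; it is not the
// project's Mailer.php.  Function names, the comma-separated "required" list
// and the $default_from parameter are assumptions of this example.

// Split a template into header lines and body.  "To:", "Subject:" and "From:"
// lines are removed before variable substitution, as documented.
function parse_template(string $tpl): array
{
    $to = [];
    $subjects = [];
    $from = null;
    $body = [];
    foreach (preg_split('/\r\n|\r|\n/', $tpl) as $line) {
        if (preg_match('/^To: (.+)$/', $line, $m)) {
            $to[] = trim($m[1]);            // one recipient per line
        } elseif (preg_match('/^Subject: (.*)$/', $line, $m)) {
            $subjects[] = $m[1];            // several lines get concatenated
        } elseif (preg_match('/^From: (.+)$/', $line, $m)) {
            $from = trim($m[1]);
        } else {
            $body[] = $line;
        }
    }
    // All Subject: lines concatenated, with CR/LF removed, as documented.
    $subject = str_replace(["\r", "\n"], '', implode('', $subjects));
    return ['to' => $to, 'subject' => $subject, 'from' => $from,
            'body' => implode("\n", $body)];
}

// Added check (not stated on the page): a user-supplied "Email" must be one
// well-formed address with no line break, otherwise the sender could append
// extra mail headers through it.
function valid_address(?string $addr): bool
{
    return $addr !== null
        && !preg_match('/[\r\n]/', $addr)
        && filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Every field named in the hidden "required" input must be present and
// non-empty.  The comma separator is an assumption of this example.
function missing_required(array $post): array
{
    $missing = [];
    $names = array_filter(array_map('trim', explode(',', $post['required'] ?? '')));
    foreach ($names as $f) {
        if (!isset($post[$f]) || trim((string) $post[$f]) === '') {
            $missing[] = $f;
        }
    }
    return $missing;
}

// Replace [field] placeholders with POST values; [date] and [time] are
// generated internally from the timestamp taken at script start.
function fill_template(string $body, array $post, int $now): string
{
    $map = ['[date]' => date('l F j, Y', $now), '[time]' => date('H:i:s', $now)];
    foreach ($post as $k => $v) {
        if (in_array($k, ['required', 'redirect'], true)) {
            continue;                       // control fields, not content
        }
        $map['[' . $k . ']'] = is_array($v) ? implode(', ', $v) : (string) $v;
    }
    return strtr($body, $map);
}

// Assemble the pieces that would be handed to mail().
function build_message(string $tpl, array $post, string $default_from, int $now): array
{
    $missing = missing_required($post);
    if ($missing) {
        return ['error' => 'missing required field(s): ' . implode(', ', $missing)];
    }
    $t = parse_template($tpl);
    if (!$t['to']) {
        return ['error' => 'template has no To: line'];
    }
    // Precedence as documented: form "Email" field, then the template's
    // From: line, then the server administrator's address.
    if (isset($post['Email'])) {
        if (!valid_address($post['Email'])) {
            return ['error' => 'invalid Email'];
        }
        $from = $post['Email'];
    } else {
        $from = $t['from'] ?? $default_from;
    }
    return ['to' => implode(', ', $t['to']), 'subject' => $t['subject'],
            'from' => $from, 'body' => fill_template($t['body'], $post, $now)];
}

// Constructed sample input mirroring the template and form on this page.
$template = "To: webmaster@example.com\nSubject: This is a test\n"
          . "Hello [name], this is a demo email sent at [time] on [date].\n";
$post = ['required' => 'name', 'redirect' => 'http://www.example.com', 'name' => 'Fred'];
$msg = build_message($template, $post, 'admin@example.com', time());
if (isset($msg['error'])) {
    exit($msg['error']);
}
// mail($msg['to'], $msg['subject'], $msg['body'], "From: {$msg['from']}\r\n");
// header('Location: ' . $post['redirect']);
print_r($msg);
```

Run with `php` from the command line to see the assembled to, subject, from and body fields; with the sample data the body reads "Hello Fred, this is a demo email sent at HH:MM:SS on Weekday Month D, YYYY." in the same form as the output shown above. The two commented-out calls mark where the real program would send the mail and issue the redirect.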