PerlMonks  

CGI recipient Option

by quissett (Initiate)
on Sep 01, 2004 at 15:44 UTC [id://387567]

quissett has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I am looking for a little help in emailing the results of the form below to specific recipients. Specifically, one of the recipients will need to receive the form based on the value of a field. In the case of the code below, I need the form sent to test@test.edu if the print MAIL "<font color=\"#FF0000\"><b>US Citizen? </b>$FORM{'ckusyes'} $FORM{'ckusno'}</font><br>"; check box value is 'chusno'. I know that I have to move where I put open (MAIL, "|$mailprog $recipient") || die "Can't open $mailprog!\n"; but I have not had any success in this endeavor. Please help....
#!/usr/local/bin/perl -- -*-perl-*-
# ------------------------------------------------------------
# check-in.cgi
# Interactive form
#
# ------------------------------------------------------------

# Define mail program
$mailprog = '/usr/lib/sendmail';

# Recipient of form responses
$recipient = 'hd@whoi.edu';

# Print out a content-type for HTTP/1.0 compatibility
print "Content-type: text/html\n\n";

# Get the input
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

# Split the name-value pairs
@pairs = split(/&/, $buffer);

foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);

    # Un-Webify plus signs and %-encoding
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

    # Stop people from using subshells to execute commands
    # Not a big deal when using sendmail, but very important
    # when using UCB mail (aka mailx).
    # $value =~ s/~!/ ~!/g;

    # Uncomment for debugging purposes
    # print "Setting $name to $value<P>";

    $FORM{$name} = $value;
}

# Print title and header info for user response
&user_response;

$date = `date`;

# Now send mail to $recipient formatted in HTML
# Note: MIME, Subject and Content lines must appear EXACTLY as they do below
# (only one \n after Subject line!)
open (MAIL, "|$mailprog $recipient") || die "Can't open $mailprog!\n";
print MAIL "Reply-to: $FORM{'espr2'} $FORM{'estb'} $FORM{'espr'}\n";
print MAIL "MIME-Version: 1.0\n";
print MAIL "To: $recipient\n";
print MAIL "From: $FORM{'espr2'} $FORM{'estb'} $FORM{'espr'}\n";
print MAIL "Subject: ES Internal Routing Form> $FORM{'name'}: $FORM{'id'} \n";
print MAIL "Content-Type: text/html; charset=us-ascii\n";
print MAIL "Content-Transfer-Encoding: 7bit\n";
print MAIL "<html><head>\n";
print MAIL "<title>WHOI Human Resources Office: ";
print MAIL "ES Internal Routing Form</title>\n";
print MAIL "</head>\n";
print MAIL "<body bgcolor=\"#FFFFFF\" text=\"#000000\" link=\"#003366\" ";
print MAIL "alink=\"#666666\" vlink=\"#6699CC\">\n";
print MAIL "<center><table border=0 width=99%>";
print MAIL "<tr><td align=left>";
print MAIL "<img src=\"http:///services/HR/graphics/smdbw_logo.gif\" ";
print MAIL "alt=\"WHOI logo\"></td>";
print MAIL "<td align=center><font color=\"#003366\" size=+2>";
print MAIL "Human Resources Office<br>";
print MAIL "ES Internal Routing Form</font></td></tr>";
print MAIL "</table>";
print MAIL "<img src=\"http:///services/HR/graphics/2lines.gif\" ";
print MAIL "alt=\"2lines\"></center>";
print MAIL "<font color=\"#FF0000\"><b>Processed By: </b>$FORM{'espr2'} $FORM{'estb'} $FORM{'espr'}</font><br>";
print MAIL "<b>Name: </b>$FORM{'name'}<br>";
print MAIL "<b>SS#: </b>$FORM{'ss'}<br>";
print MAIL "<b>ID#: </b>$FORM{'id'}<br>";
print MAIL "<b>Dept: </b>$FORM{'deptnumber'}<br>";
print MAIL "<b>Title: </b>$FORM{'title'}<br>";
print MAIL "<b>DOB: </b>$FORM{'dob'}<br>";
print MAIL "<font color=\"#FF0000\"><b>US Citizen? </b>$FORM{'ckusyes'} $FORM{'ckusno'}</font><br>";
print MAIL "<b>If not, which country? </b>$FORM{'country'}<br>";
print MAIL "<b>Visa Type: </b>$FORM{'visa'}<br>";
print MAIL "<b>EEO Designation </b>$FORM{'eeodesgination'}<br>";
print MAIL "<b>Veteran: </b>$FORM{'eeoveteran'}<br>";
print MAIL "<b>Disabled: </b>$FORM{'eeodisabled'}<br>";
print MAIL "<hr>";
print MAIL "<font color=\"#003366\" size=+2><b>Employment Action </b></font><br>";
print MAIL "<hr>";
print MAIL "<b>Action: </b>$FORM{'newhire'} $FORM{'rehire'} $FORM{'term'} $FORM{'LOA'} $FORM{'change'} $FORM{'promotion'} $FORM{'extension'}<br>";
print MAIL "<b>Dept Transfer To: </b>$FORM{'depttransfer'}<br>";
print MAIL "<b>Effective Date: </b>$FORM{'effectivedate'}<br>";
print MAIL "<b>Expiration Date: </b>$FORM{'expirationdate'}<br>";
print MAIL "<b>Termination Date: </b>$FORM{'terminationdate'}<br>";
print MAIL "<b>Termination Reason: </b>$FORM{'termreason'}<br>";
print MAIL "<hr>";
print MAIL "<b>Type/Status: </b>$FORM{'ft'} $FORM{'threequarter'} $FORM{'half'} $FORM{'casual'} $FORM{'education'} $FORM{'guest'}<br>";
print MAIL "<b>Reg/Temp: </b>$FORM{'regular'} $FORM{'temporary'}<br>";
print MAIL "<b>Graded/Exempt: </b>$FORM{'graded'} $FORM{'exempt'}<br>";
print MAIL "<hr>";
print MAIL "<b>Annual Salary: </b>$FORM{'annsalary'}<br>";
print MAIL "<b>TRE: </b>$FORM{'tre'}<br>";
print MAIL "<b>Accrual Date: </b>$FORM{'accrualdate'}<br>";
print MAIL "<b>Supervisor: </b>$FORM{'super'}<br>";
print MAIL "<b>Office Address: </b>$FORM{'whoiadd'}<br>";
print MAIL "<b>Mail Stop: </b>$FORM{'ms'}<br>";
print MAIL "<b>Extension: </b>$FORM{'extension'}<br>";
print MAIL "<hr>";
print MAIL "<b>Primary Address: </b>$FORM{'primaryadd'}<br>";
print MAIL "<b>Primary Phone: </b>$FORM{'primaryphone'}<br>";
print MAIL "<b>Publish in the WHOI Directory? </b>";
print MAIL "$FORM{'pubaddry'} $FORM{'pubaddrn'}<br>";
print MAIL "<hr>";
print MAIL "<b>New Position: </b>$FORM{'newposition'}<br>";
print MAIL "<b>Job Code: </b>$FORM{'jobcode'}<br>";
print MAIL "<b>EEO Code: </b>$FORM{'eeocode'}<br>";
print MAIL "<b>Market Average: </b>$FORM{'marketave'}<br>";
print MAIL "<b>Additional Comments: </b>$FORM{'comments'}<br>";
print MAIL "<hr>";
print MAIL "<b>Emergency Contact: </b>$FORM{'emername'}<br>";
print MAIL "<b>Relationship: </b>$FORM{'emerrelate'}<br>";
print MAIL "<b>Emergency Address: </b>$FORM{'emeradd'}<br>";
print MAIL "<b>Emergency Phone: </b>$FORM{'emerphone'}<br>";
print MAIL "<hr>";
print MAIL "</body></html>";
close (MAIL);


Re: CGI recipient Option
by gellyfish (Monsignor) on Sep 01, 2004 at 16:15 UTC

    STOP! Abandon this code. If you just want to get a form to email program then go to NMS and download one.

    /J\

      Care to explain?

        When it comes to security, it does not pay to reinvent the wheel.

        From the FAQ:

        But there are perfectly good programs already out there, why bother?

        Actually, there aren't really.

        Most CGI programs that are available for free download really aren't very good at all. Most of them seem to be written by people with very little knowledge of Perl.

        Many of the developers on nms have been very active in the Perl community for years. They know Perl and CGI programming very well.

        The problems with most other CGI programs fall into three categories:

      • The programs are insecure. Putting a CGI program on your web site is very risky. It means that you are allowing anyone to run a program on your web server. Unless these programs have been written very carefully, you may be allowing unscrupulous people (known as crackers) to gain access to more information than you intend. Eventually the crackers may be able to take control of your web server.
      • Perl makes it very easy to write secure programs. Unfortunately, most CGI program authors don't seem to know this.
      • The programs are buggy. Many of the other programs have had no kind of code review. This means that they often still have bugs in which can cause problems on your web site. You may be the first person to discover this bug. The support you get from the authors of these programs can be very patchy. I have never received a reply from Matt Wright when I've reported a bug in his scripts.
      • The nms project has a large number of developers, therefore each line of code has been seen by many people. The chance of bugs is much reduced. Additionally, we have a dedicated mailing list to deal with support issues.
      • The programs are badly written. Whilst many people simply install these programs and never look at the code, others will read CGI program code as a way to learn to write their own CGI programs. We therefore feel it is important that our scripts reflect the best Perl coding practices. Others don't share our views and many people have learned very bad coding habits from reading Matt Wright's code.

        In the first place this code allows someone to place arbitrary headers into the email that is sent - it would be trivial for it to be exploited as an anonymous method for sending spam.

        /J\

Re: CGI recipient Option
by iburrell (Chaplain) on Sep 01, 2004 at 16:29 UTC
    There are two ways to specify recipients with sendmail. Either pass them on the command line, or use the '-t' option and it will pull them out of the To:, Cc:, Bcc: headers. Since you want to have the recipients in the To: header anyway and it is safer to put them in the header, use the '-t' option.

    Now, the To: header separates the list of recipients with commas. One way is to concat onto the recipient string.

    $recipient .= ', somebody@somewhere' if $FORM{'ckusno'};
    Another way is to have a list of recipients and join them together.
    push @recipients, 'somebody@somewhere' if $FORM{'ckusno'};
    my $recipients = join(', ', @recipients);

    However, you should not put this script up on the web. It will be hacked. It will be used to send spam through your server. It will get you and your employer in lots of trouble. It may allow the server to be compromised and taken over. That might not be a bad thing because the hackers might delete this script.

      This script is only used internally by a small office. I am not too concerned about the security. However, are there some steps I can take to make this script more secure? Thanks for your info!!!!!!!!!
        The important question is: is it accessible to the web? Being used internally may make it harder for bad guys to find and exploit. But as long as it is visible to the whole web, it is vulnerable.

        First, use CGI.pm to parse the form parameters. There are bugs and security issues in parsing form parameters that CGI.pm fixes. Lincoln Stein has done the work, and tons of people have tested and trusted it, so you don't need to. If you want a hash, use the Vars method.

        Second, reduce what comes from form parameters. Form parameters can be set to anything by attackers. For example, with the Reply-to line, I could send "your@email-address\nTo: some spam victim\nSubject: this is spam\n\nMy spam message" as the espr2 parameter. The recipient receives some spam with your message as junk at the end. Hard code them in the script where you can. You have done this with the recipient, which is good. One trick is to reorder the headers with form parameter fields last.

        Some values, like the From: line in your script, have to come from the form parameters. Validate those that are important from a security standpoint. Email address parameters should only look like an email address, and you can be more strict than the general address matching. Names in headers should just be words. Other fields in the header should not contain line breaks.
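Putting iburrell's two replies together (the recipient list handed to sendmail -t from the first, CGI.pm parsing, hard-coded addresses and line-break checks on header fields from the second), as an added example that is not code from the thread. It keeps the original's mail program path and the field names and second address from the question; the header_safe and looks_like_email subs are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Added example, not the original check-in.cgi: recipients are hard-coded,
# header fields are checked for line breaks, sendmail reads the recipients
# from the headers (-t), and a blank line terminates the header block.
my $mailprog   = '/usr/lib/sendmail';   # path from the original script
my @recipients = ('hd@whoi.edu');       # never taken from the form
my $q    = CGI->new;
my %FORM = $q->Vars;                    # CGI.pm does the parsing

# Extra recipient chosen by the checkbox (address as given in the question).
push @recipients, 'test@test.edu' if $FORM{'ckusno'};

# A CR or LF inside a header value is what lets a form field append extra
# headers (To:, Bcc:, a second Subject:) to the message, so refuse it.
sub header_safe {
    my ($value) = @_;
    $value = '' unless defined $value;
    die "header field contains a line break\n" if $value =~ /[\r\n]/;
    return $value;
}

# Reply-To must be a bare address: local part, '@', dotted domain.
sub looks_like_email {
    my ($addr) = @_;
    return defined $addr && $addr =~ /\A[\w.+-]+@[\w-]+(?:\.[\w-]+)+\z/;
}

my $reply_to = looks_like_email($FORM{'espr2'}) ? $FORM{'espr2'} : $recipients[0];
my $name     = header_safe($FORM{'name'});

# List form of open: no shell is involved, so sendmail's arguments are fixed.
open(my $mail, '|-', $mailprog, '-t', '-oi') or die "Can't open $mailprog: $!\n";
print $mail "To: ", join(', ', @recipients), "\n";   # -t reads this line
print $mail "From: $recipients[0]\n";                # fixed sender
print $mail "Reply-To: $reply_to\n";
print $mail "Subject: ES Internal Routing Form: $name\n";
print $mail "MIME-Version: 1.0\n";
print $mail "Content-Type: text/html; charset=us-ascii\n";
print $mail "\n";                                    # end of headers
print $mail "<html><body><b>Name: </b>", CGI::escapeHTML($name), "</body></html>\n";
close($mail) or die "sendmail exited with status $?\n";
```

Any field that is copied into the body the same way should go through CGI::escapeHTML as well, so that form input cannot inject markup into the HTML message.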

Re: CGI recipient Option
by ikegami (Patriarch) on Sep 01, 2004 at 16:14 UTC

    I'm not sure I understand what you want, but I believe it's one of these:

    1) Emailing works, but you want to change the recipient depending on a checkbox. Add:

    $recipient = 'test@test.edu' if ($FORM{'ckusno'});

    2) Emailing works, but you want to send the email to two recipients depending on a checkbox. Put the mail stuff in a subroutine and call it twice:

    $recipient2 = 'test@test.edu';

    sub mail_it {
        my ($to) = @_;
        open (MAIL, "|$mailprog $to") || die "Can't open $mailprog!\n";
        print MAIL "Reply-to: $FORM{'espr2'} $FORM{'estb'} $FORM{'espr'}\n";
        print MAIL "MIME-Version: 1.0\n";
        print MAIL "To: $to\n";
        ...
        print MAIL "</body></html>";
        close (MAIL);
    }

    mail_it($recipient);
    mail_it($recipient2) if ($FORM{'ckusno'});

    In the future, please specify what it does wrong, not just what you want it to do.

      I can't seem to get this to work. When I leave just the $recipient2 = 'test@test.edu'; at the top as is, everything is fine. When I try to add the changes it does not seem to like this. Thanks Q
      Thanks for your feedback. Does it matter where the #$recipient = 'test@test.edu' if ($FORM{'ckusno'}); goes?
        After the foreach $pair (@pairs) loop (because that's where %FORM is initialized), but before open(MAIL, ...) (because that's where $recipient is used).
Re: CGI recipient Option
by iburrell (Chaplain) on Sep 01, 2004 at 18:30 UTC
    BTW, I am surprised that the email works. You don't have a blank line between the header and the body. It should be:
    print MAIL "Content-Transfer-Encoding: 7bit\n";
    print MAIL "\n";
    print MAIL "<html><head>\n";
    And the From: and the Reply-To: lines are probably not formatted correctly. They should look like:
    Reply-to: Some Name <some@address>
    From: Some Name <some@address>
Why reinvent the wheel?
by logan (Curate) on Sep 02, 2004 at 01:25 UTC
    Wouldn't it be easier to use Mail::Sendmail?

    -Logan
    "What do I want? I'm an American. I want more."
