Important info on Ultimate Form Mail

liunx

Guest
I recently started collecting email addresses just for this purpose... but I know that lots of folks at TCH use the script and grabbed their code before I collected emails.

This info is important and I have no way of contacting you other than to post it here.

What will soon follow is a post in my support forums.

I also want to let you know that some major changes have gone on and we're now on version 2.4 with lots of bells and whistles, upgrades to error reporting and stability.

But another major change is that the code is now no longer transparent, as I encode the main engine. If that's not to your liking, stick with the version you have. But I think you should still make the change outlined in this post below.

Here it is:

//////////////////////////

In the past, some users have reported that the extra security precaution,

CODE:
$set['referer_check'] = '1';

was preventing them from completing the form, even though they were coming from the same site. In other words, it was giving a false negative.

Initially, I thought that the problem was with different versions of PHP, server installations, or possibly the operating system of the server.

I did some thorough research and found out that the server variable $_SERVER['HTTP_REFERER'] is NOT reliable. It's not a fault in the PHP language but rather a variable that is set by the browser, and therefore can be missing, or faked.

Some settings on firewalls can mess with it too.

What this means for you

In order to make sure that all users can access and use your form, you should immediately turn the referer check to the off position by changing

CODE:
$set['referer_check'] = '1';

to

CODE:
$set['referer_check'] = '0';

"But is this unsafe?"

Short answer: no

Long answer:
Spammers want only one of two things,
1- to harvest emails automatically through easy means
2- to hijack your form and send out spam through your website so you get blamed

(Number two is the holy grail of spammers.)

Your email address is hardcoded into the PHP script, and so a spam-harvesting 'bot' can't find it. If you have a catchall email address set up then it's easy to send you a spam email, but that's totally unrelated to the script. That's just how you choose to set up your hosting account.

The more important issue is the spammer's goal of hijacking your form and sending spam through your site. When you break the script down to its simplest component, it basically does this when triggered:

QUOTE:
Send a preformatted email to this predetermined email address

See, since the recipient isn't defined in the posted data but rather is hardcoded into the PHP script, there is no danger of hijacking (that I know of).

What's the worst that could happen without the referer check?

To the best of my knowledge, the worst that could happen is that someone writes a script to send a flood of emails to your account and the emails go to you.

In order for this to happen, someone would have to
- know how to write such a script
- choose you out of all the sites on the web
- be content with sending all those emails to just you... not a list of spam recipients

In other words, have time on their hands to annoy you.

What if I'm still concerned about this?

Well, I've created a solution. Two actually.

The free solution is in the form of a time-sensitive code that is generated at runtime on your site. You have the flexibility to determine how long you want to give visitors who are filling out your form.

Could someone still write a script, go to your site, grab the latest key, and send the info to your form before the time limit expired?

Yes.

But it makes them jump through another hoop.

And all that work for no other payoff than to send YOU an email???? I don't see it happening.

....

(excess deleted)

And I've beefed up the documentation on the latest version of the code with a line-by-line (almost) explanation of what the different variables do.

http://www.surefirewebdesign.com/scripts/docs/

And for those TCH members that currently run the script but forgot where to get the code, I'll direct you to the TCH help page:

http://www.totalchoicehosting.com/help/id65.htm
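The two mechanisms the post contrasts, the HTTP_REFERER check and a time-limited code generated at runtime, as an added example. This is not the Ultimate Form Mail code and not the author's implementation of the time-sensitive key; the secret, the lifetime, the hidden-field name and the function names are assumptions chosen for illustration. It shows why the referer check gives false negatives (the header is optional and client-controlled, so a missing header is rejected while a forged one passes) and what a server-signed, expiring token looks like in PHP.

```php
<?php
// Added example (not code from Ultimate Form Mail or its author).
// Assumptions: FORM_SECRET, FORM_TTL, the "form_token" field name and the
// function names are illustrative; the secret must be generated randomly
// and kept outside the web root in a real deployment.
declare(strict_types=1);

const FORM_SECRET = 'replace-with-a-long-random-secret-kept-outside-webroot'; // assumed
const FORM_TTL    = 600;   // seconds a visitor gets to fill in the form (assumed)

// The referer check. HTTP_REFERER is set by the browser, so a privacy
// extension, proxy or firewall that strips it makes a genuine visitor look
// foreign (false negative), while a client that forges it passes.
function referer_matches(array $server, string $ownHost): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false;                       // header absent: legitimate visitor rejected
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Issue a token of the form "<expiry>:<nonce>:<hmac>". The HMAC binds the
// expiry and nonce to a server-side secret, so a client can neither mint a
// token nor extend the deadline of one it was given.
function issue_form_token(string $secret, int $now, int $ttl): string
{
    $expires = (string) ($now + $ttl);
    $nonce   = bin2hex(random_bytes(8));    // 16 hex chars
    $mac     = hash_hmac('sha256', $expires . ':' . $nonce, $secret);
    return $expires . ':' . $nonce . ':' . $mac;
}

// Verify structure, then the MAC (constant-time compare), then the expiry.
// A token copied out of the live page still verifies until it expires; that
// is the extra hoop the post describes, not a hard block. Record used nonces
// server-side if each token must be single-use.
function verify_form_token(string $token, string $secret, int $now): bool
{
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$expires, $nonce, $mac] = $parts;
    if (!ctype_digit($expires) || !ctype_xdigit($nonce) || strlen($nonce) !== 16) {
        return false;
    }
    $expected = hash_hmac('sha256', $expires . ':' . $nonce, $secret);
    if (!hash_equals($expected, $mac)) {
        return false;                       // forged or tampered token
    }
    return (int) $expires >= $now;          // expired tokens are rejected
}

// Wiring (assumed field name "form_token"):
// form page:  $t = issue_form_token(FORM_SECRET, time(), FORM_TTL);
//             echo '<input type="hidden" name="form_token" value="'
//                  . htmlspecialchars($t, ENT_QUOTES) . '">';
// handler:    if (!verify_form_token($_POST['form_token'] ?? '', FORM_SECRET, time())) {
//                 http_response_code(403);
//                 exit('Form expired, please reload the page and try again.');
//             }

// Self-check when run from the command line: php this_file.php
if (PHP_SAPI === 'cli') {
    $now   = time();
    $token = issue_form_token(FORM_SECRET, $now, FORM_TTL);
    $checks = [
        verify_form_token($token, FORM_SECRET, $now),                          // fresh: accepted
        !verify_form_token($token, FORM_SECRET, $now + FORM_TTL + 1),          // expired: rejected
        !verify_form_token($token . 'x', FORM_SECRET, $now),                   // tampered: rejected
        !verify_form_token('garbage', FORM_SECRET, $now),                      // malformed: rejected
        !referer_matches([], 'example.com'),                                   // header missing: rejected
        referer_matches(['HTTP_REFERER' => 'http://example.com/p'], 'example.com'), // forged header: passes
    ];
    echo in_array(false, $checks, true) ? "FAIL\n" : "ok\n";
}
```

The last two self-checks are the point of the post: a missing referer rejects a real visitor, while any client that bothers to send the expected header is waved through, so the check buys little. The token costs an attacker one extra request per submission but does nothing against a flood of submissions within the lifetime, so pair it with rate limiting if that is the concern. One caveat the post's argument does not cover: a hardcoded recipient only fixes the To address. If your copy of the script copies any posted field (sender name, reply address, subject) into mail headers, confirm that carriage returns and newlines are stripped from it, because that is where form-mail scripts have historically been abused to add recipients.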