I have the forward records mod working but I would like to know if it is possible to send the record to another user without the person sending an email being able to alter the body of the email. The default setup allows the user to add or change text on the email.

Also would it be possible to add a greeting in the body of the email again without the user being able to modify the message.

Thanks,

Dave

I have not looked at the forward mail mod, but it would seem that any search result could be emailed using a email address provided via a search form. You should be able to control the body of the email and keep it away from the sender.

I use the email subs from the Validation MOD.

Thanks for the reply Joe.

I think you are right that the body of the email could be kept away from the sender. I just don't know how to do it! Here is the form. I believe the bits that need to be modified are the emailmessage and/or $in{'email_message'}. Any help is appreciated!



sub html_forward_email_form {
#----------------------------------------------------------
my ($message) = $_[0];
$in{$db_key} =~ s/<?.B>//g;
%rec = &get_record($in{$db_key});

unless ($in{'email_message'}) {
foreach $col (@db_cols) {
$in{'email_message'} .= "$col: $rec{$col}\n";
}
}

&html_print_headers;

print qq|
<html><head><title>$html_title: Send an email</title></head>
<body bgcolor="#FFFFF4">
<center>
<table border=1 bgcolor="#FFFFFF" cellpadding=5 cellspacing=3 width=90% align=center valign=top>
<tr><td colspan=2 bgcolor="#006600">
<FONT FACE="MS Sans Serif, arial,helvetica" size=1 COLOR="#FFFFFF">
<b>$html_title: Send an email</b></td></tr>
<tr><td>
<p><center><$font_title><b>
Send an email
</b></font></center><br>
|;

if ($message) { print qq|There was a problem: $message|; }
print qq|
<$font>Fill in your email address, the subject of your email and the
message you wish to send to $rec{'Name'}.</font>
|;

print qq|
<form action="$db_script_url" method="POST">
<input type=hidden name="db" value="$db_setup">
<input type=hidden name="uid" value="$db_uid">
<input type=hidden name="$db_key" value="$in{$db_key}">
<table><tr><td align=right><$font>Your email address:</font></td>
<td><input type=text name="email" value="$in{'email'}" size=40></td></tr>
<tr><td align=right><$font>Recipient's email address:</font></td>
<td><input type=text name="to_email" value="$in{'to_email'}" size=40></td></tr>
<tr><td align=right><$font>Subject:</font></td>
<td><input type=text name="subject" value="$in{'subject'}" size=40></td></tr>
<tr><td align=right><$font>Your message:</font></td>
<td><textarea name="emailmessage" cols=40 rows=10 wrap="virtual">This job listing brought to you by http://www.nrmjobs.com.au

$in{'email_message'}</TEXTAREA></td></tr>
</table>
<center>
<INPUT TYPE="SUBMIT" NAME="forward_email" VALUE="Send Record">
<INPUT TYPE="RESET" VALUE="Reset Form">
</center>
</form>
|;

&html_footer;
print qq|</td></tr></table></body></html>|;

I believe that to stop the casual user from gaining access to the body of the email message, it would be as easy as just making it a hidden field in the form. Like any hidden field, you can still display the contents so that the user see what is to be sent, yet cannot edit it.

Thus;

<td><textarea name="emailmessage"

would be

<td><input type=hidden name="emailmessage"

But that is really just very basic stuff. And any user who understands forms and the strings sent by forms to the db.cgi could easily modify the string (or modify the form) to send a message other than the intended.

If the body of the message would not change, or only change based on the type of user, (ie guest vs admin) or perhaps if the message was based on the record, then some hardcoding could be done within the sub and not within the form.

Any other security measures are pretty much beyond me.


Joe

Thanks for the advice, Joe. I modified your idea and it seems to be working okay. I changed it to

<input type=hidden name="emailmessage" value="$in{'email_message'}">