When I needed to do this, I basically created a PHP page called 'send2friend.php' which relied on a variable being carried over, in this case the page name that I'm on. As i was only doing this for 3 pages, I thought it easier to manually code the html to do so, I then used open.window to open a popup with that page and the url passed.


My send2friend page looks like

[php]
<?
// Send to friend script.. This page will send the given link to a friend
// Carl Pickering - Line3 Internet

// Quick and dirty hack to get a full URL.
$tPAGE = $_GET['page'];
$PAGE = "http://www.domain.co.uk/" . $tPAGE . ".php";

// Send the details
if($_POST['action']=='send') {

// define some variables first
$send_to = $_POST['f_email'];
$y_person = $_POST['y_name'];
$y_email = $_POST['y_email'];
$f_name = $_POST['f_name'];
$subject = "Interesting Link from - $y_person";
$thank_you ="We have passed on the page to - $f_name";

// Build the message
$message = "Hi $f_name ,\n\n";
$message .= "I found this page, and thought it might be of interest\n";
$message .= "Link: $PAGE\n";
$message .= "Let me know what you think, $y_person\n\n\n";
$message .= "You were sent this email because $y_person <$y_email> thought it might be of interest. We do not keep your information";
$mailheaders = "From: $y_person <$y_email> \n";
$mailheaders .= "Reply-To: $y_person <$y_email>\n\n";

// Simple but basic.. Now send the email
mail($send_to, $subject, $message, $mailheaders);

print(" <script language=\"Javascript\"> alert('$thank_you'); </script> ");
print(" <script language=\"Javascript\">window.close();</script> ");
}
?>
[/php]
My form code (change as needed)

[php]
<form action="<? $_SERVER['PHP_SELF']; ?>" method="post" name="send2friend" id="send2friend">
<table width="400" border="0" align="center" cellpadding="0" bgcolor="#FFFFFF">
<tr bgcolor="#FFFFFF">
<td colspan="2"></td>
</tr>
<tr bgcolor="#FFFFFF">
<td colspan="2">&nbsp;</td>
</tr>
<tr bgcolor="#FFFFFF">
<td colspan="2">Found something that a friend might be interested in? Fill in the information below to notify them of what you found. </td>
</tr>
<tr bgcolor="#FFFFFF">
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td width="30%">Friends Name:</td>
<td width="50%"><input name="f_name" type="text" id="f_name" size="25" maxlength="60"></td>
</tr>
<tr>
<td>Friends Email:</td>
<td><input name="f_email" type="text" id="f_email" size="25" maxlength="64"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>Your Name: </td>
<td><input name="y_name" type="text" id="y_name" size="25" maxlength="60"></td>
</tr>
<tr>
<td>Your Email:</td>
<td><input name="y_email" type="text" id="y_email" size="25" maxlength="64"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>Page to be sent: </td>
<td><? echo "$PAGE"; ?></td>
</tr>
<tr>
<td><input name="action" type="hidden" id="action" value="send"></td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td><a href="javascript:document.send2friend.reset();">Reset</a><img src="images/read_1.gif" alt="" style="margin:0px 5px 0px 30px;"><a href="javascript:document.send2friend.submit();">Submit</a></td>
</tr>
</table>
</form>
[/php]

What effort have you made thus far? Do you need help with the design, coding, or do you just want us to do the work for you?

Really thanks "cpickering"

and thanks for ur comment "Puckdropper", i just want toindicate that i am not professional with php or java, but i do my best, i just use the dreamwaver to do my site, and i hope to get the experiance from u?, do u wellcome???

Not to nag you or anything, but you should be concerned about user input validation if you don't wanna your form to be abused.

I do run validation on the forms I use, but I didn't post any with the example I use.
Didn't wanna overload the script, also gives the user the chance to learn from others scripts. No point in doing all the work for them :lol:

Personally, i run strip_tags() and form validation via php if a complex form, and js if a simple one

thanks for the heads up tho

I see... hmm... what do you mean by a complex form? Any form should be validated server side doesn't matter how complex it is. JS validation is just for the user convenience and cannot replace the php validation, for it can be turned off.

Also, strip_tags() is not quite enough. The most important thing is email validation, especially of those emails you put in the headers (ex. from email). Nothing stops them from entering, for example: bcc: someemail1@email.tld, someemail2@email.tld, .... thus using your form for spamming.

Complex form:

Forms that contain a lot of required information, and where the email address (if needed) is required and needs to be a proper address.

When building said form, take the email address, check the mx to confirm it is a real domain. That could be extended onto the check email account by running a TCP connection to the MX server and running 'mail to:'. I haven't got that far yet if I'm honest.

If the form, is just 'username and email' say to sign up to a mailing list or something, simple JS validation of 'You haven't entered an email address' is enough.

To overcome the injection of someones own form variables; I run a check on the form elements I allow. confirm they are posted, and disgard any others. I also don't allow any URI strings to be passed.

All be it im not the best PHP coder about, but I'm learning and trying new things and so far *touches wood* I've not been the subject of any form screw ups yet.

I don't think any form, is 100% secure, but it is as secure as you make it, or attempt to

Well, it is not really so necessary to check if the email really exists. What I mean is using a simple regular expression to check if the email is of a valid form and thus there are no malicious attempts possible (bcc, cc, etc.). The main concern when dealing with email sending is spamming.

As far as the login forms, yes, I agree that simple js validation for empty fields is enough. But that's only assuming you do validate the input and don't just pass it directly to your queries (sql injection).

Overall, there are 2 main things that concern web application security:

• Always validate user input
• Always validate application output

Keep that in mind when developing and your application will have no major security issues.

Thanks for the advice, its been noted