E-mail address links to the contact_form/formbuilder

Vin

Post by Vin »

Hello,

I know I can use contact_form for a simple e-mail form or the formbuilder module for one which has an option for selecting another possible receiver of the e-mail (via the pre-defined subject). However, that's not quite what I'm looking for. I'd like to have:
  • E-mail addresses as links to the form (probably as forms with hidden inputs containing unique identifiers),
  • which would be obfuscated by JavaScript (something like the already existing e-mail tag)
  • and which, of course, can't be misused in any way (script/HTML injection or-how-exactly-it-is-called)
I think it could be done with the help of the database for e-mails and tweaking the contact_form and e-mail plugins, but I just wonder if anybody knows a better solution (or has done it already). Thoughts?
heatherfeuer

Re: E-mail address links to the contact_form/formbuilder

Post by heatherfeuer »

I think if I were to do that, I'd create the form(s), then where you have, say, the person's name, use a {cms_self_link} (I think that's how it's called) to link to the particular form.  To keep the email address hidden from bots, try and define a variable ($mail_to) for the email inside the script.  That way you can reuse a particular script, just setting the variable equal to different people's email. 

Bots looking through source code shouldn't be able to pick up the email address, but I can't say that for sure.  Someone else more knowledgeable about PHP might be able to help you there.
Vin

Re: E-mail address links to the contact_form/formbuilder

Post by Vin »

Thanks for the response, but I'm afraid this wouldn't work.
Basically, there are two problems:
a) The spambots sniffing for the e-mail address. I decided to just obfuscate the e-mail address with JavaScript, so that screen readers don't have a problem reading it.
b) Script/HTML injection. AFAIK, contact_form is secure as for headers forgery (sorry for the language :) - meaning you can't forge the addressee in the text input). But if I want to send an e-mail by clicking on the link-address, I need a means of sending the information about which one of the addressees to choose! And I can't use the e-mail address, even if it were separated - there's a danger it could be misused by a hostile form which would forge the addressee again. The risk can be lowered by obfuscating the parts of the e-mail addresses, but this is not 100% secure.
I can accept getting spam, because a) can't be avoided completely, but not allowing the abuse of the contact_form (b)).

The safe way consists of creating a list of addressees in the database and using the primary key number as the means of choosing which one of the addressees in the list to use - the link would hand this number to the contact_form script, which would connect to the database.

However - how to implement it in the site admin? Create a UDT, which would search the database for the e-mail addressee (given by the smarty tag from the user) and, if not found, create it? It looks like a good solution, but it has some disadvantages - the worst would be a lot of queries if there are more e-mail links on one page. Another would be to implement a drop-down menu in the content » pages » update page, which wouldn't slow the performance on the frontpage. On the other hand, hacking the admin is something I don't like very much...
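
The lookup described in the post above, as an added example that is not part of the thread or of CMS Made Simple: the form carries only a primary-key number and the server resolves the address from its own list. The table name `contact_recipients`, the `to` and `subject` fields and both helper functions are assumptions for illustration, and an in-memory SQLite database stands in for the CMS database.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table stands in for the CMS database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact_recipients (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO contact_recipients (id, name, email) VALUES
    (1, 'Sales', 'sales@example.org'), (2, 'Support', 'support@example.org')");

/** Map a request-supplied id to a stored address; null means "reject the request". */
function resolve_recipient(PDO $db, $rawId): ?string
{
    // Accept only a positive integer; addresses, markup or arrays are refused outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Prepared statement: the id is bound as data, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT email FROM contact_recipients WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : (string) $email;
}

/** Refuse a visitor-supplied value destined for a mail header if it contains a line break. */
function safe_header_value(string $value): ?string
{
    return preg_match('/[\r\n]/', $value) ? null : trim($value);
}

// Constructed requests: a legitimate form only ever carries the id, never an address.
$requests = [
    ['to' => '2', 'subject' => 'Question about my order'],
    ['to' => 'someone@example.net', 'subject' => 'hi'],           // address instead of an id
    ['to' => '1', 'subject' => "hi\r\nBcc: someone@example.net"], // line break in a header value
    ['to' => '99', 'subject' => 'hi'],                            // id not in the list
];

foreach ($requests as $r) {
    $to = resolve_recipient($db, $r['to']);
    $subject = safe_header_value($r['subject']);
    if ($to === null || $subject === null) {
        echo "rejected\n";
        continue;
    }
    // A real form handler would pass $to and $subject to its mailer at this point.
    echo "would send to {$to}: {$subject}\n";
}
```

Only the first constructed request resolves to a stored address; the other three are rejected before any mail would be composed.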