Send Form Action

Anyone using this with Freeway 7?

I use Easyform (I think, I’m away from home until the weekend, so I can’t check.) is that the same thing?
Geoff

SendForm is built into Freeway 7 (and it may have landed before that, but it’s been a long time and I don’t recall the dates very well). It has a number of improvements over the older PHP Feedback Form Action, including a more modern coding style in its generated PHP helper that allows it to run under much newer versions of PHP without having to suppress warnings or errors. If you are building a new contact form from scratch, it should be pretty easy to apply, and it should work okay with fairly modern PHP versions. There’s a section in the built-in manual regarding its use.

However – and this is a big however – modern SPAM filtering techniques have evolved to the point where getting your mail delivered consistently if you are sending directly from some random shared hosting Web server is no longer a matter of being a good citizen and following the rules. The server you are using to send the mail needs to be “blessed” by your domain records and also not on any of the “real-time block lists” out there. If you are using a shared server, or even a virtual private server from a provider like DigitalOcean or Linode, the odds are good that the IP address of your server has been flagged by a previous user who was either hacked, or was actually up to no good. Once your IP address becomes entangled in this way, it becomes almost impossible for you to send mail to anyone with a Gmail or Outlook account, because your message is trapped as SPAM and never released.

The modern way to send mail is to use a service that specializes in what’s called “transactional messaging”, like SendGrid or Amazon’s SES. And that requires that your sending script on your site creates an authenticated connection to that service’s SMTP server. SendMail (and all the other Actions that preceded it) do not do that and can’t be made to do it the way they are written.

This is a very hard problem from the perspective of a “make it easy to configure in my static site” solution. As a long-time Action developer, I struggle to think how I could write something that would abstract away the genuinely hard work of establishing an account with one of these services, providing credentials in a way that would not get your account hacked (a real problem on a shared server), and then giving you the tools to figure out if it was working correctly.

If you use one of the many (paid) form hosting services out there that cater to the static site crowd, then your form will end up in an iframe on your Freeway page, which will work, but will take away a lot of the styling and layout control that you rely on Freeway to provide.

Walter

Yes, I’m trying but have problems with send form in Freeway 7

If you have a link to your attempt, I can take a look at what’s happening. In order to see the PHP code that Freeway (and the Action) is generating, you’ll need to post that somewhere like GitHub Gist or another “paste bin” service – by design, PHP code doesn’t leak out to the world when it is hosted by your Web server.

Look through your Site Folder, and find (perhaps in the Resources folder?) a file named similarly to your contact form’s html file but with a .php file-type extension. This will have been generated by the Action during publish, so it will only exist after you publish from within Freeway. Open that file with a plain-text editor like TextMate, BBEdit, or even the free TextEdit that comes with Mac OS. Copy all the text, open a new browser window to Gist or whatever paste service you prefer, and paste the code into that interface. Give it a name that ends in .php, and the syntax highlighting colors will even be correct!

Save that paste, then copy and paste the URL of the resulting page here. The beauty of this is that once I (or maybe Simon from Softpress) look at that code, you can take it down entirely, and it won’t hang around for study by the various bot-makers that specialize in trying to break into servers. Alternatively, if this all seems like too much effort, Softpress do accept file attachments at support (at sign) softpress (dot) com. I won’t be able to see it, but Simon will, and he wrote the current Send Form Action, so he will probably understand its output even better than I would.

Walter

I’ve more on forms in Freeway. My web host has emailed this message:

We’re writing to remind you that, as part of our commitment to providing a reliable and secure service, we will be retiring the following PHP versions from our hosting plans throughout July 2022:
PHP 5.3, 5.4, 5.5
PHP 7.0, 7.1, 7.2
You will need to update your PHP version to the highest version available. As a minimum, this will be either version 5.6 or 7.3.

I use a number of PHP easiForm actions on various websites, linking the pages from my Xway sites, and I really can’t afford to lose this facility. Is there a way of updating easiForm that doesn’t require coding etc? I don’t even know what version I’m using now!
Thanks
Geoff

I don’t have a good suggestion for you regarding EasiForm. The whole “Easi” suite was a commercial operation, which subsequently stopped trading. The developer and I had many discussions over the years (long ago) and while I tried to convince him that closed-source was a dead end in this area, and that he had a moral obligation to give back since he was using the open-source side of Actions coding for his own gain, he never agreed with me. And he eventually gave up supporting the products.

The code for these Actions was never released in public anywhere, as far as I know. You can try looking inside the Actions (which are just text files under the hood), but if they are encrypted, nobody except Softpress can decompile them. (You will be able to tell immediately if they are encrypted because while they will open in a text editor, like the free TextEdit that comes with Mac OS, there will not be a single human-readable word in the entire file. In contrast, regular Actions are written in a mixture of XML and JavaScript, which while it may not be comprehensible, is at least readable in the sense that it is made up out of words.)

If you want to avoid coding, you’re going to have to make a choice here.

On one side, you can use one of the many (paid and occasionally free) form handling systems that cater to “static” web sites. I’ve posted links to these here in the past. These will usually be very low-drama for you: paste a line of code in a markup item inserted into your page, and the entire form and its handler will spring into life. You lose all control over how that form looks visually, but if that’s not as important to you as getting the input from the form, then you should be done.

In the middle, you could design a form that sends to a Google Sheet. You’ll need to create the sheet, set it to public write, and then export the form to fill it from within Google’s interface. Once you have that, you will need to open it in a text editor, read through its code enough to figure out what the Action of the form needs to be (it will be some hideous long hash-like address in Google’s cloud somewhere) and what to name each of the form fields. Making those adjustments to a Freeway-designed form will be fairly simple, once you’ve read through the HTML Google gave you a few times, and un-crossed your eyes. It’s not exactly “not coding”, but it’s as close as I can get you for free.

On the other side, you may want to hire a programmer to write a form handler for you. If the look and feel of your forms is an important part of your brand, then this is what I would recommend.

Walter

That’s very useful info Walter, thanks for taking the time to explain it.
Geoff

You’re welcome. I left out one other option, and that is that Simon Manning might update the Send Form Action and release it separately from Freeway. The built-in Action in Freeway can be overridden by manually-installed Actions of the same name but a higher version number, so that’s not out of the realm of possibility. (@simonmanning if you’re following this, please let me know if that’s possible or not.) I haven’t tried to run the output of Send Form in PHP 8, so it may not need anything at all, but I can’t even try because I no longer have any Macs that will run Freeway.

But there is another issue with any such form handler, though, and that’s authentication through DKIM and other anti-SPAM measures. The way that this Action works (and the PHP Feedback Form before it) is that it sends the mail message directly from your Web server, through PHP and the sendmail SMTP service on (nearly) every Web server. Your hosting provider most likely uses a single server (with a single IP address) as the host for a very large number of domain names. It is exponentially harder to configure that server as authoritative for your domain (in the e-mail server sense) when it might also be sending mail for countless other domains as well.

Gmail and other big commercial mail hosts require that a sending server be authenticated as a “real” mail server for your domain before they will even begin to entertain their various Bayesian filters with your message and decide whether or not to forward it. Such authentication is not easy to get or maintain, and so the world of “mail servers that can send mail that other people don’t drop on the floor or flag as spam” has shrunk quite a lot.

When I build mail services for clients, I have them get an account at SendGrid and set up an API key there to authenticate the messages I will send from the application I’m building. SendGrid is in the business of sending mail, and they employ people whose only job it is to keep their servers off the various real-time-ban-lists out there. They actively police the uses that their customers put their network to, and kick anyone off who might be causing trouble. Your hosting provider very likely doesn’t work that hard – very few do.

When I configure a Ruby on Rails Web application to use SendGrid as its SMTP service, I add that API key to the configuration block, and that tells my server to send authenticated mail to SendGrid, who then forward it on from their squeaky-clean mail server to the actual addressees. Google and Yahoo and Outlook don’t bat an eye. The mail just goes through.

Like most things that have to do with computers, sending e-mail is more complex and confusing the closer you look at it. (Kind of like that old joke that begins “How long is the coastline of Wales?”)

Walter

Send Form won’t currently work with PHP 8. It’s on my list to deal with this in the near future, it’s a pretty minor change for a renamed constant - use one or the other depending on availability.

As the rest of your message points out, email is hard. For Discourse here, we use Mailgun in much the way you’ve described using SendGrid yourself and I have plans to move the main website away from sending emails directly from the server. (Via Mailgun with a different subdomain.)

That said, a lot of those concerns do somewhat go away in the context of Send Form and other contact forms. Since the goal is for visitors to be able to submit a form and have that delivered to a specific address, you know where your server will always be trying to send the emails and you have access to test whether it does so successfully.

It’s not without potential pitfalls but generally SPF soft fails, likely default if mail isn’t set up on the domain, will be allowed through as long as it’s not come from a blacklisted server.

Ha! I have a very old site, that I need to update for one little thing … I come here to see if I can find anything and top of the list is ‘Send Form Action’. Exactly what I’m looking for!

Send Form is working fine for me, but I need to add an ‘Agree Conditions’ checkbox or popup of some sort. Is there an Action that could do this for me? If not, can anyone give me some pointers about how I could add it to the page?

(As an aside … any way of protecting a Send Form address from spammers?)

Grant

(Hi Walter!! It’s been a few years… hope you’re well)

Hi Grant,

The latest version of the Send Form Action has a captcha option. We used this to cut down spam from the Softpress website and it seems to work pretty well. We still get a small amount of spam, but it’s less overwhelming:

Perhaps @waltd or @simonmanning can answer your other questions.

Hi Jeremy,

thanks for the reply.

I’m using the CAPTCHA vs, but I got a great demonstration today, of how ineffective it may be… I changed the email address for the form to a newly created unique address. Less than 5 minutes later a spam arrived. So I guess it was either by chance that they were trawling by at that time, or perhaps any change triggers their scraping (it’s a static site, in that, nothing changes).

There’s another angle to this problem. Sometimes what these scripted attacks will do is capture a copy of your form as it existed on a particular day or time, and then use that as the source of the repeating spam attack, rather than mindlessly filling out your form on your server using JavaScript or similar. If your form handler is sensitive to that sort of thing, it will reject it outright. (Rails-based forms use a cryptographic signature key that is different on each load of the form, and only works for a short period of time.) If your form handler is written to recognize which fields are in the form (the old PHP Feedback Form did this) then such an attack will not succeed if there are new fields required by your handler and the old copy of the form doesn’t contain them. It’s been a while since I looked through the source of the Send Form Action, so I can’t be sure if it would be prey to these sorts of memorization attacks or not, but if it was written in a generic manner (such that the handler would work with any form), it might be.

Walter
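
Added example, not part of the original post and not the Send Form Action's own code: one way a PHP handler can refuse a stale, captured copy of a form by issuing an HMAC-signed token that expires. It assumes the form page is itself served through PHP so the hidden field can be filled on every load; `FORM_SECRET`, the 15-minute lifetime, the `contact` form id and both function names are hypothetical.

```php
<?php
// Assumption: the secret is long, random and stored outside the web root.
const FORM_SECRET = 'replace-with-a-long-random-secret';
const TOKEN_TTL   = 900; // seconds a rendered copy of the form stays valid

// Called while rendering the page; the result goes into a hidden field.
// $formId must not contain '|', which is used as the field separator.
function issue_form_token(string $formId, ?int $now = null): string
{
    $issued = $now ?? time();
    $nonce  = bin2hex(random_bytes(8)); // makes every page load's token differ
    $body   = $formId . '|' . $issued . '|' . $nonce;
    return base64_encode($body . '|' . hash_hmac('sha256', $body, FORM_SECRET));
}

// Called by the handler before any mail is sent; returns a reason string.
function check_form_token(string $token, string $formId, ?int $now = null): string
{
    $now   = $now ?? time();
    $raw   = base64_decode($token, true);
    $parts = $raw === false ? [] : explode('|', $raw);
    if (count($parts) !== 4) {
        return 'malformed';
    }
    [$id, $issued, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$id|$issued|$nonce", FORM_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return 'bad-signature';
    }
    if ($id !== $formId) {
        return 'wrong-form';
    }
    if (!ctype_digit($issued) || (int)$issued > $now || $now - (int)$issued > TOKEN_TTL) {
        return 'expired';
    }
    return 'ok';
}

// Constructed demonstration: a fresh submission, the same copy replayed a
// day later, and a token forged without the secret.
$t0     = 1700000000;
$token  = issue_form_token('contact', $t0);
$forged = base64_encode("contact|$t0|00|" . str_repeat('0', 64));
echo check_form_token($token, 'contact', $t0 + 60), "\n";
echo check_form_token($token, 'contact', $t0 + 86400), "\n";
echo check_form_token($forged, 'contact', $t0), "\n";
```

The lifetime is the only replay limit here: a captured copy still works until it expires, and making a token single-use needs server-side storage of spent nonces.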

I’m using CAPTCHA, so from the reaction time, of changing the email address to receiving a new spam, I’d guess it’s not being done by an underpaid human-being. So I assume that the email address is legible (harvestable) in the html? Any way to hide it that can still work with Send Form?

Hi Grant,

What is the address of your form? Do you see an email address if you look at the HTML?

The way that these form handlers work (normally) the address they are sending to is NOT in the HTML of the page. It’s in the PHP, as a programming instruction, and those do not leak to the public unless something else has gone dreadfully wrong with your server.

If you did something clever, like a picking list of “Sales”, “Marketing”, “Tech Support” with actual e-mail addresses in there as the field values, then I could see this happening, but that doesn’t sound like you have done using the Action as documented.

Walter

We currently get around 3 to 6 spam messages a day through the Softpress contact form, but it was very much more than this before we added the captcha.

My assumption is that people are actually sitting there clicking on pictures of traffic lights (or whatever) in order to send an email that hardly anyone will ever see, and which will be instantly deleted by whoever does see it (mainly me). I’d guess they are paid in peanuts.

My guess too… just amazing that it was so quick after I changed the email to a new unique address. Literally less than 5 mins. (Long ago I switched to unique addresses for everything except work contacts. Apple seem to have cottoned on to the concept too :sunglasses::blush:).

Could they have an automated alert when a site changes an email address or when a page is edited??

I’ve searched the code in Safari but can’t find the address, which is now ‘contactus@’ + the domain.

This is on my wife’s website for her business.

Have you had much spam since then? I don’t see any email addresses (including obfuscated email addresses) in the HTML.