PHP Contact Script
Within a day of upgrading to Expression Engine I started getting spam on my contact email address. The reason for this is that, unlike in the old weblog, I’d put a live “mailto:” link in the “Contact” part of the page header. I could have used some Javascript to obfuscate the address to keep it from being harvested, but I’ve always resisted using Javascript when it could interfere with the site’s function if it is disabled. I know that the majority of web designers hate it when they can’t use Javascript, but I’ve been strongly affected by my company’s guidelines concerning Section 508 compliance for web sites (i.e. disabled access). One of the core rules is that you can’t use Javascript for “essential tasks” unless there is an alternate method for performing the task. If Javascript is disabled, the site should degrade gracefully. Accessibility is one reason why I’ve never enabled ‘CAPTCHAs’ for my comments section. It’s also why I despise websites that use Flash for their core pages. It’s OK for special content or presentations, but for basic site navigation and presentation it blows chunks (not only does it interfere with assistive technology, you can’t do freakin’ bookmarks). While I haven’t bothered to run the site through an accessibility scanner, I try to use valid XHTML in all of my posts as well as in the templates. But I digress . . .
While Expression Engine has a contact module, it seemed like a nice little diversionary programming task to write my own contact form. My requirements for the contact module:
- Must not reveal the email address on any part of the HTML that is generated for the form (to prevent spammers from harvesting the email).
- Must not accept an email address as a parameter (to prevent spammers from relaying through it).
- Must support invocation from multiple parts of my site with different destination addresses for each one (i.e. I have different contact addresses for my gun show listings than I do for my guns or my weblog).
Along the way, I also decided I wanted to be able to use it as a pop-up window and use CSS for formatting. Invoking it as a pop-up window involved a bit of Javascript, but it degrades well when Javascript is disabled and displays the form in the original browser window. As I was coding, I realized that it might be useful for other people to use on their sites, especially if they didn’t have Expression Engine. So I made sure that all configuration and customization fields were in a single file, which is separated from the code. In addition, all of the strings used to build the form are in arrays at the top of the code module, to make future enhancements for translation easier. The script is in use right now and you’ll see it if you click the “Contact” link in the header of any of my Expression Engine pages.
If anyone wants to use these scripts, they can be downloaded here:
- contact.tar.tz (Tarred, Gzipped)
- contact.zip (Zipped)
These scripts require PHP, but shouldn’t need any additional modules.
Installation
Note: If you only have FTP access to your server (my condolences), you’ll need to extract the archive on your system and then upload the files after making the changes I give below.
- Upload the files to your server and extract the archive/zip file to the directory where you’ll be running the script.
- Modify continfo.php as follows:
  - Modify “$contacts” to specify the public target name along with the email address associated with it. You can have as many targets as you like, although only one is accepted per invocation.
  - Modify “$base_url” to be the web accessible URL of the directory where the script will be invoked. It must end with a “/”. (Example: If the script will be at “http://www.yourdomain/your/directory/contact.php”, then you’d put “http://www.yourdomain/your/directory/” here).
  - (Optional) Modify “$page_title” to be the title you want to use for your contact page.
Invocation/Usage
When invoking the script, you must specify one of the targets you used in the “$contacts” array in continfo.php. This is done using CGI GET parameters. Using the example URL from the installation section, and assuming you created a target called “mycontact”, you’d invoke the script by calling “http://www.yourdomain/your/directory/contact.php?target=mycontact”.
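The target lookup described above, as an added example that is not the author’s contact.php: the “$contacts” array and the “target” parameter follow the post, while resolve_target(), build_message(), the form field names (name, email, message) and the placeholder addresses are assumptions. It shows why the two first requirements hold: the destination is chosen only from the server-side allowlist, and the address the visitor types is used for Reply-To only.

```php
<?php
// Added example, not the post's own script. $contacts and target= come from
// the post; the function and form field names below are assumptions.

// continfo.php-style allowlist: public target name => private address.
// The addresses are constructed placeholders.
$contacts = array(
    'mycontact' => 'weblog@example.com',
    'gunshows'  => 'shows@example.com',
);

// Resolve the public target name to a destination. Anything not in the
// allowlist is rejected; the request never carries an address itself.
function resolve_target(array $contacts, $target)
{
    if (!is_string($target) || !isset($contacts[$target])) {
        return null;
    }
    return $contacts[$target];
}

// Build the mail() arguments from the posted fields. The visitor's address
// goes into Reply-To only, never the recipient; FILTER_VALIDATE_EMAIL
// rejects line breaks, so it cannot smuggle additional headers, and the
// name is flattened to one line before it is used in the Subject header.
function build_message(array $contacts, array $post)
{
    $to = resolve_target($contacts, isset($post['target']) ? $post['target'] : '');
    if ($to === null) {
        return array('error' => 'Unknown contact target');
    }
    $from = isset($post['email']) ? trim($post['email']) : '';
    if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
        return array('error' => 'Invalid reply address');
    }
    $name = preg_replace('/[\r\n]+/', ' ', isset($post['name']) ? $post['name'] : '');
    $body = isset($post['message']) ? $post['message'] : '';
    if (trim($body) === '') {
        return array('error' => 'Empty message');
    }
    return array(
        'to'      => $to,
        'subject' => 'Contact form: ' . substr($name, 0, 80),
        'body'    => $body,
        'headers' => "Reply-To: $from\r\n",
    );
}

// Usage: $m = build_message($contacts, $_POST);
// if (!isset($m['error'])) mail($m['to'], $m['subject'], $m['body'], $m['headers']);
```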
The CSS and the HTML assume that they’ll be used in a 600×600 pop-up window. To invoke them in a pop-up, you’ll need to use some Javascript on the invocation (if Javascript is disabled in the browser, the pop-up code is ignored and the script opens in the current window). Here’s a sample:
<a href="http://www.yourdomain/your/directory/contact.php?target=mycontact" onclick="OpenContactForm(this.href); return false">Contact</a>
You’ll also need the Javascript function “OpenContactForm”:
// Opens the contact form URL in a 600x600 pop-up. The onclick handler above
// returns false so the link itself is not followed; with Javascript disabled
// the handler never runs and the href opens in the current window instead.
function OpenContactForm(c)
{
window.open(c,
'contact',
'width=600,height=600,scrollbars=yes,status=yes');
}
Further customization
You can customize the colors and page formatting by editing ‘contact.css’. The text that is displayed on the form is all contained in arrays at the beginning of ‘contact.php’. You can rename ‘contact.php’ to anything you like. You can also rename ‘contact.css’, but you’ll need to edit ‘continfo.php’ to tell the script the new name of the CSS file.
Warning
This code is released ‘as-is’, so you use it at your own risk. This script doesn’t use any kind of user token, so it is vulnerable to a DoS attack if someone took the time to understand the parameters in the form and write another script to post the form over and over. The attacker could not cause the script to send email to arbitrary addresses (without cracking the server, but you might have bigger problems if that happened). Instead, the attacker would end up flooding the inbox for the selected target address. The Expression Engine contact module uses a form of user token (in fact, all of their modules that generate forms have this built-in), so you’re better off using the EE module if you have that. This script isn’t likely to be modified to fix this problem, since it would require a database to fix it right, and I didn’t want to make this script any more complicated than it is.