Sending mail via your hosting company's mail script

Sending via provider's mail

This has long been a tough - or almost impossible - thing for two reasons:

Macromedia's security policy does not allow you to send to a "foreign" server, i.e. one whose url looks different from yours.
Now, if you do not have your own scripts, this could be something like
- www.yoursite.com/movie.swf for the movie and www.yoursite.com/cgi-sys/mail.cgi
- www.yoursite.com/movie.swf for the movie and www.provider.com/cgi-sys/mail.cgi
- www.yoursite.com/movie.swf for the movie and www.provider.com/yoursite/cgi-sys/mail.cgi
In either case the cgi file would be out of your reach and still on the same physical server, however sending would only be possible in the first case.
In the age of spam, hosting companies do not want that their mail scripts can be used by third parties to send spam. Since the mail might be attributed to you, you might not like that yourself, either.
One way to add miminal spam protection is to require that the from data sent from the movie to the script have a valid referrer (i.e. the referrer domain name must be a domain hosted by that server) - this system is used by the common Formmail.
Some ranting: real spammers probably would not create their own html form with an extra "recipient" field and fill in ten thousands of addresses manually - and if they are using a script to feed some innocent formmail, it is quite easy to fake the referrer as well.
The system does however prevent html-savvy users from creating a mailform that uses some hosting company's mailserver
Unfortunately Ineternet Explorer does not send a referrer with requests from the flash player at all - other browsers do
The other approach (and the recommended one if you can use your own scripts) does not send the recipient along with the request data but hardcodes it into the script
Either approach would normally require that data are sent to the script via the POST method ... and have valid reasons to do so.

Now, to overcome both difficulties, it should be a html page that sends to the mail script rather than the flash movie. In order to use POST method, it specifically should be a html form.

Here is sample html code and matching actionscript - read here for details about the code:
HTML form

<title>My example website</title>
<script>
//
// this code copyright Musicman
// license: GPL
// to read the gory details, visit www.fsf.org/copyleft
//
// copy this code as is
function myunescape(inp)
{	var n, c;
	var out = '';
	for(n = 0 ; n < inp.length ; )
	{	c = inp.charAt(n);
		if(c == '_')
		{	out += unescape('%'+inp.substr(n+1, 2));
			n += 3;
		}
		else
		{	out += c;
			n++;
		}
	}
	return out;
}
// adjust this code to reflect all the data fields in your movie
function sendit(name, mail, subj, mess)
{	document.forms.sendit.realname.value = myunescape(name);
	document.forms.sendit.email.value = myunescape(mail);
	document.forms.sendit.subject.value = myunescape(subj);
	document.forms.sendit.Message.value = myunescape(mess);
	document.forms.sendit.submit();
	return false;
}
</script>
<body bgcolor=white>
<form name=sendit method=post action="http://www.wallflowerproducts.com/cgi-sys/FormMail.cgi" target=_blank>
<input type=hidden name=recipient value="girls@wallflowerproducts.com">
<input type=hidden name=realname value="">
<input type=hidden name=email value="">
<input type=hidden name=subject value="">
<input type=hidden name=Message value="">
</form>
<embed src="form.swf" width=600 height=400>

the actionscripts
place this code into frame 1 of your movie (if you are using a movieclip or layer for the contact form), place it there:

a = ord('a'); z = ord('z'); aa = ord('A'); zz = ord('Z');
dig0 = ord('0'); dig9 = ord('9');
function myescape(inp)
{	var out = '';
	var ch, cod;
	var hexc = '0123456789abcdef';
	for(var n = 0 ; n < inp.length ; n++)
	{	ch = inp.charAt(n);
		cod = ord(ch);
		if((cod >= a && cod <= z) || (cod >= aa && cod <= zz) || (cod >= dig0 && cod <= dig9))
			out += ch;
		else
			out += '_' + hexc.charAt((cod >> 4) & 15) + hexc.charAt(cod & 15);
	}
	return out;
}
stop();

place this code on your send button - adjust according to your data fields:

on(release) {
	getURL('javascript:sendit("'+myescape(realname)+'","'+myescape(email)+'","'+myescape(subject)+'","'+myescape(Message)+'"); void(0)');
}

Of course, if the send button is in a different clip as the form fields, make sure to use proper paths.

Datails:

This code is opening a new browser window, as big as the current one. If you do not want that, you can either

send the output to a specific window:
```
win = window.open('', 'xyz', 'width=400,height=200');
setTimeout('document.sendit.submit()', 1000);
```
This will delay sending two seconds after the new window is created. Use 'xyz' as the form's target.
send the output to a small (rows=0 or similar) frame

For testing proper targetting, replace the button code by something like

on(release) {
	getURL('javascript:alert("'+myescape(realname)+'"); void(0)');
}

or even

on(release) {
	getURL('javascript:alert("'+realname+'"); void(0)');
}

if the second one shows a result, but the first one fails, myescape was not found. If either does not sho a result, the textbox was not found.

How does it work - what is myescape()?

Consider this button script (simplified from the above one):

on(release) {
	getURL('javascript:sendit("'+realname+'","'+email+'","'+subject+'","'+Message+'"); void(0)');
}

This actually constructs a short program like

sendit("john foo","foo@foomail.com","test","this is a multi-line
test message")

and sends it to the browser. Quite obviously, the browser will not like the line break here - if you see a message, the browser will complain about an incomplete string or such.
Similarly, it would not like quotes within your message, as the also mess up the program

Next attempt - using the builtin escape() and unescape() functions. The new "program" sent to the browser would read:

sendit("john foo","foo@foomail.com","test","this is a multi-line%0Dtest message")

Now, one browser actually passes the string with the %0D part to the script, and the script faithfully decodes it. Other browsers decode the %0D while reading the program text, and again see a broken line.

Final solution: myescape does exactly the same thing as escape but uses the underline instead of the percent sign to denote escaped codes, and consequently myunescape turns them back.

Please feel free to report any problems, e.g. if you find out that browser x on os y with flash player version z does truncate messages longer than 10000 characters.