AS3Mailer – Send email from Flash!
Posted 7 June 2011 by Matan Uberstein
AS3Mailer is an open source library that allows you to easily send emails from Flash using a server script or a mailto link. Some of you might remember me posting this a while back and then quickly removing it. Well, yes, I did do that; the reason being that it needed more security. The new security implementation will prevent anyone from using your mail script, while only requiring minimal “work” from you. Let’s jump in:
Current Server Implementations:
Public API:
On construction of an AS3Mailer instance you can pass two parameters:
- secretWord – Used for security, see security section below.
- scriptURL – URL to your script location.
Note: If scriptURL is not set, AS3Mailer will invoke a mailto link instead of calling a server path. This mailto link will include all the values you passed or set.
The following public variables are available:
- from – The sender’s email address.
- subject
- message – messageURL will be ignored if message is set.
- messageURL – Flash or server loads the message body before sending email or invoking mailto link.
- mimeVersion – Default is “1.0”.
- type – “text/html” or “text/plain”. These are available as public static constants e.g. AS3Mailer.TEXT_HTML.
- charset – Default is “utf-8”.
- scriptURL – Can be set via public property or constructor.
The following public functions are available:
- setFrom(address : String, name : String = null) : void – Sets the from address, but nicely formatted e.g. “Name <name@domain.com>”.
- addRecipient(address : String, name : String = null, type : String = “to”) : int – Adds an email recipient using the same nice formatting of the address as the from address; you can also choose which “recipient list” you want to add it to. Your options are: “to”, “cc” and “bcc”. These are also available as public static constants. This function returns an integer, which is the index of the recipient in its respective list, useful if you intend to remove recipients later.
- removeRecipientAt(index : int, type : String = “to”) : String – Remove and return a recipient at a specific index.
- clearRecipients(type : String = “all”) : void – Clears an entire list of recipients or all recipients lists. Parameter options are the same as adding, but with the addition of “all”.
- send(from : String = null, to : String = null, subject : String = null, message : String = null) : void – Does exactly what it says, parameter values passed here will overwrite any set directly with their corresponding public variables.
- getFullAddress(address : String, name : String = null, braces : String = “<>”) : String – Helper function, just returns a nicely formatted email address.
- isValidEmail(address : String) : Boolean – Helper function, validates an email address. Note: AS3Mailer does not validate any address passed to it; you need to validate beforehand.
- getRecipientList(type : String) : Array – Returns the Array containing added recipients. Options are the same as when adding. Note: Modifying the Array will affect AS3Mailer.
Security System:
I’ve put together quite a simple little system, but this will stop spam bots from using your script maliciously. Parts of the information passed to the server and your secretWord are added together in a certain way, then SHA1’d and added to the request. The server script then does exactly the same and compares the two: if they match, the request is validated and continues; if not, the request is aborted. In this manner there is no need to protect your script behind an htaccess file or anything of the like, but if you want to make doubly sure, go for it.
Once you’ve downloaded the distribution bundle, modify your server script by replacing the place-holder “%%--REPLACE_SECRET_WORD--%%” with your own secretWord. (PHP taken as an example as there are no other implementations yet!)
function securityCheck() {
    // getValue() is the script's own request-reading helper (assumed to be defined elsewhere in mail.php)
    $firstToSplit = explode(",", getValue('to'));      // only the first recipient is used
    $toSplit = explode("@", $firstToSplit[0]);         // [local part, domain]
    if (count($toSplit) < 2) {
        return false;                                  // no "@" in the address: reject instead of hitting an undefined index
    }
    $firstHalf = strtolower(strrev($toSplit[1]));      // domain, reversed and lower-cased
    $secondHalf = strtoupper($toSplit[0]);             // local part, upper-cased
    $saltedKey = $firstHalf . "%%--REPLACE_SECRET_WORD--%%" . $secondHalf;
    $generatedDigest = sha1($saltedKey);
    return (isset($_REQUEST['digest']) && $_REQUEST['digest'] === $generatedDigest); // strict string comparison
}
Once you’ve done this you are ready to move back to AS3 (yay!). When you construct an instance of AS3Mailer, make sure to pass in your secret word so that it matches the PHP one exactly. Also, do not expose your secret word in any way, e.g. by loading a config XML file containing it (or any other external file) or via flashvars – right out! Don’t do it! Rather “hard code” it into the Flash; then the only way someone can get the secret word is by hacking your server or decompiling your Flash. But really, who is going to go through all that trouble just for a mailing script?
var mailer : AS3Mailer = new AS3Mailer("%%--REPLACE_SECRET_WORD--%%", "http://somedomain.com/mail.php");
If you intend to upload now, don’t! Read the next part first. We’re done with the PHP side of things after that, promise!
Locking Values on the Server:
Part of the security system is the ability to “lock” values. What I mean by locking is that the server script ignores values from the request and uses the manually set ones instead. Open the PHP file again and scroll down to this part:
$LOCKED = array();
//$LOCKED['from'] = "";
//$LOCKED['to'] = "";
//$LOCKED['subject'] = "";
//$LOCKED['type'] = "";
//$LOCKED['mimeVersion'] = "";
//$LOCKED['cc'] = "";
//$LOCKED['bcc'] = "";
//$LOCKED['charset'] = "";
//$LOCKED['message'] = "";
//$LOCKED['messageURL'] = "";
This is how it looks by default; all you need to do is uncomment the parameter you want to lock and set its value. The script will then ignore the matching parameter coming from the request. For the example running on this page, I’ve locked the ‘from’ and ‘messageURL’ parameters.
The parameters ‘to’, ‘cc’ and ‘bcc’ are formatted in the same way the flash formats it. E.g.
$LOCKED['to'] = "Someone <someone@somewhere.com>, Any Body <anybody@anywhere.com>";
$LOCKED['cc'] = "copyme@thirdwheel.com";
Note: comma-separated email addresses, with or without the nice formatting.
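To make the digest scheme and the locking behaviour concrete, here is an added example (my own Python mirror, not AS3Mailer’s code) of the same salting and SHA1 check as the PHP securityCheck() above, plus the $LOCKED override. The function names (salted_key, security_check, apply_locks, build_client_request) and the request field names are assumptions; it shows that the digest only binds the first ‘to’ recipient, which is exactly why locking the message is advised below.

```python
import hashlib
import hmac

def salted_key(secret, to_value):
    """Mirror of the PHP securityCheck() salting: take the first 'to' recipient,
    split on '@', then domain reversed + lower-cased, secret, local part upper-cased.
    The raw value is used as sent, so "Name <addr>" formatting ends up in the key too."""
    first_recipient = to_value.split(",")[0]
    parts = first_recipient.split("@")
    if len(parts) < 2:
        return None  # no '@': PHP would hit an undefined index here; treat as invalid
    local_part, domain = parts[0], parts[1]
    return domain[::-1].lower() + secret + local_part.upper()

def compute_digest(secret, to_value):
    """Hex SHA1 of the salted key, as both the Flash side and the server compute it."""
    key = salted_key(secret, to_value)
    return None if key is None else hashlib.sha1(key.encode("utf-8")).hexdigest()

def security_check(secret, request):
    """Server side: recompute the digest from the request's 'to' and compare it
    in constant time with the 'digest' field the client sent."""
    expected = compute_digest(secret, request.get("to", ""))
    supplied = request.get("digest", "")
    if expected is None or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)

def apply_locks(request, locked):
    """Locked values win over whatever the request carried, like the $LOCKED array."""
    merged = dict(request)
    merged.update(locked)
    return merged

def build_client_request(secret, to_value, subject, message):
    """Constructed stand-in for what the Flash side posts (field names assumed)."""
    return {"to": to_value, "subject": subject, "message": message,
            "digest": compute_digest(secret, to_value)}
```

Note that a request whose subject or message was altered but whose ‘to’ value was left alone still passes the check, because only the first recipient is covered by the digest.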
Security Precautions:
If you are using your server to send emails, it is highly advised to lock the message and/or messageURL, as this will prevent spam bots from injecting their own message into your script. That is, in case they manage to get hold of your secret word.
Sample Usage:
Upload to your server and continue with your AS3 sweetness!
This sends an email without passing any parameters through the send function and loads the message body from an external HTML page. Note: the server loads the HTML page, so the client computer doesn’t need to.
var mailer : AS3Mailer = new AS3Mailer("SECRET_WORD", "http://somedomain.com/mail.php");
mailer.setFrom("no-reply@doesflash.com", "Does Flash?");
mailer.addRecipient("some@dude.com", "Some Dude");
mailer.addRecipient("other@dude.com", "Other Dude", AS3Mailer.CC);
mailer.subject = "Test Mail using AS3Mailer";
mailer.messageURL = "http://somedomain.com/static-mail-example.html?";
mailer.send();
This sends an email by passing all values through the send function, including the message body.
var mailer : AS3Mailer = new AS3Mailer("SECRET_WORD", "http://somedomain.com/mail.php");
mailer.send("from@somewhere.com", "to@somewhere.com", "Dear Mr. To", "Hello Mr. To, how are you?");
This will invoke a mailto link as no scriptURL is specified.
var mailer : AS3Mailer = new AS3Mailer();
mailer.send("from@somewhere.com", "to@somewhere.com", "Dear Mr. To", "Hello Mr. To, how are you?");
Sample Application:
This was built with Flex 4.1 using FDT4. Source to this file is included in the distribution bundle, in fact everything is there.
Update: Script has been removed due to lots of people simply pressing send on the test email address.
Conclusion:
Hope you enjoy using AS3Mailer! Here are some useful links:
- Github repository – Fork it!
- Distribution bundle
- ASDocs
As always, feel free to express your concerns or anything related! Thanks for reading!