Another Mail Post

actionAction
January 22nd, 2008, 12:02 AM
Sorry to post another mail question, but...here it is.

The "All-Too-Familiar" Statement: "I am having problems sending mail with PHP!" More specifically, I am getting two emails, both from "Nobody"; the first contains my headers, the second contains my HTML mail, with <body>, <html>, etc. totally visible.

Scenario:
I have a series of forms that create a bid estimate based on user input (obviously). The forms use POST variables through 3 pages, at the end, I take all of the input items, add some, multiply others and mail it to the site owner and the form-filler-outer. Here is my code:

<?php
//POST VARIABLES
$recip = $_POST["recip"];
$company = $_POST["CompanyName"];
$contact_name = $_POST["ContactName"];
$phone = $_POST["Phone"];
$email = $_POST["Email"];
$NoH = $_POST["NumHoods"];
$app[] = $_POST["Apps"];
$app_total = $_POST["AppTotal"];
$total = $_POST["Total"];
$story = $_POST["StoryCost"];
$fan_cost = $_POST["FanCost"];
$hood_cost = $_POST["HoodCost"];

$to = $email;
$to_full = $contact_name;
$from = "notmyrealemail@sample.com";
$from_full = "Business Formal Title";
$subject = "Your Requested Estimate";
ob_start();
?>

To: <?php echo($to_full); ?> <<?php echo($to); ?>>
From: <?php echo($from_full); ?> <<?php echo($from); ?>>
MIMI-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<?php
$headers = ob_get_clean();
ob_start();
?>

<html>
<body>
<?php

echo "Custom Estimate For: ".$company;
echo "Estimate Total = $".$total;
echo "Appliances\n";
if(sizeof($appliances) == 0)
{
echo "No appliances listed";
}
else
{
foreach($appliances as $app)
{
echo "Appliance --".$app."\n";
}
}
echo "Number of Hoods: ".$NoH."\n";
echo "Thank you for your interest in This Fabulous Company\n";
echo 'Copyright &copy; 2007 <a href="http://www.notarealdomain.com/">Super Awesome Company</a>\n';

?>
</body>
</html>


<?php

$msg = ob_get_clean();

$ok = @mail( $to, $subject, $msg, $headers );

echo $ok ? "Mail Sent\n" : "Mail failed\n";
mail($to,$subject,$message,$headers);

ob_end_flush();

Any help would be GREATLY appreciated. Thanks!

_aA

zemm
January 22nd, 2008, 12:39 AM
Two calls to mail():

$ok = @mail( $to, $subject, $msg, $headers );

echo $ok ? "Mail Sent\n" : "Mail failed\n";
mail($to,$subject,$message,$headers);

Also be careful of spammers being able to hijack the script. If any of the post variables destined for the headers contain a newline then you should reject the input.

And to set the from address you may need a 5th parameter "-fyouremail@yourdomain.com" if using sendmail.

actionAction
January 22nd, 2008, 12:56 AM
Thanks for your response zemm, I appreciate it.


Two calls to mail():

DUH!!! I am an idiot (or I have been staring at this script for too long!). I took the second call out. Here is the email I receive though (all of this is visible in Outlook):

To: Contact Person <fake@sample.com>
From: Reputable Business <fake@sample.com>
MIMI-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"\n
Content-Transfer-Encoding: 7bit

<html>
<body>
Custom Estimate For: Fake CompanyEstimate Total = $1010Appliances: <br />
No Appliances Listed<br /> Number of Hoods:
Thank you for your interest in This Awesome Company &copy; 2007 <a href="http://www.fakewebsite.com/">Reputable Company</a>\n</body> </html>


If any of the post variables destined for the headers contain a newline then you should reject the input.

Could you elaborate a little here.


And to set the from address you may need a 5th parameter "-fyouremail@yourdomain.com" if using sendmail.

Where would that parameter go (beginning, middle, end...)?

Thank you again!

_action

zemm
January 22nd, 2008, 01:26 AM
Could you elaborate a little here.

The script as it is currently is susceptible to header injection attacks. The way mail works is Headers (each header separated by a single new line), then a blank line, then the message. If someone inserted their own newline in the "Email" POST variable (or one of the others) they can then insert their own headers (eg to mail to other people) and even their own content (eg for their spamming words/URLs).

See http://www.securephpwiki.com/index.php/Email_Injection#What.27s_the_point_of_injecting_email_headers_.3F for some information on this issue.


Where would that parameter go (beginning, middle, end...)?

It's the 5th parameter (last). See the PHP manual. http://php.net/manual/en/function.mail.php

This is really only necessary if the From is overwritten by the MTA on the webserver. (eg my dev box always sends emails from PHP "From" "apache@devbox" even after setting everything (ssmtp) but our production website is hosted on mediatemple and it works properly)


After all that, HTML email is almost impossible to do well as Outlook (or more accurately Word) completely stuffs up the rendering standard HTML/CSS. For simple email outs like this I tend to just use plain text (Outlook sometimes stuffs them too though).
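The following is an added example, not code from the thread or from any project it mentions. It rebuilds the estimate mailer along the lines zemm's replies suggest: every POST value that ends up in a header is rejected if it contains a line break, the header block starts directly with the first header (the original's blank line after ob_start() is what pushed the headers into the body), MIME-Version is spelled correctly, user text is escaped before it goes into the HTML, and the sendmail "-f" option is passed as the fifth mail() argument. The function names, the assumed PHP 7+ runtime and the two sample submissions are this example's own.

```php
<?php
// Added example (not the thread's code). Assumes PHP 7 or later and the
// same $_POST field names the original script reads.

function header_safe(string $value, string $field): string
{
    // A header is exactly one line. A CR or LF inside a value would end the
    // header early and let the submitter append headers of their own choosing,
    // which is the header injection zemm describes.
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException("$field rejected: contains a line break");
    }
    return trim($value);
}

function email_safe(string $email): string
{
    $email = header_safe($email, 'Email');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Email rejected: not a valid address');
    }
    return $email;
}

function build_headers(string $fromName, string $fromEmail): string
{
    // mail() writes the To: line itself from its first argument, so only the
    // additional headers belong here. Nothing precedes the first header: a
    // blank line terminates the header block, which is why the ob_start()
    // version in the thread showed its headers inside the message body.
    $lines = [
        'From: ' . header_safe($fromName, 'From name') . ' <' . email_safe($fromEmail) . '>',
        'MIME-Version: 1.0',   // the original had the typo "MIMI-Version"
        'Content-Type: text/html; charset="iso-8859-1"',
        'Content-Transfer-Encoding: 7bit',
    ];
    return implode("\r\n", $lines);
}

function esc(string $text): string
{
    // User-supplied text must be escaped before it is placed in HTML.
    return htmlspecialchars($text, ENT_QUOTES, 'ISO-8859-1');
}

function build_body(array $post): string
{
    $apps  = isset($post['Apps']) && is_array($post['Apps']) ? $post['Apps'] : [];
    $html  = "<html><body>\n";
    $html .= '<p>Custom Estimate For: ' . esc($post['CompanyName'] ?? '') . "</p>\n";
    $html .= '<p>Estimate Total = $' . esc((string) ($post['Total'] ?? '0')) . "</p>\n";
    $html .= "<p>Appliances</p>\n";
    if (count($apps) === 0) {
        $html .= "<p>No appliances listed</p>\n";
    } else {
        $html .= "<ul>\n";
        foreach ($apps as $app) {
            $html .= '<li>' . esc((string) $app) . "</li>\n";
        }
        $html .= "</ul>\n";
    }
    $html .= '<p>Number of Hoods: ' . esc((string) ($post['NumHoods'] ?? '')) . "</p>\n";
    $html .= "</body></html>\n";
    return $html;
}

function send_estimate(array $post, string $fromName, string $fromEmail, bool $send = false): array
{
    $to      = email_safe($post['Email'] ?? '');
    $subject = 'Your Requested Estimate';   // fixed string, never user input
    $headers = build_headers($fromName, $fromEmail);
    $body    = build_body($post);
    // Fifth argument: envelope sender for sendmail-style MTAs (zemm's "-f"),
    // only needed where the MTA overwrites the From header.
    $sent = $send ? mail($to, $subject, $body, $headers, '-f' . $fromEmail) : null;
    return ['to' => $to, 'headers' => $headers, 'body' => $body, 'sent' => $sent];
}

// Constructed sample submissions (not real data).
$clean = ['Email' => 'contact@example.com', 'CompanyName' => 'Example Co',
          'Total' => '1010', 'NumHoods' => '2', 'Apps' => ['Fryer', 'Grill']];
$forged = $clean;
$forged['Email'] = "contact@example.com\r\nX-Injected: yes";   // a value carrying a smuggled header line

$result = send_estimate($clean, 'Business Formal Title', 'estimates@example.com');
echo $result['headers'], "\n\n", $result['body'];

try {
    send_estimate($forged, 'Business Formal Title', 'estimates@example.com');
} catch (InvalidArgumentException $e) {
    echo 'Blocked: ', $e->getMessage(), "\n";
}
```

Run with `$send = true` to actually hand the message to mail(); with the default it only builds and returns the pieces, so you can inspect the exact header block and body before anything leaves the server. Keeping the subject a fixed string and routing every user-controlled header value through header_safe() is what closes the injection path; the HTML escaping is a separate concern (the estimate recipient's mail client), but the same inputs feed both, so they are validated in one place.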