


Thread: Another Mail Post

  1. #1
    actionAction's Avatar
    1,142
    posts
    humanBeing._beard=true;

    Another Mail Post

    Sorry to post another mail question, but...here it is.

    The "All-Too-Familiar" Statement: "I am having problems sending mail with PHP!" More specifically, I am getting two emails, both from "Nobody", the first contains my headers, the second contains my HTML mail, with <body>, <html>, etc, totally visible.

    Scenario:
    I have a series of forms that create a bid estimate based on user input (obviously). The forms use POST variables through 3 pages, at the end, I take all of the input items, add some, multiply others and mail it to the site owner and the form-filler-outer. Here is my code:
    PHP Code:
    <?php
    //POST VARIABLES
    $recip = $_POST["recip"];
    $company = $_POST["CompanyName"];
    $contact_name = $_POST["ContactName"];
    $phone = $_POST["Phone"];
    $email = $_POST["Email"];
    $NoH = $_POST["NumHoods"];
    $app[] = $_POST["Apps"];
    $app_total = $_POST["AppTotal"];
    $total = $_POST["Total"];
    $story = $_POST["StoryCost"];
    $fan_cost = $_POST["FanCost"];
    $hood_cost = $_POST["HoodCost"];

    $to = $email;
    $to_full = $contact_name;
    $from = "notmyrealemail@sample.com";
    $from_full = "Business Formal Title";
    $subject = "Your Requested Estimate";
    ob_start();
    ?>

    To: <?php echo($to_full); ?> <<?php echo($to); ?>>
    From: <?php echo($from_full); ?> <<?php echo($from); ?>>
    MIMI-Version: 1.0
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
                  
    <?php
    $headers = ob_get_clean();
    ob_start();
    ?>

    <html>
    <body>      
    <?php

    echo "Custom Estimate For: ".$company;
    echo "Estimate Total = $".$total;
    echo "Appliances\n";
    if(sizeof($appliances) == 0)
    {
        echo "No appliances listed";
    }
    else
    {
        foreach($appliances as $app)
        {
            echo "Appliance --".$app."\n";
        }
    }
    echo "Number of Hoods: ".$NoH."\n";
    echo "Thank you for your interest in This Fabulous Company\n";
    echo 'Copyright &copy; 2007 <a href="http://www.notarealdomain.com/">Super Awesome Company</a>\n';

    ?>
    </body>
    </html>


    <?php

    $msg = ob_get_clean();

    $ok = @mail( $to, $subject, $msg, $headers );

    echo $ok ? "Mail Sent\n" : "Mail failed\n";
    mail($to,$subject,$message,$headers);

    ob_end_flush();
    Any help would be GREATLY appreciated. Thanks!

    _aA

  2. #2
    10
    posts
    Registered User
    Two calls to mail():

    $ok = @mail( $to, $subject, $msg, $headers );

    echo $ok ? "Mail Sent\n" : "Mail failed\n";
    mail($to,$subject,$message,$headers);

    Also be careful of spammers being able to hijack the script. If any of the post variables destined for the headers contain a newline then you should reject the input.

    And to set the from address you may need a 5th parameter "-fyouremail@yourdomain.com" if using sendmail.

  3. #3
    actionAction's Avatar
    1,142
    posts
    humanBeing._beard=true;
    Thanks for your response zemm, I appreciate it.

    Quote Originally Posted by zemm View Post
    Two calls to mail():
    DUH!!! I am an idiot (or I have been staring at this script for too long!). I took the second call out. Here is the email I receive though (all of this is visible in Outlook):
    To: Contact Person <fake@sample.com>
    From: Reputable Business <fake@sample.com>
    MIMI-Version: 1.0
    Content-Type: text/html; charset="iso-8859-1"\n
    Content-Transfer-Encoding: 7bit

    <html>
    <body>
    Custom Estimate For: Fake CompanyEstimate Total = $1010Appliances: <br />
    No Appliances Listed<br /> Number of Hoods:
    Thank you for your interest in This Awesome Company &copy; 2007 <a href="http://www.fakewebsite.com/">Reputable Company</a>\n</body> </html>
    Quote Originally Posted by zemm
    If any of the post variables destined for the headers contain a newline then you should reject the input.
    Could you elaborate a little here.

    Quote Originally Posted by zemm
    And to set the from address you may need a 5th parameter "-fyouremail@yourdomain.com" if using sendmail.
    Where would that parameter go (beginning, middle, end...)?

    Thank you again!

    _action

  4. #4
    10
    posts
    Registered User
    Quote Originally Posted by actionAction View Post
    Could you elaborate a little here.
    The script as it is currently is susceptible to header injection attacks. The way mail works is Headers (each header separated by a single new line), then a blank line, then the message. If someone inserted their own newline in the "Email" POST variable (or one of the others) they can then insert their own headers (eg to mail to other people) and even their own content (eg for their spamming words/URLs).

    See http://www.securephpwiki.com/index.p...il_headers_.3F for some information on this issue.

    Quote Originally Posted by actionAction View Post
    Where would that parameter go (beginning, middle, end...)?
    It's the 5th parameter (last). See the PHP manual. http://php.net/manual/en/function.mail.php

    This is really only necessary if the From is overwritten by the MTA on the webserver. (eg my dev box always sends emails from PHP "From" "apache@devbox" even after setting everything (ssmtp) but our production website is hosted on mediatemple and it works properly)


    After all that, HTML email is almost impossible to do well as Outlook (or more accurately Word) completely stuffs up the rendering of standard HTML/CSS. For simple email outs like this I tend to just use plain text (Outlook sometimes stuffs them too though).
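
The newline check described in the last reply, as an added example that is not part of the original thread: every value bound for a header is refused if it contains a line break, and the headers are built without user input in them. The function names (header_value, header_email, build_headers) and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the thread's code; function names are hypothetical.
// Refuse any header-bound value that contains CR, LF or NUL.
function header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

// Line-break check first, then address syntax.
function header_email(string $value): string
{
    $value = header_value($value);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $value;
}

// Extra headers for mail(): CRLF between lines, nothing before the first one.
function build_headers(string $fromName, string $fromEmail): string
{
    // Drop characters that would need quoting inside a display name.
    $name = str_replace(['"', '\\', '<', '>'], '', header_value($fromName));
    return implode("\r\n", [
        'From: "' . $name . '" <' . header_email($fromEmail) . '>',
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset="iso-8859-1"',
        'Content-Transfer-Encoding: 7bit',
    ]);
}

// Constructed values standing in for $_POST["Email"].
$samples = [
    "customer@example.com",
    "customer@example.com\r\nBcc: someone-else@example.com",
];
$headers = build_headers('Business Formal Title', 'notmyrealemail@sample.com');
foreach ($samples as $email) {
    try {
        $to = header_email($email);
        echo "accepted: $to\n";
        // Send here: mail($to, $subject, $msg, $headers, '-fnotmyrealemail@sample.com');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```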
