mail from php page

I have a php page that has been working fine emailing its contents.

We have just noticed it is no longer sending email. Or I should say we are not receiving the emails we should.

Has this functionality been stopped from php pages lately? Maybe a change of php version?

The line is:
mail ("[email protected]",$_POST['subject'],$htmlbody1.$htmlbody2.$htmlbody3,$dscheaders)

Mike.
 
We have upgraded to php 4.4.4 on some servers to prevent some bugs that allowed defacing of some sites. However, that should still function; can you PM me the username?
 
If you're mailing to addresses outside of the JodoHost environment, you're probably going to have to implement SMTP Authentication, which the standard mail() function does not support. For the cases where I've needed to do so, I've turned to the phpMailer class. If you're mailing to a local address (not necessarily w/in the same domain, just w/in the JodoHost environment) the standard mail() function should still work.

Tim
 
mail ("[email protected]",$_POST['subject'],$htmlbody1.$htmlbody2.$htmlbody3,$dscheaders)

I don't want to sound like the code police but a word of warning about something that got me into trouble at another host.

If your $dscheaders variable is dependent on user input then make sure you're not open to a header injection attack. A common thing is to create a "From:" header using the extra headers parameter of mail(). One of my clients did that and spammers started using his script. More info here. The main thing is to filter any newlines going into that variable.

Cheers from another Kiwi
Ross
 
Aha, I actually did not realize that. I have recently installed a php header check to stop spam injections that are happening on every server (wincf in major ways; see the server status forums). Without them we get spam complaints on a near per-minute basis because of insecure forms. We did not do anything to disable mail, just invalid headers/forged headers (basically they were able to use the form to CC 100's of addresses).
 
I have $membername, a field filled from a textbox. Same for memberemail, filled from a textbox.

The header is made thus:
$dscheaders = "MIME-Version: 1.0\r\n";
$dscheaders.= "Content-Type: text/html; charset=iso-8859-1\r\n";
$dscheaders.= "From: ". $_POST['membername']. " <". $_POST['memberemail']. ">\r\n";
$dscheaders.= "Reply-To: ". $_POST['membername']. " <". $_POST['memberemail']. ">\r\n";
$dscheaders.= "X-mailer: Microsoft mailer\r\n";


Do you have an example of what a valid header would look like and what checking to make around membername and memberemail which are entered in the form?

I do check memberemail is valid with:
if (ereg("^[^@ ]+@[^@ ]+\.[^@ \.]+$", $memberemail))
Also, the form can't be submitted until other validation is done and the member clicks the "I've finished" checkbox.
 
I think you could be in trouble with membername because there is nothing stopping someone submitting a multi-line value. The spammers will use their own form or software that simulates a form.

To see what I mean, try a form where the member name input tag is changed to a textarea and then enter something like this as the name:

My Name
CC: [email protected]

I think that will be sent to the CC'd address. It could be a big comma separated list. It also works with To: and BCC:

That link I gave had quite a bit of information and a Google search for "header injection" brings up lots of stuff. I think the main thing is to filter out any \r and \n in the name and email fields. I'd block colons too just for good measure. I'm not sure if your regex for email would allow a multi-line input. I know the first ^ and last $ mean start and end of line but does it still match if there are multiple lines?

I think your last line where you are pretending to be a Microsoft mailer could get you caught by spam filters. I'm just saying that because I've seen in spamassassin reports etc something like "falsely claims to be Microsoft Outlook".

Cheers
Ross
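A hardened version of the header-building code from the question, added here as an example and not code from the thread. It assumes PHP 5.2 or later (for filter_var), not the PHP 4.4.4 mentioned above; the helper names and the sample inputs are my own.

```php
<?php
// Same headers as the poster's $dscheaders, but built only from values that
// cannot start a new header line. Names such as $_POST['membername'] are
// the thread's; has_header_break() and build_mail_headers() are mine.

function has_header_break(string $value): bool
{
    // CR, LF, NUL and the URL-encoded forms (%0a, %0d) that injection
    // attempts often arrive as. Any of these means "reject".
    return preg_match('/[\r\n\0]|%0[ad]/i', $value) === 1;
}

function build_mail_headers(string $name, string $email): ?string
{
    // Refuse rather than silently strip, so the attempt can be logged.
    if (has_header_break($name) || has_header_break($email)) {
        return null;
    }
    // Single-address check; unlike a bare ^...$ regex this cannot be
    // satisfied by a value that carries extra lines after the address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Per Ross's advice, keep colons out of the display name; angle
    // brackets and quotes are dropped too so the name cannot close the
    // <address> part early. Assumes an ASCII display name.
    $name = preg_replace('/[^\x20-\x7e]/', '', $name);
    $name = trim(str_replace([':', '<', '>', '"'], '', $name));
    if ($name === '') {
        return null;
    }

    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=iso-8859-1\r\n";
    $headers .= "From: " . $name . " <" . $email . ">\r\n";
    $headers .= "Reply-To: " . $name . " <" . $email . ">\r\n";
    return $headers;
}

// Constructed inputs: an ordinary submission, and the multi-line name
// Ross describes above. Only the first one yields usable headers.
$clean = build_mail_headers("Mike", "mike@example.com");
$bad   = build_mail_headers("My Name\r\nCC: victim@example.com", "mike@example.com");
if ($clean !== null && $bad === null) {
    echo "injected name rejected, clean name accepted\n";
}
```

When build_mail_headers() returns null the form handler should not call mail() at all, rather than fall back to a default From: header.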
 