Page Based Email Issue





Mosquito.Tyler
Ok, so I was following this lesson on PHP email, and I got it all ready to go, but I found that it has some weird behavior. It will send the message no matter what is in the fields, even if you enter multiple email addresses (which I don't think you're supposed to be able to do).

I'm pretty new to PHP, I've only used it to include files in my layout. I'm hoping someone can show me what (if anything) is wrong with my code, and also what I can do to add requirements (i.e. message length). Here is the code I am using.

Code:

<?php include('includes/head.php'); ?>
<link rel="stylesheet" href="styles/cus.css" />
</head>
<body>
   <div id="body">
      <table id="main">
         <tr>
            <td id="head">
               <?php include('includes/header.php'); ?>
            </td>
         </tr>
         <tr>
            <td id="body">
               <div id="bodyinc">
                  <table style="margin-left:20px;">
                     <tr>
                        <td>
               <?php
function spamcheck($field)
{
   // eregi() was removed in PHP 7; stripos() gives the same case-insensitive test
   if(stripos($field, "to:") !== false || stripos($field, "cc:") !== false)
   {
   return TRUE;
   }
else
   {
   return FALSE;
   }
}

if (isset($_POST['email']))
{
   // read the fields first so they are defined in both branches below
   $email = $_POST['email'] ;
   $subject = $_POST['subject'] ;
   $message= $_POST['message'] ;
   $mailcheck = spamcheck($email);
   if ($mailcheck==TRUE)
   {
   echo "<h2>Invalid Input!</h2>";
   // PHP joins strings with ".", not "+"; htmlspecialchars() keeps user input from being rendered as HTML
   echo htmlspecialchars($email) . "<br />" . htmlspecialchars($subject) . "<br />" . htmlspecialchars($message);
   }
   else
   {
   /*mail("Contact@hon.frih.net", "Subject: $subject", $message, "From: $email" );*/
   echo "<p>Thanks for your feedback!</p>";
   echo htmlspecialchars($email) . "<br />" . htmlspecialchars($subject) . "<br />" . htmlspecialchars($message);
   }
}
else
{
   echo "
   <span style='font-size:.8em;'>
   <div class='header'>Contact Us</div>
   <p class='text' style='text-align:left;'>Fill out the form below with your email address, a subject, and a message, and we will get back to you as soon as possible!</p>
   <form method='post' action='Contactus.php'>
   <table>
   <tr>
      <td style='font-size:.8em;'>Your Email:</td><td><input class='cus' name='email' id='email' type='text' /></td>
   </tr>
   <tr>
      <td style='font-size:.8em;'>Subject:</td><td><input class='cus2' name='subject' id='subject' type='text' /></td>
   </tr>
   </table>
  Message:<br />
  <textarea class='cnus' name='message' id='message' rows='15' cols='58'>
  </textarea><br />
  <input type='submit' style='align:right;' class='button' value='Send Email!' />
</form>";
}
?>   


I hear there are some real PHP pros on frihost, so I have high expectations Razz

Thanks in advance.
hexkid
I see nothing (very) wrong with your code.
The only problematic line is the one that calls mail()
Mosquito.Tyler wrote:
Code:
/*mail("Contact@hon.frih.net", "Subject: $subject", $message, "From: $email" );*/


You should sanitize the $email variable a little more thoroughly before using it. Some people might enter, for example:
"hacker@example.com\nBcc: victim1@example.com"
and victim1@example.com would receive the email.


To add more requirements I'd add more functions to the code and call them
Code:
define('MAX_MESSAGE_LENGTH', 4095); // that's 4K; an integer, so strlen() comparisons need no string-to-number coercion
define('MAX_LINE_LENGTH', 67);

function check_msg_length($msg) {
  if (strlen($msg) > MAX_MESSAGE_LENGTH) return false;
  foreach (explode("\n", $msg) as $line) {
    if (strlen($line) > MAX_LINE_LENGTH) return false;
  }
  return true;
}
and then call the appropriate function before mailing
Code:
if (check_msg_length($message)) {
  mail(...);
}
Mosquito.Tyler
Thanks hexkid for your help, I really appreciate it.
However I am having a couple of problems. I feel like such a noob Razz

Okay, firstly, you said to sanitize my $email var before using it. I'm assuming you mean use a better method to ensure there is no email injections happening. I'm not sure what else I can do, I was looking at w3schools and just got confused. So I'm curious what you think I should do to further 'sanitize' that field.

Secondly, I can somewhat follow the code you gave that checks the message length and the line length; however, when I inserted it into my existing code, something strange happened. My browser displayed the code as raw HTML. Here's what I mean.

Code:
 
Removed, Issue has been resolved.


You'll notice I put those slashes in there. Those are only to mark where the browser started outputting as Raw HTML.

I'm really confused, perhaps a mailto link will have to do until I get more comfortable with PHP. Do you recommend anywhere in particular to learn PHP?


:::::::EDIT:::::::::
I was able to resolve the issue with the browser displaying the code as raw HTML, I needed to put the constants inside the 'constant()' function. I think I can effectively add my own rules to the system now, all I need is a way to make it more secure.
hexkid
Hehe, having problems is a great way to learn the language.
Glad you sorted out your problems on your own.

Happy Coding!
Mosquito.Tyler
Just for those few who look into this thread and wonder how you might make your PHP email a little more secure, I'm going to share with you what I did. Since the main threat is Email Injection (inserting more email addresses into the To, CC, and BCC fields), I've found a couple ways to ensure only one address can be entered, as well as ensure that the terms Bcc:, CC:, and To: do not exist in the field.

Because you are leaving the "from" field editable, it is possible to further edit the email headers by inserting certain code, like this:

Code:

someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com


First I have a function to check the existence of header information:
Code:

function spamcheck($field)
{
   // eregi() was removed in PHP 7; stripos() gives the same case-insensitive test
   if(stripos($field, "to:") !== false || stripos($field, "cc:") !== false || stripos($field, "bcc:") !== false)
   {
   return TRUE;
   }
else
   {
   return FALSE;
   }
}


Then before I give the command to send the mail, I check to make sure that there is only ONE '@' sign.


Code:

$mailcheck = spamcheck($email);
if ($mailcheck==TRUE || substr_count($email, '@') != 1)
{
   echo "<h2>Invalid Input!</h2>";
}
else
{
   mail("*YOUR EMAIL ADDRESS*", "Subject: $subject", $message, "From: $email" );
   echo "<p>Thanks for your feedback!</p>";
}


I hope that this may answer some questions, even if you didn't know you had them Razz

:::::NOTE:::::
$email, $subject, and $message are variables I have defined myself, so you may need to change them.
hexkid
Are you sure $subject can't be used for mail injection? Wink

Code:
$subject = "test\nBcc: victim@example.com";
mail('hexkid@example.com', $subject, "Test message.\n");


When I tested it (not recently), PHP automagically stripped the $subject to the first line only (and there was no injection), but I don't like automatisms.


Also, why not put the count of "@" inside the spamcheck() function?
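One consolidated version of the checks discussed in this thread, added here as an example rather than code from either poster: the header-text and single-"@" tests on the From address from Mosquito.Tyler's post, the same newline check applied to $subject and the "@" count moved inside spamcheck() as hexkid suggests, plus hexkid's length limits. validate_contact(), has_header_injection() and the sample inputs are this example's own assumptions.

```php
<?php
// Added example, not code from the thread. validate_contact(),
// has_header_injection() and the sample inputs are assumptions of this
// example; spamcheck() and check_msg_length() keep the thread's names.

define('MAX_MESSAGE_LENGTH', 4095);
define('MAX_LINE_LENGTH', 67);

// TRUE when a header value could smuggle in extra headers: a raw CR/LF,
// the %0A/%0D forms (if the value was never URL-decoded), or a To:/Cc:/Bcc: label.
function has_header_injection($value)
{
    return preg_match('/[\r\n]|%0[ad]|\b(to|cc|bcc):/i', $value) === 1;
}

// spamcheck() with the "@" count moved inside, as hexkid suggested, and
// PHP's own address filter as the final syntax check. TRUE means "reject".
function spamcheck($email)
{
    if (substr_count($email, '@') != 1) return true;
    if (has_header_injection($email)) return true;
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false;
}

// hexkid's length limits: the whole message and each line.
function check_msg_length($msg)
{
    if (strlen($msg) > MAX_MESSAGE_LENGTH) return false;
    foreach (explode("\n", $msg) as $line) {
        if (strlen($line) > MAX_LINE_LENGTH) return false;
    }
    return true;
}

// Returns the names of the fields that failed; an empty array means mail() may run.
function validate_contact($email, $subject, $message)
{
    $errors = array();
    if (spamcheck($email)) $errors[] = 'email';
    // The subject is a header too, so it gets the same injection check as From.
    if ($subject === '' || has_header_injection($subject)) $errors[] = 'subject';
    if ($message === '' || !check_msg_length($message)) $errors[] = 'message';
    return $errors;
}

// Constructed inputs: a clean submission, then the Bcc-in-subject case from hexkid's post.
print_r(validate_contact('user@example.com', 'Hello', "Just a test.\n"));
print_r(validate_contact('user@example.com', "test\nBcc: victim@example.com", 'x'));
```

Only run mail() when validate_contact() returns an empty array; the body ($message) is not a header, so it gets the length checks but not the header-injection test.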
© 2005-2011 Frihost, forums powered by phpBB.