In a simple contact form, the HTML form triggers a Php script :
<form method="post" action="email.php">.....</form>
This email.php sends me an email :
<?php
$mess=$_POST['name']. "\r\n" .$_POST['site']. "\r\n" .$_POST['email']. "\r\n" .$_POST['meta']. "\r\n" .$_POST['message'];
mail('myemail#gmail.com', 'Subject', $mess);
?>
The HTML is using jQuery validate plugin, but nothing like this on the Php side.
A Security expert told me how insanely unsecure this php script was.
What can I do to enhance security ?
My guess is that your "security expert" saw you using raw $_POST data and using the mail() function, and he freaked out, but didn't stop to actually check how bad things were.
He has a point in that using $_POST without doing any validation on it is almost always a recipe for being hacked, but in fact in this particular case I don't think it's too bad, because you are the only recipient (so it's not going to be used for spam, which is the main thing to worry about in these cases), and because the body is plain text (so a hacker can't send you any nasty scripts or attachments).
Without any validation, you could get some really weird emails as a result of hackers trying to find a way around your defences, but not too much else.
PHP's mail() function is a well-known soft target for hackers because there is an awful lot of insecure code out there that uses it. However the real danger with mail() tends to be if you use the headers parameter (ie to set things like the sender address, etc), which you haven't used. Since you're not using headers, the risks are a lot lower, and mainly limited to making it easy for someone to mailbomb you.
If you are still worried about the security of the mail() function, the best solution is to use a library like phpMailer instead.
To be honest, my advice whenever anyone wants to use PHP's mail() function is always to use phpMailer or Swiftmailer instead. And it's not even just about security; even for simple cases, they can make your code a lot easier to read and maintain.
One big flaw is that an attacker could trivially fill your inbox with malicious or junk messages which, besides being very annoying, would likely cause Google to put your domain on their spam list.
They could do this by writing a short script to call that PHP function with some arbitrary data, and loop through it for however long they want.
This is an alternative way of solving what you asking for. And I hope this can be useful for other askers, as I see similar questions coming op consecutively.
If you intend to make professional application and focus on your core business, then I suggest you use some secured email portals with API from like mailgun, mandrill or others. Both service offer a dash board where you can see e-mail status of how many emails are sent and delivery status, and a lot of other statistics. It is FREE for small usage. It is worth it using it, because you will solve some of following issues:
You do not need to think about maintaining security of your smtp server
Or even correct configuring your smtp
Solving block and black IP addresses
Server attack
Spam problem
And name the more
Both solutions provide API for PHP or other platforms.
Note: I have been my self used my own smtp server few years back, and you know all the time I put to fixing and maintaining the smtp server is not worth it, because I could spent that time doing better stuff and leave e-mail service part for professionals.
Related
I'm searching for a good way to store the e-mail generated by PHPMailer,
in a database instead of sending it out directly via SMTP.
The reason for doing this is, that mails are getting sent via customer provided mail servers, which will probably be unreliable. So that's why I would like to queue mails in the database instead of directly sending them.
The obvious idea would be to store PHPMailers internal $MIMEHeader, $MIMEBody and similar variables and then later put them back into the PHPMailer object.
Unfortunatly this isn't really possible, because most of these variables have protected-access modifiers set on them without any other way of accessing them.
I thought about doing things like Reflection to change the access modifiers to public, but that sounds like a crude hack, which is prone to breaking...
Also: I don't really want to modify PHPMailer itself, to be able to still update PHPMailer.
Serializing the whole PHPMailer object was another idea, but that would be a little bit impractical, because I'd need to make sure that (for example) attachments in the filesystem are still there when sending the mail.
You can get hold of a complete message without sending it by doing this:
$mail->preSend();
$message = $mail->getSentMIMEMessage();
You can drive the SMTP class by itself if you want to submit a pre-built message, but it's not especially straightforward - you are better off following the other suggestions of storing the parameters rather than the pre-built message.
Being able to set headers and body directly would imply that PHPMailer contains a complete MIME parser, and that's just not its job. Also getting around the protected access is not sufficient because calling the send function would cause all your changes to be overwritten because the message is only built at send time (which is why those properties are protected in the first place - they are for internal use). In short, you're approaching this the wrong way.
As others have said though - you're queuing in the wrong place - this is what mail servers are for, they are very good at it, and you really don't want to write your own MTA. This is what I do, and I have no problem sending a million message per hour - my MTA takes care of all the reliability issues.
I'm searching for a good way to store the e-mail generated by PHPMailer
Perhaps it would be sufficient to store just data you build your mail content from (even as serialized arrays, JSON whatever). Then when needed, you can build the mail again and resend.
which will probably be unreliable
By the same logic your code will probably be buggy.
Jokes aside, once send() returned success, it's not your problem what will happen with the mail delivery. If it will fail, then it's not you who should fix it as the culprit is outside your code. Just add "reliable mail server" to your app's requirements :)
I'm wondering if there is anything in place that will prevent me from accidentally destroying an email account. For example, let's say that I had the following code:
while(true){
mail("me#website.com","subject","Message");
}
To me that script would forever email that account which seems like it would render that account effectively useless if it doesnt have good spam protection. Thoughts?
No, that code would do exactly as you say - send infinite emails to a particular account. The onus is on you as the developer to make sure that the code doesn't mess up in that way! Normally it's quite easy though, it's just using a bit of common sense to make sure you don't get sent a billion emails just saying "Message"...
The mail() function is wide open to abuse which is why its use is generally discouraged in favour of libraries such as PHPMailer.
While the php function itself has no spam protection, any decent email hosting service and/or email managing software would allow you to block the email address to prevent continuous spam.
you can use the interactions with a database , and check at each iteration if you already sent a number of mails to the recepiant before you start bombing it . example :
define('_MAX_ALLOWED' , 5) ;
while(true){
if(getNumberOfMails("me#website.com") > _MAX_ALLOWED ) break ;
mail("me#website.com","subject","Message");
saveMailToDatabase("me#website.com","subject","Message");
}
I'm confused about how mail works in PHP and CakePHP.
1.) What is the difference between sending an email either using the PHP mail function / CakePHP email helper or SMPTP as shown here: http://book.cakephp.org/1.3/en/view/1290/Sending-A-Message-Using-SMTP as the outcome looks the same?
2.) To specify who the email is coming from, you pass in the email in the header, but you can put whatever you want, so what is stopping you from just putting in anything? like yourbank.com? mail('you#gmail.com', "Subject", "Message", "From: <dave#yourbank.com>"); I just tried it and it worked fine and I couldn't find out anyway in Gmail to see if it didn't come from dave at yourbank.com...
Hopefully I can get some light on these two questions. Thanks.
1). CakePHP has a bunch of helpers & functionality implemented to make life easier when developing applications. As you've discovered, Cake has mail functionality. I suggest reading this whole page http://book.cakephp.org/2.0/en/core-utility-libraries/email.html (It's 2.0 not 1.3, so please not there have been some big alterations between the two versions). The article covers in depth on why you may configure something in a particular manner.
CakePHP is using the default mail function with PHP. It's just allow you to incorporate views into the content and configure the outgoing mail in a much easier manner.
2) As for putting in potentially any email address within the From Header.... this can potentially fall under the category of Email Spoofing, essentially sending an email when it's not authorized from the source (From Header). Again this links back to configuring specific mail servers.
By default mail clients and generally setup to prevent spam and junk, this is done by taking a large amount of steps. Some may be..
Keyword checking, (Checking the contents of an email for any
keywords classified as spam).
Header checking, <--- This is the one that answers your
question.
Essentially... headers are examined and checked to see if the server that the mail was sent from has the authority to use the given from address.
As I don't have enough technical knowledge, i'll throw a few pages your way which discuss setting up records against your DNS/Domain so emails are validated correctly and not put within spam folders.
http://www.ipswitch.com/support/imail/guide/imailgsv8.1/Appendix%20A%20dns4.html
http://help.postageapp.com/kb/application-features/dkim-and-spf-setup-and-validation
How to properly set up DNS SPF records?
I hope my jumbled ramblings make some sort of sense.
Question 1: PHP mail function uses your own server's built in email functionality to send email. If you use SMTP, you're connecting to another server (eg. Google's mail servers) and using that server to send the email.
CakePHP's email component can use either PHP mail, or SMTP, depending on how you configure it.
The outcome is basically the same in many respects. Which way is best for you will depend on your set up, the volume of email you're sending, whether your own server has any restrictions with regards to sending mail, etc. If you Google "PHP mail versus SMTP" or similar, then you'll get some info to help you decide which is best for you.
If you're not sending much email, eg. if you're just wanting to send the results of an enquiry form that gets submitted a few times each day, then just use PHP mail and don't worry about it.
Question 2: Although email programs put various measures in place to make sure mail is legitimate, basically nothing stops fake emails completely. You can send Fake email. Check out this site: http://deadfake.com/Send.aspx and in particular, their FAQ section: http://deadfake.com/FAQ.aspx
Spam filters do their best to catch fake emails, but ultimately it's up to the end user to keep their wits about them, especially with banking emails!
I have a classifieds website, and on each classifieds page, there is a form for tipping a friend where you just enter the persons email-adress and the tip will then be sent. The form is submitted to tip.php where all "magic" happens with checking and sanitizing etc etc...
Lastly I use php:s mail() function to send the email from tip.php...
Now, I wouldn't want spam-bots and automated robots etc to send mail and blacklist my server.
What should I do?
One method which I would rather NOT use is logging IP:adresses of senders in a table (MySql) and then allow only x emails per sender.
As I said, the above solution is nothing I would prefer, there must be an easier way.
Is there any method you know of?
Is there any application to install maybe, on a linux server which does the job?
Thanks
I would say that the most used method would be captcha. This will ensure that the one that sends the email is a man, but everything can be cracked. So I would recommend to find a really good one, just type captcha into google and you are good to go. Also you can use another method/thing to make it more viable, e.g. some question that can be answered a simple mathematical problem, etc.
I think you should do something in the form which makes it difficult for robots to submit rubbish into it.
Either a piece of Javascript which robots don't run (Hint: The usually don't) or if you MUST, a captcha.
You should definitely monitor the use of this facility, as well as monitoring outbound messages, message queues, and watch for bounced mail though.
Quite a lot of web spam seems to come from humans who are paid to submit rubbish into peoples' forms, which is difficult to block.
You can of course, also use something like Akismet - an API where you can ask them to spam-scan form input; I'm sure its licence terms are very reasonable and if spam is a real problem, paying for it will be acceptable to management (using Akismet is much cheaper than paying expensive developers to write and maintain an in-house anti-spam system)
Unless its a paid for service or you can restrict the recipients to a pre-approved list and can establish the bona fides of the users I would strongly recommend you don't do this. However...
Do have a look at spamassassin - but remember that one of its most important metrics is the Bayesian filtering engine - which needs to be trained using heuristics (but you can run spamassassin for your incoming mail and copy the database to your webserver).
Do make sure that you only allow authenticated customers (with an authenticated email) to use the facility, and limit the rate at which they can send messages (and the number of recipients) using a dead-man's lever.
C.
I am new to PHP, but have a decent grasp of things (have not learned classes yet).
The question:
Which to choose? PHPMailer or mail() for my new contact form.
The form is simple:
Your name:
Your email:
Subject:
Body:
I have around 2,000 visitors per day and receive about 10 submissions per day, so I don't need anything too fancy. =)
Miscellaneous questions in my head:
Is PHPMailer going to better protect my Contact Form from CC: injection (major concern)? I already know the anti-spambot display:none CSS trick.
Will PHPMailer save me the step of having to write an email_validator() function?
Will PHPMailer save me any other time of having to write any custom functions?
Thanks! With any luck, I'll be answering questions soon. Lol
Here is all I could think of in one sitting, forgive me if there are any glaring omissions.
Advantages to using PHP's built-in mail function, no external library/wrapper:
You don't need anything outside of
PHP.
You don't need to learn a new API.
You don't have to worry about a PHP
upgrade or such breaking the script.
You don't have to worry about an
updated version not working on your
PHP installation.
You don't have to worry about
potential security vulnerabilities as
a result of using that script.
If it's a simple task, you'll be done
in a few minutes.
Advantages to using an external library/wrapper:
If you need to introduce more
complexity into your emailing, you
can do so quite easily. Adding
attachments, inline images and such
are not much fun using PHP plain mail
function. External libraries (at
least the good ones) have a more
OOPish API. Adding an attachment can be as easy as $message->addAttachment($file); without having to play around with headers, etc.
External libraries better hide the
ugly complexities of tasks such as
adding attachments, character
encodings and inline images.
Using a library now will save you the
hassle of having to learn it in the
future when you do need the
additional complexity/functionality.
External libraries probably (I'm
really not sure which ones, and to
what extent) address certain
vulnerabilities that PHP's mail does
not.
If I can think of anything else, I'll be sure to add it.
This will maybe not really answer all your questions, but it won't hurt either, I guess...
Whatever you want to do, I would not go with mail() : sending a mail is not such an easy task, and using an existing library/framework will always be a good idea : it will solve many problems you probably have not even thought about -- even if you don't need to send lots of mails.
About your specific questions, maybe other answers will say something else and/or get your more informations, but any "good" library created to send mails should deal with those kind of problems... Else, you should probably search for another library ^^
Still, testing a couple of dumb non-addresses will allow you to be 100% sure ;-)
Another solution to be quite sure is to check the source of the library ;-)
In the source of version 2.2.1, you'll find stuff like this :
class.phpmailer.php, function AddAnAddress, line 413, you'll see this :
if (!self::ValidateAddress($address)) {
$this->SetError($this->Lang('invalid_address').': '. $address);
if ($this->exceptions) {
throw new phpmailerException($this->Lang('invalid_address').': '.$address);
}
echo $this->Lang('invalid_address').': '.$address;
return false;
}
And it seems this function is used by the other functions that add an address... So, I suppose there's some kind of email-addresses validation ;-)
That'll answer at least one of your questions ^^
PHPMailer is not the only solution that exists, btw ; there are plenty of others, like, for instance :
Zend_Mail
Rmail for PHP (Formerly known as HTML Mime Mail)
Swift Mailer
As Pascal MARTIN mentioned, sending an email isn't as straight forward and easy as some people just assume it is. To answer your questions directly. Yes PHPMailer does do some validation, but it's not super-advanced, but should be enough for your uses. And PHPMailer will save you some time depending on what custom functions you will need. Some things to consider though:
HTML vs plain text. If the emails are only ever going to you, this probably isn't as big of a deal. But if you're ever sending emails to your users (say a confirmation email) you want to be able to support both HTML and plain text clients. PHPMailer (and Zend_Mail) make this very easy to do.
SMTP. This is another one that is really important if you're sending email to your users, but not so much if it's just an email to your self. Using php's regular mail() function the email will be sent via sendmail, which almost all *nix installs come with out of the box (especially servers). As a result, spam filters aren't very friendly towards it. If you have a regular SMTP server setup with a trusted MX record (or if you have a gmail account) you can send through that using SMTP, which will help reduce the chances of your mail being flagged as spam.
In addition to just PHPMailer Zend_Mail is a good one to check out to (it's part of the Zend Framework). However that may be a bit much for a simple contact form.
PHPMailer is my choice because it allows me to send SMTP e-mails to google without installing any libraries or configuring a mailserver, that way I don't have to worry about spam-related problems.