Security concerns with PHP mail script, no user input fields - php

I have one php file which sends me an email every time it's loaded. There are no user input fields; it is not a contact form or any other form. It's just a redirect php file and I want to receive an email each time it is loaded. I have included the following php mail function in it and wonder if there are any security issues with it (since there are no user input fields I am hoping I can leave it like this):
$to = 'myemail@gmail.com';
$subject = 'the file is loaded';
$message = 'the file loaded, check it out';
$headers = 'From: webmaster@mywebsite.com' . "\r\n" .
'Reply-To: webmaster@mywebsite.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);

From a functionality perspective this is perfectly safe. Your e-mail can't be altered.
However, if one person decides to troll you, he can send you an incredible number of e-mails in a very short time. Your host or ISP will get pissed over this.
You can avoid this with queueing. Get a database or a file, save the number of times the page is called and when the last e-mail was sent.
If the script is called AND the last sent e-mail is x minutes ago, you can send yourself a message that the page has been called x times. Then, you just empty the database and restart counting :)
Here's a script to get you started (haven't tested)
// Duration in seconds
$duration = 60 * 15;
$now = time();
$file = 'tmp.json';
// Decode to an associative array (second argument true) so that $json['calls']
// works; start from an empty state when the file is missing or unreadable
$json = is_file($file) ? json_decode(file_get_contents($file), true) : null;
if (!is_array($json) || !isset($json['calls'], $json['sent'])) {
    $json = array('calls' => array(), 'sent' => 0);
}
array_push($json['calls'], $now);
// It's time to send the content once $duration seconds have passed since the last mail
if ($json['sent'] + $duration <= $now) {
    $to = 'myemail@gmail.com';
    $subject = 'the file is loaded';
    $headers = 'From: webmaster@mywebsite.com' . "\r\n" .
        'Reply-To: webmaster@mywebsite.com' . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    $message = '';
    // Generate message
    foreach ($json['calls'] as $c) {
        $message .= sprintf("File loaded at: %s\r\n", date('r', $c));
    }
    if (mail($to, $subject, $message, $headers)) {
        // Reset the file but ONLY if the mail was sent
        file_put_contents($file, json_encode(array(
            'calls' => array(),
            'sent' => $now
        )), LOCK_EX);
    } else {
        // Mail failed: keep the queued calls so they are reported with the next attempt
        file_put_contents($file, json_encode($json), LOCK_EX);
    }
} else {
    file_put_contents($file, json_encode($json), LOCK_EX);
}
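
The same digest idea, hardened against two requests hitting the state file at the same moment, as an added example that is not the answer's own code: the read-modify-write of the file is wrapped in an exclusive flock(), and the queue is only reset after a successful send. The state path, the 15-minute interval, the function name and the injected $send callback are assumptions for the illustration; the mail() wiring at the bottom reuses the placeholder addresses from the question. Needs PHP 7.

```php
<?php
// Added example (not from the question or the answer above): a digest
// notifier whose state file is updated under an exclusive lock, so that
// concurrent requests neither lose hits nor both send the digest.

const DIGEST_INTERVAL = 15 * 60;   // seconds between digests (assumed value)

/**
 * Record one hit in $stateFile and, once $interval seconds have passed since
 * the last digest, hand the accumulated timestamps to $send. $send(string
 * $body): bool is injected so the logic can be exercised without a mail
 * server. Returns true only when a digest was actually sent.
 */
function record_hit_and_notify(string $stateFile, int $now, callable $send, int $interval = DIGEST_INTERVAL): bool
{
    // Keep $stateFile outside the document root: a JSON file of hit
    // timestamps next to the script is fetchable by anyone who guesses its name.
    $fh = fopen($stateFile, 'c+');          // create if missing, never truncate on open
    if ($fh === false) {
        return false;
    }
    try {
        if (!flock($fh, LOCK_EX)) {          // serialise concurrent requests
            return false;
        }
        $state = json_decode(stream_get_contents($fh), true);
        if (!is_array($state) || !isset($state['calls'], $state['sent'])) {
            $state = ['calls' => [], 'sent' => 0];   // first run or corrupt file
        }
        $state['calls'][] = $now;

        $sent = false;
        if ($state['sent'] + $interval <= $now) {
            $body = '';
            foreach ($state['calls'] as $ts) {
                $body .= sprintf("File loaded at: %s\r\n", date('r', $ts));
            }
            if ($send($body)) {
                // Reset only after a successful send; otherwise the hits stay
                // queued and go out with the next digest.
                $state = ['calls' => [], 'sent' => $now];
                $sent = true;
            }
        }

        // Rewrite the file in place while the lock is still held
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($state));
        fflush($fh);
        return $sent;
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Wiring for the original use case (addresses are the question's placeholders)
$sender = function (string $body): bool {
    $headers = 'From: webmaster@mywebsite.com' . "\r\n" .
               'Reply-To: webmaster@mywebsite.com' . "\r\n" .
               'X-Mailer: PHP/' . phpversion();
    return mail('myemail@gmail.com', 'the file is loaded', $body, $headers);
};
record_hit_and_notify('/var/lib/myapp/hits.json', time(), $sender);
```

flock() is advisory and only coordinates processes on one host, which is enough for a single shared-hosting account with several PHP workers; if requests are spread across servers, keep the counter in a database row updated inside a transaction instead of a file.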

What security issues may there be with an email that has static content which you possess full control over? Anyway, I believe it would be better if you just kept track of your file loads in a local file or a database. Good luck! :P

Related

how to stop x-mailer from sending same email?

I am messing with my website, and then I thought, why not add a visitor mail notification to myself.
I added the following code to my website using
include("visit_mail.php");
but even if my website has 1 visit I receive 20 emails from x-mailer. Here is the code of x-mailer
$browser = $_SERVER['HTTP_USER_AGENT'];
$time = date("g.i A l-d F Y", time() + 6*60);
$ip = getenv('REMOTE_ADDR');
$email_me = "me@mydomain.com";
// $site_name is not defined anywhere in the snippet; give it a value so the subject is not empty
$site_name = isset($site_name) ? $site_name : 'my website';
$msg = "\nHey SomeOne Visited Your WebSite\nIP: $ip\nBrowser:$browser\n$time.";
$subject = "Visitor On $site_name";
// Header lines must be joined with "\r\n" (double quotes). The original ended the
// statement after X-Mailer, so the three priority headers were never part of $headers.
$headers = 'From: me@mydomain.com' . "\r\n" .
'Reply-To: me@mydomain.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion() . "\r\n" .
'X-Priority: 1' . "\r\n" .
'Priority: Urgent' . "\r\n" .
'Importance: high';
$x = mail($email_me, $subject, $msg, $headers);
if($x){echo "";}else{echo "";}
Multiple requests are sent when visiting a website; this may cause the script to execute multiple times. You could try adding:
$page = $_SERVER['REQUEST_URI'];
$msg .= 'They visited page: ' . $page;
to check what page they visited.
more details about the user visiting the site can be retrieved with the following: https://www.php.net/manual/en/reserved.variables.server.php

How to order the PHP output in an email?

I've created a web site and I'm using this link for a JS pop up form to be emailed using PHP.
I also used the code from here and everything works except for a couple things. When I don't remove some variables, the order of information is out of place when it emails.
And when I keep all the variables, I get the following error in a log and nothing sends until I remove them:
PHP Warning: mail() expects at most 5 parameters, 7 given in xxxxxxxxxxxxxxxxxxxxx/quote.php on line 41
Below is the code where the error is coming from:
else{
$Company = $_POST['company'];
$Email = $_POST['vemail'];
$Name = $_POST['name'];
$Number = $_POST['number'];
$Info = $_POST['info'];
$headers = 'From:'. $email2 . "\r\n"; // Sender's Email
$headers .= 'Cc:'. $email2 . "\r\n"; // Carbon copy to Sender
// Message lines should not exceed 70 characters (PHP rule), so wrap it
// $message = wordwrap($message, 70);
// Send Mail By PHP Mail Function
mail("info@bvcdenver.com", $Company, $Email, $Name, $Number, $Info, $headers);
echo "Your quote request has been sent successfully! Thank you for your interest. You are being redirected back to xxxxxxxxxxxx in 5 seconds.";
}
How can I send all the variable? Order won't matter if I can get them all to send.
Note: I don't have a lot of scripting experience. This site is created using only HTML/CSS and these PHP and JS sections. So ideally I'd like to not change the entire site.
You need to use the PHP mail() function properly, as stated here: http://php.net/manual/en/function.mail.php.
The max number of parameters is 5:
- TO ( in your case: "info@bvcdenver.com" )
- SUBJECT ( in your case: $Company )
- MESSAGE ( in your case: $Email )
The last 2 are additional headers and additional parameters.
If you want to send all the data "email, name, number and info" you should organize a string/text variable and put it in the 3rd place
like:
$message = $Email . " - " . $Name . " - " . $Number . " - " . $Info;
mail("info@bvcdenver.com", $Company, $message, $headers);
This should do the work and you can customize the message however you want, with HTML or raw new lines, and get a proper template.
<?php
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';//pass every variable into message
$headers = 'From: webmaster@example.com' . "\r\n" .
'Reply-To: webmaster@example.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
?>

mail function, don't wait for respons in shared hosting

I have a script that sends data to a table in a mysql database and now I want to generate an email every time someone adds new data. It works, but as you may know, it takes almost 20-30 secs to complete and get the response.
I've read that the exec function would have been good for executing mail() in a separate file, but on my shared server exec is disabled. Also disabled are these others:
symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd,show_source,pcntl_exec
Can anybody show how I can make this possible without blocking the webpage until the email is sent?
Thank you!
The mail function looks like this. Is something in it making it slow??
$to = "xxx@gmail.com";
$subject = "xxxxx";
$message = "xxxxxxxxx: \n";
$message .= "\n";
$message .= " $getuser\n";
$message .= "\n";
$headers = 'From: xxxx@gmail.com' . "\r\n" .
'Reply-To: xxx@gmail.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
// $headers, not the misspelt $headerxs, which passed an undefined variable to mail()
mail($to, $subject, $message, $headers);

PHP Mailing Code sending mail to spam/quarantine

The title explains itself. It is a website for in-house employees to buy and sell from each other. It's based solely around Microsoft Outlook email addresses. All the emails are supposed to be sent from the seller's email as they post items. Except when I enter <?php phpinfo(); ?> on the action php page it tells me that the sendmail_from attribute thing is sending from a bogus email on the server. It seems to be the automatic email for the php script to send from. This may be why the emails are getting sent to spam, because the email is not valid. Also, I read online about having full and valid headers but most headers seem optional and I can't find anywhere that explains optimal headers. My mailing code:
//send approval email to the approver
$from = isset($_POST['from'])? $_POST['from']:1;
$message = isset($_POST['message'])? $_POST['message']:1;
$message = $message . '<a href="http://dev-corkboard/newapproval.php?id='
.$result[0][0].'"> Click here to approve website post.</a>';
// In case any of our lines are larger than 70 characters, we should use
// wordwrap()
$message = wordwrap($message, 70);
$to = 'clehane@eatonvance.com';
$replyto = isset($_POST['replyto'])? $_POST['replyto']:1;
$subject = isset($_POST['subject'])? $_POST['subject']:1;
$headers = "MIME-Version: 1.0" . "\r\n" . 'From: "'.$from.'"' . "\r\n" .
'Reply-To: "'.$replyto.'"' . "\r\n" .
'Content-Type:text/html;charset=iso-8859-1' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
if (mail($to, $subject, $message, $headers)) {
//test message for email
}
header ("location: newindex.php");
Any ideas?
And bam! Solved it, needed to put email addresses as such:
$from = 'MyName <myemail@mycompany.com>';
And I also included these headers:
"X-Priority: 0\r\n".
"X-MSMail-Priority: Normal\r\n".
"X-Mailer: mycompany.com"

PHP from field when sending mail()

I'm using PHP's mail() function and noticing that my mail is being shown from being sent by 'My Website' in my inbox, but when I click on the actual email it shows it being sent from mywebsite@sitename.localdomain.
Ideally I'd like to have it say being sent from 'My Website', but the reply email being 'no-reply@mywebsite.com', and not to have it say anything about @sitename.localdomain.
$to = trim(strtolower($_POST['to']));
$from = trim($_POST['from']);
$message = trim($_POST['message']);
$subject = $from . ' has shared a link with you';
$headers = 'From: My Website' . "\r\n" .
'Reply-To:' . $to . "\r\n" .
'X-Mailer: PHP/';
mail($to, $subject, $message, $headers);
Is this an issue that I need to fix in Apache, or can I modify the headers within PHP?
Try this:
$to = trim(strtolower($_POST['to']));
$from = trim($_POST['from']);
$message = trim($_POST['message']);
$subject = $from . ' has shared a link with you';
$headers = 'From: My Website <no-reply@mywebsite.com>' . "\r\n" . // <- change your email here
'Reply-To:' . $to . "\r\n" .
'X-Mailer: PHP/';
mail($to, $subject, $message, $headers);
The Question and Answer #1 contain a serious security vulnerability:
$to = trim(strtolower($_POST['to']));
This will allow an attacker to use your website to email arbitrary spam, and your site will be blocked from most search engines.
See
https://www.owasp.org/index.php/Top_10_2010-A1
My recommendation is to:
- Sanitize the to and from fields
- Never ever ever copy the message in the post to the output unless carefully sanitized.
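
An added example of the sanitizing this answer asks for, written for the three forms on this page that pass request fields straight to mail(): quote.php ($_POST['company'] becomes the subject), the corkboard approval mail ($_POST['from'], ['replyto'] and ['subject'] go into headers) and the share-a-link form above ($_POST['to'] is both the recipient and the Reply-To). It is not code from any of the questions or answers; the field names, the function names, the fixed no-reply address and the three sample requests are assumptions for the illustration. Needs PHP 7.1 or later.

```php
<?php
// Added example, not from the page: validate every request field before it
// reaches mail(), so the script can neither be used as a relay (many
// recipients at once) nor have extra headers such as Bcc: injected.

/** Return the request field as a string, or '' when absent or not a string (to[]=... arrives as an array). */
function field(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
}

/**
 * Exactly one mailbox. FILTER_VALIDATE_EMAIL rejects commas, spaces and
 * control characters, so "a@x.com, b@y.com" (mail() splits the To: argument
 * on commas and would send to all of them) and "a@x.com\r\nBcc: b@y.com"
 * both come back as null.
 */
function single_address(string $value): ?string
{
    $value = trim($value);
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

/**
 * A value that may appear on a header line or in the subject: no control
 * characters at all, because a CR/LF followed by "Bcc: ..." starts a new
 * header. PHP replaces control characters in $to and $subject itself but
 * passes the additional headers (From:, Reply-To:, ...) through, so anything
 * user-supplied that lands there must be checked here.
 */
function header_safe(string $value, int $maxLen = 120): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $value) !== 0) {
        return null;
    }
    return $value;
}

/** Body text: printable UTF-8 plus ordinary line breaks, bounded in size; invalid UTF-8 is rejected. */
function plain_text(string $value, int $maxLen = 2000): ?string
{
    if (strlen($value) > $maxLen || preg_match('/[^\P{C}\r\n\t]/u', $value) !== 0) {
        return null;
    }
    return trim($value);
}

/**
 * Assemble the share-a-link mail, or return null if any field is unsafe.
 * From: and Reply-To: are fixed to our own domain (what the question asked
 * for); the visitor chooses only the recipient, the display name used in the
 * subject, and a plain-text note for the body. Nothing from the request is
 * ever placed on a header line.
 */
function share_link_mail(array $post, string $from = 'My Website <no-reply@mywebsite.com>'): ?array
{
    $to      = single_address(field($post, 'to'));
    $sender  = header_safe(field($post, 'from'), 60);
    $message = plain_text(field($post, 'message'));
    if ($to === null || $sender === null || $message === null) {
        return null;
    }
    $headers = 'From: ' . $from . "\r\n"
             . 'Reply-To: ' . $from . "\r\n"
             . 'X-Mailer: PHP/' . phpversion();
    return [
        'to'      => $to,
        'subject' => $sender . ' has shared a link with you',
        'body'    => $sender . " wrote:\r\n\r\n" . $message . "\r\n",
        'headers' => $headers,
    ];
}

// Constructed requests: one legitimate, two hostile (made-up inputs, not from the page)
$legit = ['to' => 'friend@example.org', 'from' => 'Alice', 'message' => 'Have a look at https://example.com/article'];
$bcc   = $legit;
$bcc['to']   = "friend@example.org\r\nBcc: victim@example.net";   // extra header via the original 'Reply-To:' . $to
$relay = $legit;
$relay['to'] = 'v1@example.net, v2@example.net, v3@example.net';  // recipient list instead of one address

foreach (['legit' => $legit, 'bcc' => $bcc, 'relay' => $relay] as $label => $post) {
    echo $label, ': ', share_link_mail($post) === null ? 'rejected' : 'accepted', PHP_EOL;
}

// Real wiring: send only when every field passed
$m = share_link_mail($_POST);
if ($m !== null) {
    mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}
```

These checks close the header-injection hole, but a form that mails any address a visitor types still carries text the visitor wrote, so it stays attractive as a relay: keep the body template fixed where you can and throttle per client IP (the digest trick from the first answer on this page is a start). Also resist setting From: to the visitor's own address, as the corkboard code tried to: mail claiming to come from someone else's domain fails that domain's SPF and DMARC checks at most receivers, which is itself a reason for it to land in spam.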
