I'm looking for a way to download the whole raw email data (including attachment), similar to what you get by clicking "Show Original" in Gmail.
Currently, I can get the raw header and some parts of the mail body by this code:
$this->MailBox = imap_open($mailServer, $userName, $password, OP_SILENT);
...
$email->RawEmail = imap_fetchbody($this->MailBox, $msgNo, "0");
$email->RawEmail .= "\n".imap_fetchbody($this->MailBox, $msgNo, "1");
Also I know that changing the 3rd parameter of imap_fetchbody might return the encoded attachment. Guess I need a loop here to get the raw email part by part, but what's the condition to stop the loop?
Is there an easy way to get the whole email at once?
Any help would be appreciated.
I came across this question when I was searching for the same issue. I knew it had to be easier than the solution by hakre and I found the right answer on the page for imap_fetchbody on a post from 5 years ago.
To get the full raw message just use the following:
$imap_stream = imap_open($server, $username, $password);
$raw_full_email = imap_fetchbody($imap_stream, $msg_num, "");
Notice the empty string as third parameter of imap_fetchbody this signifies all parts and sub-parts of the email, including headers and all bodies.
The answer by hakre is overcomplete, if you don't really care about the structure then you won't need imap_fetchstructure.
For a simple 'Show Source' you should only need imap_fetchheader and imap_body.
Example:
$conn = imap_open('{'."$mailServer:$port/pop3}INBOX", $userName, $password, OP_SILENT && OP_READONLY);
$msgs = imap_fetch_overview($conn, '1:5'); /** first 5 messages */
foreach ($msgs as $msg) {
$source = imap_fetchheader($conn, $msg->msgno) . imap_body($conn, $msg->msgno);
print $source;
}
My answer is "overcomplete", see Boy Baukema's answer for a more straight forward "view source" way of doing if you don't need the whole structure of the email.
If you want to fetch all, you need to fetch
The headers imap_fetchheader.
Obtain the number of bodies the message has imap_fetchstructure.
Each mine-headers a body has imap_fetchmime.
Each body it has imap_fetchbody.
As mime-message can have multiple bodies, you need to process each part after the other. To reduce load to the server use the FT_PREFETCHTEXT option for imap_fetchheader. Some example code about imap_fetchstructure in another answer that shows handling the imap connection and iterating over parts of a message already through encapsulation.
A common mistake is to use "\n" or PHP_EOL.
According to RFC RFC821, RFC2060, RFC1939 "\r\n" should be used.
While some mailserver auto convert that mistakes, Cyrus does not and throw a nice error.
PHP_EOL is a system depending constant, it's "\n" on Linux, "\r" on Mac and "\r\n" on Windows, for example.
Furthermore imap_fetchheader() contains the trailing "\r\n" as expected. So the correct example would be:
$source = imap_fetchheader($conn, $msg->msgno) . imap_body($conn, $msg->msgno);
Related
I am feeling a bit awkward, because I am generating a mail-body with PHP without escaping the variables. In HTML I am using htmlspecialchars() or similar functions, for command lines escapeshellarg(), but for mails? For example something like this:
<?php
$usercontent = $_GET['usercontent'];
mail("dummy#nowhere.tld", "My Subject", "My body with $usercontent included");
?>
What could a possible attacker do with a script like the one above and how could I protect against such an attack? Or is PHP mail() save and why?
Update
Please refer to the example:
Only the body is affected (No Headers!)
Content-Type is text/plain
Some proof to the answer would be nice
MTA is a postfix sendmail with "/usr/sbin/sendmail -t -i"
The basic e-mail message body is plain text. If you want a different type like HTML or a multipart message, you need to use the MIME extension and specify the type accordingly using Content-Type (e.g. text/html for HTML or multipart/… for a multipart message).
So from the security perspective, there is no way to inject anything harmful (at least not as per specification). Even non-ASCII characters should be handled correctly despite the lacking declaration of the used character encoding.
However, there still may be some flaws in e-mail clients which can be exploited this way. But I doubt that.
Good question. I don't believe you need to escape the body text, but I do know it's possible to add headers to a mail (like a BCC to thousands of addresses) if you allow the user to input a from address. So if you put variables in that, definitely check for newlines (\n and \r) to make sure no additional headers are added.
Think of the body of the email this way: "Mission top secret destination unknown." We may not know what kind of client will read the message, but we can guess that we do not want live, user supplied, unescaped HTML to show up in it. Since many clients read mail in HTML, the best thing to do would be to htmlentities() the user supplied e-mail body.
A method from my escaper class.
<?php
class escaper
{
public function superHtmlEntities($string)
{
return htmlentities($string, ENT_QUOTES | ENT_HTML5, 'UTF-8', true);
}
}
?>
========================================
At minimum, consider something like this and more as you do your research.
<?php
$esc = new Escaper();
$usercontent = $_GET['usercontent'];
mail("dummy#nowhere.tld", "My Subject", $esc->superHtmlEntities("My body with $usercontent included"));
?>
It is not secured against XSS atack because if your mail contains HTML someone can inject it into mail.
The good behaviour is to check and valid data which you expect to have. If I were you I would escape this string. It costs almoust nothing and you don't have to worry about consequences of not using it.
I'm facing a slight issue with an idea.
I use a chat feature within an online forum on all my computing devices. I also use it mobily, which causes slight issues of formatting, input, etc. I've had the idea to relay all the chat from a relay account to my own mobile friendly site.
I haven't started on sending messages yet, although I know how to read messages. How to output them is the issue.
I sniffed outgoing packets on my computer as the chat uses ajax. I was then able to find the following url: http://server05.ips-chat-service.com/get.php?room=xxxx&user=xxxx&access_key=xxxx
The page outputs something similar to this: ~~||~~1419344231,1,kondaxdesign,Could somebody send a quick message for me__C__ please?,,10248~~||~~1419344237,1,tom.bridges,its a iso and a vm what more do we need to know?,,10880~~||~~
That string would output this in chat: http://i.stack.imgur.com/j7CM6.png
I unfortunately don't have much knowledge on regex, or any other function that would split this. Would anybody be able to assist me on getting the 1). Name, 2). Chat Data and 3). Timestamp?
As you can see, the string is something like this: ~~||~~[timestamp],1,[name],[data],,[some integer]~~||~~
Cheers.
After reading through the string output, when somebody leaves chat, this is sent: ~~||~~1419344521,2,wegface,TIMEOUT,2_10828,0~~||~~
The beginning of the log starts with 1,224442 before the first ~~||~~.
You would first explode each record, then use str_getcsv to read the string and parse it as you want. Here is a script that does that, without any formatting on output, and I've named the variables as named in the OP that describes what they are.
I wouldn't use a regular expression to parse the string, as better functionality is available (linked above)
$string = "~~||~~1419344231,1,kondaxdesign,Could somebody send a quick message for me__C__ please?,,10248~~||~~1419344237,1,tom.bridges,its a iso and a vm what more do we need to know?,,10880~~||~~";
//Split so we have each chat record to loop around
foreach( explode("~~||~~", $string) as $segments) {
//Read the CSV properly
$chat = str_getcsv($segments);
if( count($chat) <> 6 ) { continue; } //Skip any that don't have all the data
$timestamp = $chat[0];
$name = $chat[2];
$data = $chat[3];
$some_integer = $chat[5];
echo $name .' said - '. $data .'<br />';
}
I need to send a very long link using PHP. Known problem: the link is getting broken by the e-mail clients. I've tried it with plain/text or html mails, I put the url in brackets () as proposed in other threads- nothing helps. I know about url shorteners and the possibilty of solving this problem with databases, BUT!!! It IS possible to send links with hundreds of characters; e.g. Ebay does, Amazon does... the link for comfirming the registration from stackoverflow contains more than 250 characters, so?! Looking at the source code of these mails all lines break after 76 characters by default. I've tried to do the same with PHP wordwrap. Result; the source code looks identical, but my links are broken, their links are not! Any ideas? I'd be very glad for help, cause that bothers me!!!! :)
I could solve the problem on my own. First, the special characters of the link must be encoded (e.g. Thunderbird will now accept the encoded link just like this). Second, set a line-break by default after 76 characters. To avoid that the link gets broken or won't be recognized as a link by the client program anymore, each line needs to end on "=" in order to be recombined...
<?php
$url = 'http://domainxy.com/index.php';
$ending = '?var1=gsgsdgsfgdhfjfgj&var2=sdferewerwrr&var3=jghjghjkloozzzz&var4=ghajsldahskhdhriehfsjndfnjnjjfnjsnjdfhksö&var5=öäüöü';
$ending = utf8_encode($ending);
$ending = rawurlencode($ending);
$link = wordwrap( $url . $ending, 75, "=<br />\n", true );
echo $link;
?>
/*
Encodes and devides the link like this:
http://domainxy.com/index.php%3Fvar1%3Dgsgsdgsfgdhfjfgj%26var2%3Dsdferewerw=
rr%26var3%3Djghjghjkloozzzz%26var4%3Dghajsldahskhdhriehfsjndfnjnjjfnjsnjdfh=
ks%C3%B6%26var5%3D%C3%B6%C3%A4%C3%BC%C3%B6%C3%BC
*/
I have a simple web page where I get some data from $_POST that users input: comments, usernames, etc. And I send them to email and save them on database. My problem is what when I send to email, doesn't matter what client is, I only see gibberish. I tried declaring the meta tag in the emails with all iso 88xx, utf8, windows, etc., but with no success. Also tried a million examples of htmlentities(), all leading to the same thing... plain gibberish. (Althought the source code shows different things sometimes, the plain text never changes).
Example code:
if (isset($_POST['name'])) {
$name = htmlentities($_POST['name'], ENT_QUOTES);
}
A result of mail() of $name (Don Quijóte) would be something like this "Don Quijóte".
Sorry if this is a repost but I just can't get this working.
Have you tried setting the headers, something like...
// Always set content-type when sending HTML email
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:plain/text;charset=UTF-8" . "\r\n";
mail($to,$subject,$message,$headers);
This sets the encoding to UTF-8. More here:
http://www.w3schools.com/php/func_mail_mail.asp
It is surprisingly hard to send a mail in the right way. The error you get with Don Quijote is due to the fact that your string is in utf8 but it is showed with ISO8859 encoding. (That is why you get that weird A and a small 3.
I would recomend using php mailer You can get it here
It is way simpler to setup and it will be more efficient if you at some time in the future need to send out a lot of emails. (Because mail() opens and closes the connection on each call)
Also be aware that if you are using utf-8 everything should be with utf-8. Your database should be set to utf-8. You outputs to html and so on. Every step of the way you should be sure it is utf8.
I'm using a mailto link to send e-mail with a php string variable inside it as follows:
'Would you like to E-mail stakeholders? <a class="emailLink" href="mailto:stakeholders?subject=Alert '.$ticket.'&body=Experience: %0D%0A'.$exp.'">Review and Send!</a><br><br>';
I discovered that in the e-mail client it prints it out like:
Experience:
Th Experience should contain:\r\n\r\nImpact\r\nHow to replicate\r\nComprehensive notes
So I tried:
$charactersToRemove = array("\r\n","\n","\r");
$replaceWith = "%0D%0A";
$exp = str_replace($charactersToRemove,$replaceWith,$exp);
Which doesn't seem to make a difference...Can someone tell me why? Thanks.
Can you post more of your code to show how $exp was assigned it's value?
I've edited out my answer until I can provide better help.
EDIT: Can you seriously try using "\r\n" with \" to escape "'s instead, just in case PHP is somehow localizing %0D$0A in your HTML output? What does the source of your page look like?