I have a really nice looking HTML Template that I now need to implement into my mailing system. I am currently using this to send emails:
$to = $dbuser;
$subject = "Welcome";
$from = "support#mysite.com";
$headers = "From: $from";
$server = "";
ini_set ("SMTP", $localhost);
$url="";
$msg="$url";
$body = Example Text!
mail($to, $subject, $body, $headers);
How would I include a HTML template (along side CSS) directly into the $body variable of my php email form?
I've done quite a bit of research but I can't find anything substantial.
Your missing the header required for the email client to interpret the message as HTML. Add the following to your headers:
$headers = "From: " . $from . "\r\n";
$headers .= "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
One way of doing this that I have used in the past is to create the page as you would normally (using html/php etc) and then use file_get_contents($url) like so:
$body = file_get_contents("http://mydomain.com/emailtemplates/template.php?name=John Doe&subject=Hello");
Because you are using http:// the php is executed rather than pulled into the template, simple but effective!
I also would advise you to use inline css and don't be afraid to use tables!
http://php.net/manual/en/function.mail.php - example #5
also remember that in HTML emails you're strongly advised to use inline CSS and old-school HTML formatting where possible to assure maximum compatibility with different email clients. Also no divs - just plain old good table-s
First of all you need to add some headers, in order for the HTML to display correctly.
Taken from the mail() PHP documentation, this is how you do it:
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
After that, I'm assuming $body is where the text should be, so it's a matter of putting all the HTML between quotation marks (escaping every quotation mark in your HTML with a backwards slash), and that's pretty much it.
I wrote this for myself yesterday:
Create your html and put it in a file named "./email.html" Copy and
paste the code below to a php file in the same dir as the html file.
Modify the image names if you use them in the HTML just do so like so: src="cid:world.jpg"
And thats it...I think. =)
//attachment file paths/names
$files[0] = './world.jpg';
$files[1] = './world2.jpg';
$to = '';
$bcc = "";
$subject = '';
$from = "";
$htmlx = '';
$handle = #fopen("./email.html", "r");
if ($handle) {
while (($buffer = fgets($handle, 4096)) !== false) {
$htmlx .= $buffer;
}
if (!feof($handle)) {
echo "Error: unexpected fgets() fail\n";
}
fclose($handle);
}
$semi_rand = md5(time());
$mime_boundary = "==Multipart_Boundary_x".$semi_rand."x";
$headers = "From: $from \n";
$headers .= "Reply-To: $from \n";
$headers .= 'Bcc: '. $bcc . "\n";
$headers .= "MIME-Version: 1.0\n" . "Content-Type: multipart/mixed;\n" . ' boundary="'.$mime_boundary.'"'."\n";
$headers .= "X-Author: <Timothy Martens>\n";
$message = '--'.$mime_boundary."\n";
$message .= 'Content-Type: text/html; charset=UTF-8'."\n";
$message .= "Content-Transfer-Encoding: 7bit\n\n\n". $htmlx . "\n\n\n";
// preparing attachments
for($i=0;$i<count($files);$i++){
if(is_file($files[$i])){
$message .= "--".$mime_boundary."\n";
$fp = #fopen($files[$i],"rb");
$data = #fread($fp,filesize($files[$i]));
#fclose($fp);
$data = chunk_split(base64_encode($data));
$message .= "Content-Type: application/octet-stream; name=\"".basename($files[$i])."\"\n" .
"Content-Description: ".basename($files[$i])."\n" .
"Content-ID: <".basename($files[$i]).">\n".
"Content-Disposition: attachment;\n" . " filename=\"".basename($files[$i])."\"; size=".filesize($files[$i]).";\n" .
"Content-Transfer-Encoding: base64\n\n" . $data . "\n\n";
}
}
$message .= "--".$mime_boundary."--";
if (mail($to, $subject, $message, $headers)) {
echo 'Your message has been sent.'."\n";
} else {
echo 'There was a problem sending the email.'."\n";
}
Related
Suddenly have started receiving the above error without any changes having been made to the script.
Host is 1and1 (I know...)
The script still works fine on a different server, and so my suspicion is that there must have been some server config change that has lead to this, although the hosts plead ignorance.
There's no information on the above error at all in Google that I can find - does anybody have any ideas? Server is running Apache if that helps.
Had just the similar problem.
It came out of the blue. No PHP Code was changed.
What was changed: PHP was upgraded 5.5.25-1 to 5.5.26.
A security risk in PHP mail() function has been fixed and extra newlines in additional_headers are allowed no more. Because extra newlines mean: now starts the email message (and we surely don't want somebody to inject some newlines through headers followed by an evil message).
What previously have worked fine, e.g. just having extra newlines after headers or even passing the whole message to additional_headers, will function no more.
Solution:
Sanitize your headers. No multiple newlines in additional_headers argument. These count as "multiple or malformed newlines": \r\r, \r\0, \r\n\r\n, \n\n, \n\0.
Use additional_headers for headers only. Email message (multipart or not, with ir without attachments, etc) belongs in message argument, not in headers.
PHP Security Bug report: https://bugs.php.net/bug.php?id=68776
C Code diff how its fixed: http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/standard/mail.c;h=448013a472a3466245e64b1cb37a9d1b0f7c007e;hp=1ebc8fecb7ef4c266a341cdc701f0686d6482242;hb=9d168b863e007c4e15ebe4d2eecabdf8b0582e30;hpb=eee8b6c33fc968ef8c496db8fb54e8c9d9d5a8f9
None of the above answers solved this problem for me. So, I expanded my search to "mail with attachment and HTML message issues." Piecing together info from a few different posts, I came up with this. It allows for BOTH HTML email and an attachment.
My original header code:
$header = "From: ".$from_name." <".$from_mail.">\r\n";
$header .= "Reply-To: ".$replyto."\r\n";
$header .= "MIME-Version: 1.0\r\n";
$header .= "Content-Type: multipart/mixed; boundary=\"".$uid."\"\r\n";
$header .= "--".$uid."\r\n";
$header .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n";
$header .= $body."\r\n";
$header .= "--".$uid."\r\n";
$header .= "Content-Type: application/pdf; name=\"".$filename."\"\r\n";
$header .= "Content-Transfer-Encoding: base64\r\n";
$header .= "Content-Disposition: attachment; filename=\"".$filename."\"\r\n";
$header .= $content."\r\n";
$header .= "--".$uid."--";
if (mail($mail_to, $subject, "", $header))
{
return "mail_success";
}
else
{
return "mail_error";
}
My new code (complete):
Note that $body is the HTML that is being assembled by a different function.
$file = $path.$filename;
$file_size = filesize($file);
$handle = fopen($file, "r");
$content = fread($handle, $file_size);
fclose($handle);
$content = chunk_split(base64_encode($content));
$uid = md5(uniqid(time()));
$name = basename($file);
$eol = PHP_EOL;
// Basic headers
$header = "From: ".$from_name." <".$from_mail.">".$eol;
$header .= "Reply-To: ".$replyto.$eol;
$header .= "MIME-Version: 1.0\r\n";
$header .= "Content-Type: multipart/mixed; boundary=\"".$uid."\"";
// Put everything else in $message
$message = "--".$uid.$eol;
$message .= "Content-Type: text/html; charset=ISO-8859-1".$eol;
$message .= "Content-Transfer-Encoding: 8bit".$eol.$eol;
$message .= $body.$eol;
$message .= "--".$uid.$eol;
$message .= "Content-Type: application/pdf; name=\"".$filename."\"".$eol;
$message .= "Content-Transfer-Encoding: base64".$eol;
$message .= "Content-Disposition: attachment; filename=\"".$filename."\"".$eol;
$message .= $content.$eol;
$message .= "--".$uid."--";
if (mail($mail_to, $subject, $message, $header))
{
return "mail_success";
}
else
{
return "mail_error";
}
Two key changes here. (1) removed all the multi-part stuff from the headers into $message. (2) removed all the "\r\n" stuff and added $eol = PHP_EOL; to the code.
Together, these changes allowed me to once again send HTML email with attachments.
Had the same problem:
Removed the mime boundary and message from the header and all worked.
$header = "From: ".$from_name." <".$from_mail.">\n";
$header .= "Reply-To: ".$replyto."\n";
$header .= "MIME-Version: 1.0\n";
$header .= "Content-Type: multipart/mixed; boundary=\"".$uid."\"\n\n";
$emessage= "--".$uid."\n";
$emessage.= "Content-type:text/plain; charset=iso-8859-1\n";
$emessage.= "Content-Transfer-Encoding: 7bit\n\n";
$emessage .= $message."\n\n";
$emessage.= "--".$uid."\n";
$emessage .= "Content-Type: application/octet-stream; name=\"".$filename."\"\n"; // use different content types here
$emessage .= "Content-Transfer-Encoding: base64\n";
$emessage .= "Content-Disposition: attachment; filename=\"".$filename."\"\n\n";
$emessage .= $content."\n\n";
$emessage .= "--".$uid."--";
mail($mailto,$subject,$emessage,$header);
None of the above fixed it for me - main issue is you must not put anything other than header definitions in headers. Old scripts bunged anything in there. So move any text or attachments that were stuffed in to headers into the message body. Makes sense..
This has an explanation
(I guess it's same solution as Frank's above plus Davisca's "no double new lines" - but you need doubled new lines for attachments)
This will solve your problem. I have changed a little bit of Frank's code. This code will support attachment and html.
<?php
$filename = "certificate.jpg";
$path = "/home/omnibl/subdomains/test/certificate/certimage/";
$file = $path . $filename;
$file_size = filesize($file);
$handle = fopen($file, "r");
$content = fread($handle, $file_size);
fclose($handle);
$content = chunk_split(base64_encode($content));
$uid = md5(uniqid(time()));
$name = basename($file);
$eol = PHP_EOL;
$subject = "Mail Out Certificate";
$message = '<h1>Hi i m mashpy</h1>';
$from_name = "mail#example.com";
$from_mail = "mail#example.com";
$replyto = "mail#example.com";
$mailto = "mail#example.com";
$header = "From: " . $from_name . " <" . $from_mail . ">\n";
$header .= "Reply-To: " . $replyto . "\n";
$header .= "MIME-Version: 1.0\n";
$header .= "Content-Type: multipart/mixed; boundary=\"" . $uid . "\"\n\n";
$emessage = "--" . $uid . "\n";
$emessage .= "Content-type:text/html; charset=iso-8859-1\n";
$emessage .= "Content-Transfer-Encoding: 7bit\n\n";
$emessage .= $message . "\n\n";
$emessage .= "--" . $uid . "\n";
$emessage .= "Content-Type: application/octet-stream; name=\"" . $filename . "\"\n"; // use different content types here
$emessage .= "Content-Transfer-Encoding: base64\n";
$emessage .= "Content-Disposition: attachment; filename=\"" . $filename . "\"\n\n";
$emessage .= $content . "\n\n";
$emessage .= "--" . $uid . "--";
mail($mailto, $subject, $emessage, $header);
Another scenario that brings the same new error is if you are not sending any headers to the "mail" command. It used to just use a default, and now gives the misleading error: "Multiple or malformed newlines found in additional_header".
Can be fixed by adding this:
$header = "From: ".$from_name." <".$from_mail.">\n";
$header .= "Reply-To: ".$replyto."\n";
$header .= "MIME-Version: 1.0\n";
...
mail($mailto,$subject,$emessage,$header);
my PHP version - 5.4.43,
probably contains Fixed bug #68776.
googling to the same error showed [http://fossies.org/diffs/php/5.4.42_vs_5.4.43/ext/standard/mail.c-diff.html]
=> I cannot use empty strings as mail() parameters.
my old code:
$headers = 'From: ' . $frm . "\r\n";
$headers .= 'To: ' . $contactEmail . "\r\n";
if ( $flag ) {
$headers .= 'To: ' . $contactEmail2 . "\r\n";
}
$headers .= 'Cc: ' . $contactEmailCc . "\r\n";
$headers .= 'Bcc: ' . $contactEmailBcc . "\r\n";
$headers .= 'Return-Path: ' . $frm . "\r\n";
$headers .= 'MIME-Version: 1.0' ."\r\n";
$headers .= 'Content-Type: text/HTML; charset=ISO-8859-1' . "\r\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\r\n";
$headers .= $htmlText . "\r\n";
if (!mail('', $strSubject, '', $headers)) { // !!! note the empty parameters.
my new code:
$headers = 'From: ' . $frm . "\r\n";
// note: no "To: " !!!
$headers .= 'Cc: ' . $contactEmailCc . "\r\n";
$headers .= 'Bcc: ' . $contactEmailBcc . "\r\n";
$headers .= 'Return-Path: ' . $frm . "\r\n";
$headers .= 'MIME-Version: 1.0' ."\r\n";
$headers .= 'Content-Type: text/HTML; charset=ISO-8859-1' . "\r\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\r\n";
// note: no $htmlText !!!
// note: new parameters:
$mTo = $contactEmail;
if ( $flag ) {
$mTo .= ', ' . $contactEmail2;
}
$mMessage .= $htmlText . "\r\n";
if (!mail($mTo, $strSubject, $mMessage, $headers)) {
You may be running into Bug #69874 Can't set empty additional_headers for mail() if you haven't done anything stupid (i.e. forgot to sanitize the headers).
Test for the bug
$ php -d display_errors=1 -d display_startup_errors=1 -d error_reporting=30719 -r 'mail("test#email.com","Subject Here", "Message Here",NULL);'
Warning: mail(): Multiple or malformed newlines found in additional_header in Command line code on line 1
Alternately if you know your PHP version (hint: php -v) you can check the changelog for the bug number (69874) to see whether the fix has been applied for your version.
A short-term fix is to replace calls to mail() like this
function fix_mail( $to , $subject , $message , $additional_headers =NULL, $additional_parameters=NULL ) {
$to=filter_var($to, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES| FILTER_FLAG_STRIP_LOW| FILTER_FLAG_STRIP_HIGH);
$subject=filter_var($subject, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES| FILTER_FLAG_STRIP_LOW| FILTER_FLAG_STRIP_HIGH);
if (!$additional_headers)
return mail( $to , $subject , $message );
if (!$additional_parameters)
return mail( $to , $subject , $message , $additional_headers );
return mail( $to , $subject , $message , $additional_headers, $additional_parameters );
}
Incase this helps anyone, I am using PHP 5.6 and an old code igniter v1 email library
email.php: line 1510 - I've added this:
$this->_header_str = str_replace("\r\r","",$this->_header_str);
$this->_header_str = str_replace("\r\0","",$this->_header_str);
$this->_header_str = str_replace("\r\n\r\n","",$this->_header_str);
$this->_header_str = str_replace("\n\n","",$this->_header_str);
$this->_header_str = str_replace("\n\0","",$this->_header_str);
above this line:
if ( ! mail($this->_recipients, $this->_subject, $this->_finalbody, $this->_header_str, "-f ".$this->clean_email($this->_headers['Return-Path'])))
return FALSE;
else
return TRUE;
And that is successfully sanitising the email headers and resolving the error that I was receiving (same as the original poster of this question)
This is quite possibly someone trying to take advantage of your code to inject email headers.
http://resources.infosecinstitute.com/email-injection/
I would suggest you examine access logs etc and look for unusual activity. The fact you are getting error messages hopefully means that your script has not been compromised and it is erroring out instead. You need to make sure though.
Suddenly have started receiving the above error without any changes having been made to the script.
Host is 1and1 (I know...)
The script still works fine on a different server, and so my suspicion is that there must have been some server config change that has lead to this, although the hosts plead ignorance.
There's no information on the above error at all in Google that I can find - does anybody have any ideas? Server is running Apache if that helps.
Had just the similar problem.
It came out of the blue. No PHP Code was changed.
What was changed: PHP was upgraded 5.5.25-1 to 5.5.26.
A security risk in PHP mail() function has been fixed and extra newlines in additional_headers are allowed no more. Because extra newlines mean: now starts the email message (and we surely don't want somebody to inject some newlines through headers followed by an evil message).
What previously have worked fine, e.g. just having extra newlines after headers or even passing the whole message to additional_headers, will function no more.
Solution:
Sanitize your headers. No multiple newlines in additional_headers argument. These count as "multiple or malformed newlines": \r\r, \r\0, \r\n\r\n, \n\n, \n\0.
Use additional_headers for headers only. Email message (multipart or not, with ir without attachments, etc) belongs in message argument, not in headers.
PHP Security Bug report: https://bugs.php.net/bug.php?id=68776
C Code diff how its fixed: http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/standard/mail.c;h=448013a472a3466245e64b1cb37a9d1b0f7c007e;hp=1ebc8fecb7ef4c266a341cdc701f0686d6482242;hb=9d168b863e007c4e15ebe4d2eecabdf8b0582e30;hpb=eee8b6c33fc968ef8c496db8fb54e8c9d9d5a8f9
None of the above answers solved this problem for me. So, I expanded my search to "mail with attachment and HTML message issues." Piecing together info from a few different posts, I came up with this. It allows for BOTH HTML email and an attachment.
My original header code:
$header = "From: ".$from_name." <".$from_mail.">\r\n";
$header .= "Reply-To: ".$replyto."\r\n";
$header .= "MIME-Version: 1.0\r\n";
$header .= "Content-Type: multipart/mixed; boundary=\"".$uid."\"\r\n";
$header .= "--".$uid."\r\n";
$header .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n";
$header .= $body."\r\n";
$header .= "--".$uid."\r\n";
$header .= "Content-Type: application/pdf; name=\"".$filename."\"\r\n";
$header .= "Content-Transfer-Encoding: base64\r\n";
$header .= "Content-Disposition: attachment; filename=\"".$filename."\"\r\n";
$header .= $content."\r\n";
$header .= "--".$uid."--";
if (mail($mail_to, $subject, "", $header))
{
return "mail_success";
}
else
{
return "mail_error";
}
My new code (complete):
Note that $body is the HTML that is being assembled by a different function.
$file = $path.$filename;
$file_size = filesize($file);
$handle = fopen($file, "r");
$content = fread($handle, $file_size);
fclose($handle);
$content = chunk_split(base64_encode($content));
$uid = md5(uniqid(time()));
$name = basename($file);
$eol = PHP_EOL;
// Basic headers
$header = "From: ".$from_name." <".$from_mail.">".$eol;
$header .= "Reply-To: ".$replyto.$eol;
$header .= "MIME-Version: 1.0\r\n";
$header .= "Content-Type: multipart/mixed; boundary=\"".$uid."\"";
// Put everything else in $message
$message = "--".$uid.$eol;
$message .= "Content-Type: text/html; charset=ISO-8859-1".$eol;
$message .= "Content-Transfer-Encoding: 8bit".$eol.$eol;
$message .= $body.$eol;
$message .= "--".$uid.$eol;
$message .= "Content-Type: application/pdf; name=\"".$filename."\"".$eol;
$message .= "Content-Transfer-Encoding: base64".$eol;
$message .= "Content-Disposition: attachment; filename=\"".$filename."\"".$eol;
$message .= $content.$eol;
$message .= "--".$uid."--";
if (mail($mail_to, $subject, $message, $header))
{
return "mail_success";
}
else
{
return "mail_error";
}
Two key changes here. (1) removed all the multi-part stuff from the headers into $message. (2) removed all the "\r\n" stuff and added $eol = PHP_EOL; to the code.
Together, these changes allowed me to once again send HTML email with attachments.
Had the same problem:
Removed the mime boundary and message from the header and all worked.
$header = "From: ".$from_name." <".$from_mail.">\n";
$header .= "Reply-To: ".$replyto."\n";
$header .= "MIME-Version: 1.0\n";
$header .= "Content-Type: multipart/mixed; boundary=\"".$uid."\"\n\n";
$emessage= "--".$uid."\n";
$emessage.= "Content-type:text/plain; charset=iso-8859-1\n";
$emessage.= "Content-Transfer-Encoding: 7bit\n\n";
$emessage .= $message."\n\n";
$emessage.= "--".$uid."\n";
$emessage .= "Content-Type: application/octet-stream; name=\"".$filename."\"\n"; // use different content types here
$emessage .= "Content-Transfer-Encoding: base64\n";
$emessage .= "Content-Disposition: attachment; filename=\"".$filename."\"\n\n";
$emessage .= $content."\n\n";
$emessage .= "--".$uid."--";
mail($mailto,$subject,$emessage,$header);
None of the above fixed it for me - main issue is you must not put anything other than header definitions in headers. Old scripts bunged anything in there. So move any text or attachments that were stuffed in to headers into the message body. Makes sense..
This has an explanation
(I guess it's same solution as Frank's above plus Davisca's "no double new lines" - but you need doubled new lines for attachments)
This will solve your problem. I have changed a little bit of Frank's code. This code will support attachment and html.
<?php
$filename = "certificate.jpg";
$path = "/home/omnibl/subdomains/test/certificate/certimage/";
$file = $path . $filename;
$file_size = filesize($file);
$handle = fopen($file, "r");
$content = fread($handle, $file_size);
fclose($handle);
$content = chunk_split(base64_encode($content));
$uid = md5(uniqid(time()));
$name = basename($file);
$eol = PHP_EOL;
$subject = "Mail Out Certificate";
$message = '<h1>Hi i m mashpy</h1>';
$from_name = "mail#example.com";
$from_mail = "mail#example.com";
$replyto = "mail#example.com";
$mailto = "mail#example.com";
$header = "From: " . $from_name . " <" . $from_mail . ">\n";
$header .= "Reply-To: " . $replyto . "\n";
$header .= "MIME-Version: 1.0\n";
$header .= "Content-Type: multipart/mixed; boundary=\"" . $uid . "\"\n\n";
$emessage = "--" . $uid . "\n";
$emessage .= "Content-type:text/html; charset=iso-8859-1\n";
$emessage .= "Content-Transfer-Encoding: 7bit\n\n";
$emessage .= $message . "\n\n";
$emessage .= "--" . $uid . "\n";
$emessage .= "Content-Type: application/octet-stream; name=\"" . $filename . "\"\n"; // use different content types here
$emessage .= "Content-Transfer-Encoding: base64\n";
$emessage .= "Content-Disposition: attachment; filename=\"" . $filename . "\"\n\n";
$emessage .= $content . "\n\n";
$emessage .= "--" . $uid . "--";
mail($mailto, $subject, $emessage, $header);
Another scenario that brings the same new error is if you are not sending any headers to the "mail" command. It used to just use a default, and now gives the misleading error: "Multiple or malformed newlines found in additional_header".
Can be fixed by adding this:
$header = "From: ".$from_name." <".$from_mail.">\n";
$header .= "Reply-To: ".$replyto."\n";
$header .= "MIME-Version: 1.0\n";
...
mail($mailto,$subject,$emessage,$header);
my PHP version - 5.4.43,
probably contains Fixed bug #68776.
googling to the same error showed [http://fossies.org/diffs/php/5.4.42_vs_5.4.43/ext/standard/mail.c-diff.html]
=> I cannot use empty strings as mail() parameters.
my old code:
$headers = 'From: ' . $frm . "\r\n";
$headers .= 'To: ' . $contactEmail . "\r\n";
if ( $flag ) {
$headers .= 'To: ' . $contactEmail2 . "\r\n";
}
$headers .= 'Cc: ' . $contactEmailCc . "\r\n";
$headers .= 'Bcc: ' . $contactEmailBcc . "\r\n";
$headers .= 'Return-Path: ' . $frm . "\r\n";
$headers .= 'MIME-Version: 1.0' ."\r\n";
$headers .= 'Content-Type: text/HTML; charset=ISO-8859-1' . "\r\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\r\n";
$headers .= $htmlText . "\r\n";
if (!mail('', $strSubject, '', $headers)) { // !!! note the empty parameters.
my new code:
$headers = 'From: ' . $frm . "\r\n";
// note: no "To: " !!!
$headers .= 'Cc: ' . $contactEmailCc . "\r\n";
$headers .= 'Bcc: ' . $contactEmailBcc . "\r\n";
$headers .= 'Return-Path: ' . $frm . "\r\n";
$headers .= 'MIME-Version: 1.0' ."\r\n";
$headers .= 'Content-Type: text/HTML; charset=ISO-8859-1' . "\r\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\r\n";
// note: no $htmlText !!!
// note: new parameters:
$mTo = $contactEmail;
if ( $flag ) {
$mTo .= ', ' . $contactEmail2;
}
$mMessage .= $htmlText . "\r\n";
if (!mail($mTo, $strSubject, $mMessage, $headers)) {
You may be running into Bug #69874 Can't set empty additional_headers for mail() if you haven't done anything stupid (i.e. forgot to sanitize the headers).
Test for the bug
$ php -d display_errors=1 -d display_startup_errors=1 -d error_reporting=30719 -r 'mail("test#email.com","Subject Here", "Message Here",NULL);'
Warning: mail(): Multiple or malformed newlines found in additional_header in Command line code on line 1
Alternately if you know your PHP version (hint: php -v) you can check the changelog for the bug number (69874) to see whether the fix has been applied for your version.
A short-term fix is to replace calls to mail() like this
function fix_mail( $to , $subject , $message , $additional_headers =NULL, $additional_parameters=NULL ) {
$to=filter_var($to, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES| FILTER_FLAG_STRIP_LOW| FILTER_FLAG_STRIP_HIGH);
$subject=filter_var($subject, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES| FILTER_FLAG_STRIP_LOW| FILTER_FLAG_STRIP_HIGH);
if (!$additional_headers)
return mail( $to , $subject , $message );
if (!$additional_parameters)
return mail( $to , $subject , $message , $additional_headers );
return mail( $to , $subject , $message , $additional_headers, $additional_parameters );
}
Incase this helps anyone, I am using PHP 5.6 and an old code igniter v1 email library
email.php: line 1510 - I've added this:
$this->_header_str = str_replace("\r\r","",$this->_header_str);
$this->_header_str = str_replace("\r\0","",$this->_header_str);
$this->_header_str = str_replace("\r\n\r\n","",$this->_header_str);
$this->_header_str = str_replace("\n\n","",$this->_header_str);
$this->_header_str = str_replace("\n\0","",$this->_header_str);
above this line:
if ( ! mail($this->_recipients, $this->_subject, $this->_finalbody, $this->_header_str, "-f ".$this->clean_email($this->_headers['Return-Path'])))
return FALSE;
else
return TRUE;
And that is successfully sanitising the email headers and resolving the error that I was receiving (same as the original poster of this question)
This is quite possibly someone trying to take advantage of your code to inject email headers.
http://resources.infosecinstitute.com/email-injection/
I would suggest you examine access logs etc and look for unusual activity. The fact you are getting error messages hopefully means that your script has not been compromised and it is erroring out instead. You need to make sure though.
Just to be clear - I didn't write this code, this is from a previous developer.
Anyway, my client isn't receiving images when uploaded via their form, just a red box with an error message.
As per request here is the whole code:
<?php
function sendMail() {
if (!isset ($_POST['to_email'])) { //Oops, forgot your email addy!
die ("<p>Oops! You forgot to fill out the email address! Click on the back arrow to go back</p>");
}
else {
$to_name = stripslashes($_POST['to_name']);
$from_name = stripslashes($_POST['from_name']);
$from_telephone = stripslashes($_POST['from_telephone']);
$subject = stripslashes($_POST['subject']);
$body = stripslashes($_POST['body']);
$address = stripslashes($_POST['address']);
$to_email = $_POST['to_email'];
$attachment = $_FILES['attachment']['tmp_name'];
$attachment_name = $_FILES['attachment']['name'];
if (is_uploaded_file($attachment)) { //Do we have a file uploaded?
$fp = fopen($attachment, "rb"); //Open it
$data = fread($fp, filesize($attachment)); //Read it
$data = chunk_split(base64_encode($data)); //Chunk it up and encode it as base64 so it can emailed
fclose($fp);
}
//Let's start our headers
$headers = "From: $from_name<" . $_POST['from_email'] . ">\n";
$headers .= "Reply-To: <" . $_POST['from_email'] . ">\n";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-Type: multipart/related; type=\"multipart/alternative\"; boundary=\"----=MIME_BOUNDRY_main_message\"\n";
$headers .= "X-Sender: $from_name<" . $_POST['from_email'] . ">\n";
$headers .= "X-Mailer: PHP4\n";
$headers .= "X-Priority: 3\n"; //1 = Urgent, 3 = Normal
$headers .= "Return-Path: <" . $_POST['from_email'] . ">\n";
$headers .= "This is a multi-part message in MIME format.\n";
$headers .= "------=MIME_BOUNDRY_main_message \n";
$headers .= "Content-Type: multipart/alternative; boundary=\"----=MIME_BOUNDRY_message_parts\"\n";
$message = "------=MIME_BOUNDRY_message_parts\n";
$message .= "Content-Type: text/plain; charset=\"iso-8859-1\"\n";
$message .= "Content-Transfer-Encoding: quoted-printable\n";
$message .= "\n";
/* Add our message, in this case it's plain text. You could also add HTML by changing the Content-Type to text/html */
$message .= "Return call on: $from_telephone\n\n";
$message .= "$address\n\n";
$message .= "$body\n";
$message .= "\n";
$message .= "------=MIME_BOUNDRY_message_parts--\n";
$message .= "\n";
$message .= "------=MIME_BOUNDRY_main_message\n";
$message .= "Content-Type: application/octet-stream;\n\tname=\"" . $attachment_name . "\"\n";
$message .= "Content-Transfer-Encoding: base64\n";
$message .= "Content-Disposition: attachment;\n\tfilename=\"" . $attachment_name . "\"\n\n";
$message .= $data; //The base64 encoded message
$message .= "\n";
$message .= "------=MIME_BOUNDRY_main_message--\n";
// send the message
mail("$to_name<$to_email>", $subject, $message, $headers);
print "<p align=\"center\">Thank you for your email.</p>";
}
}
switch ($action) {
case "send":
showForm();
sendMail();
break;
default:
showForm();
}
?>
I'm completely confused by this code as I didn't write it and can't decrypt why "$attachment" and "$attachment_name" are separate strings, if I change the "attachment_name" to "attachment" will my problems be fixed?
The code that you have seems to work for me, but there are a few potential problems. I think perhaps the most important one is that the image is sent using an incorrect Content-Type:, but there are also some other issues detailed below.
Image type
$message .= "Content-Type: application/octet-stream;\n\tname=\"" . $attachment_name . "\"\n";
The application/octet-stream is used as a last resort for sending arbitrary binary data when there is no appropriate content type, or the content type is unknown. You should use a proper image type:
$message .= "Content-Type: " . $_FILES['attachement']['type']
. ";\n\tname=\"" . $attachment_name . "\"\n";
If you want to prevent users from mailing arbitrary files, you can use a white-list:
if (is_uploaded_file($attachment) &&
in_array ($attachment_type, array ('image/gif', 'image/png', 'image/jpg', 'image/jpeg'))) {
$fp = fopen($attachment, "rb"); //Open it
$data = fread($fp, filesize($attachment)); //Read it
$data = chunk_split(base64_encode($data)); //Chunk it up and encode it as base64 so it can emailed
fclose ($fp);
} else {
echo "<p>Useful error message\n";
exit;
}
MIME syntax
$headers .= "X-Priority: 3\n"; //1 = Urgent, 3 = Normal
$headers .= "Return-Path: <" . $_POST['from_email'] . ">\n";
$headers .= "This is a multi-part message in MIME format.\n";
The Return-Path: is the last of your headers. The next line is part of the message body. You need a blank line to separate the message body from the headers. Eg:
$headers .= "Return-Path: <" . $_POST['from_email'] . ">\n";
$headers .= "\n";
$headers .= "This is a multi-part message in MIME format.\n";
Personally, I would add the message body to $message instead. The mail() function doesn't care, it just concatenates the headers and message with a line break. See more about line endings below.
$headers .= "------=MIME_BOUNDRY_main_message \n";
$headers .= "Content-Type: multipart/alternative; boundary=\"----=MIME_BOUNDRY_message_parts\"\n";
$message = "------=MIME_BOUNDRY_message_parts\n";
Note that if you do move some of the lines above to $message, you need to insert an extra line break after the Content-Type: header.
$attachment = $_FILES['attachment']['tmp_name'];
$attachment_name = $_FILES['attachment']['name'];
...
$message .= "Content-Disposition: attachment;\n\tfilename=\"" . $attachment_name . "\"\n\n";
$attachment_name is sent by the browser and is typically the original name of the file uploaded by the user. $attachment is the name of the temporary file where the image is stored on the server. The two are entirely different and are not interchangeable.
You may want to strip control characters (such as line breaks) and double quotes from these variables to prevent malicious users from disrupting the syntax of the headers.
Line endings
According to the Mail syntax, lines should be terminated with a CRLF("\r\n") sequence, but it is not clear which line ending should be used when calling the mail() function. The PHP documentation says:
If messages are not received, try using a LF (\n) only. Some Unix mail transfer agents (most notably » qmail) replace LF by CRLF automatically (which leads to doubling CR if CRLF is used). This should be a last resort, as it does not comply with » RFC 2822.
$_POST[] data
You should not use raw data from $_POST[] in your mail headers. A malicious user could easily insert their own headers (such as Bcc:) to send spam to arbitrary addresses. You should at least filter out control characters (such as line breaks) and perhaps also filter or escape angle brackets and double quotes depending on usage.
I have the following function for sending an email:
function send_email($email){
$subject = "TITLE";
$message = "HERE IS THE MESSAGE";
// Always set content-type when sending HTML email
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
// More headers
$headers .= 'From: <emaily>' . "\r\n";
mail($email,$subject,$message,$headers);
}
Instead of $message being a string, I want to call in the file email.html which holds my template.
I have added this:
require 'email.html';
But how can I call in the file?
$message = [call in email.html here]
Require is used when you want to call functions within another php file, or when you want to include some data to an HTTP response.
For this problem, file_get_contents('email.html') is the preferred option. This would be the method I would use:
function send_email($email){
$subject = "Subject of your email";
$message = "";
if(file_exists("email_template.html")){
$message = file_get_contents('email_template.html');
$parts_to_mod = array("part1", "part2");
$replace_with = array($value1, $value2);
for($i=0; $i<count($parts_to_mod); $i++){
$message = str_replace($parts_to_mod[$i], $replace_with[$i], $message);
}
}else{
$message = "Some Default Message";
/* this likely won't ever be called, but it's good to have error handling */
}
// Always set content-type when sending HTML email
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
// More headers
$headers .= 'From: <doNotReply#myDomain.com>' . "\r\n";
$headers .= "To: <$email>\r\n";
$header .= "Reply-To: doNotReply#myDomain.com\r\n";
mail($email,$subject,$message,$headers);
}
I modified your code a little bit and added in both the file_get_contents and file_exists. file_exists confirms that the file is there. If it's not, it avoids the potential error from trying to read it in and can be changed to use some default. My next addition was a for loop. In the $parts_to_mod array, enter in the default values from the template that need to be replaced. In the $replace_with array, put in the unique values that you want to replace parts of the template with.
As an example where I use this, I have a template URL for one of my programs that says id=IDENTIFIER&hash=THEHASH so in my program, my parts_to_mod says $parts_to_mod = array("IDENTIFIER", "THEHASH"); and my replace_with says $replace_with = array($theUsersIdentifier, $theUsersHash);. It then enters the for-loop and replaces the those values in parts_to_modify with the values in replace_with.
Simple concepts and they make your code much shorter and easier to maintain.
Edit:
Here is some sample code:
Let's the say the template is:
<span>Dear PUTNAMEHERE,</span><br>
<div>PUTMESSAGEHERE</div>
<div>Sincerely,<br>PUTSENDERHERE</div>
So, in your php code you'd say:
$parts_to_mod = array("PUTNAMEHERE", "PUTMESSAGEHERE", "PUTSENDERHERE");
$replace_with = array($name, $theBodyOfYourEmail, $whoYouAre);
just use file_get_contents('email.html') This method returns a string with the file contents
You can use this function to call custom email template.
function email($fields = array(),$name_file, $from, $to) {
if(!empty($name_file)) {
$mail_tem_path = 'templates/mails/mail--'.$name_file.'.php'; //change path of files and type file.
if(file_exists($mail_tem_path)) {
$headers = "MIME-Version: 1.0". "\r\n";
$headers .= "Content-Type: text/html;charset=UTF-8". "\r\n";
// Additional headers
$headers .= "From:".$fields["subject_from"]." <$from>". "\r\n";
$headers .= "Content-Transfer-Encoding: 8Bit". "\r\n";
$message = file_get_contents($mail_tem_path);
$message = preg_replace("/\"/", "'", $message);
foreach ($fields as $field) {
// Replace the % with the actual information
$message = str_replace('%'.$field["name"].'%', $field["value"], $message);
}
$send = mail($to, $fields["subject"], $message, $headers);
} else {
$send = mail($to, "Error read mail template", "Contact with admin to repair this action.");
}
} else {
$send = mail($to, "Error no exist mail template", "Contact with admin to repair this action.");
}
return $send;
}
Template html
<html>
<body>
TODO write content %value_on_array%
</body>
</html>
Array and execute function.
$fields = array(
"subject" => "tienda_seller_subject",
"subject_from" => "tienda_email_subject_from",
0 => array(
"name" => "value_on_array",
"value" => "result before change"
),
);
//email($fields = array(),$name_file, $from, $to);
email($fields, 'admin', 'owner#email.com', 'client#email.com');
Result
I'm trying to email an image on my server as an attachment. To accomplish this task, I used the following PHP script which grabs a JPG (called "php.jpg") located in a directory called "screenshots" from my server and sends it as an attachment.
<?php
$path = "screenshots/php.jpg";
$fp = fopen($path, 'r');
do //we loop until there is no data left
{
$data = fread($fp, 8192);
if (strlen($data) == 0) break;
$content .= $data;
} while (true);
$content_encode = chunk_split(base64_encode($content));
$mime_boundary = "<<<--==+X[".md5(time())."]";
$headers .= "From: Automatic <an.e.mail#domain.net>\r\n";
$headers .= "To: SomeName <me#gmail.com>\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: multipart/mixed;\r\n";
$headers .= " boundary=\"".$mime_boundary."\"";
$message .= "This is a multi-part message in MIME format.\r\n";
$message .= "\r\n";
$message .= "--".$mime_boundary."\r\n";
$message .= "Content-Type: text/plain; charset=\"iso-8859-1\"\r\n";
$message .= "Content-Transfer-Encoding: 7bit\r\n";
$message .= "\r\n";
$message .= "Email content and what not: \r\n";
$message .= "This is the file you asked for! \r\n";
$message .= "--".$mime_boundary."\r\n";
$message .= "Content-Type: image/jpeg;\r\n";
$message .= " name=\"php.jpg\"\r\n";
$message .= "Content-Transfer-Encoding: quoted-printable\r\n";
$message .= "Content-Disposition: attachment;\r\n";
$message .= " filename=\"php.jpg\"\r\n";
$message .= "\r\n";
$message .= $content_encode;
$message .= "\r\n";
$message .= "--".$mime_boundary."\r\n";
$ok = mail("me#gmail.com", "file by email", $message, $headers);
Overall, the script works. I receive an email in my inbox containing the message text specified above and a JPG attachment. Stack Overflow won't let me post a photo because I'm new, but a screenshot of the message is available here: http://i48.tinypic.com/xfuee0.png
My problem occurs when I try to view the attachment. Clicking the attachment simply opens a new browser window and displays a missing image icon.
Do you see any problems with my script that would prevent the image from appearing?
Any info would be great. Thanks!
To anyone who comes across this post in the future, the problem came from the "Content-Transfer-Encoding" which should have been set to base64.
$message .= "Content-Transfer-Encoding: quoted-printable\r\n";
becomes:
$message .= "Content-Transfer-Encoding: base64\r\n";
I can see one possible reason why you're not seeing your image. (There may be more (!).)
Try changing:
$message .= "--".$mime_boundary."\r\n";
to
$message .= "--".$mime_boundary."--\r\n";
For the last line before the call to mail (ie the "epilogue" boundary).
Three things jump out:
One is that the first append to variables $content and $message and $headers doesn't explicitly set a new value. That is, why not
$headers = "From: Automatic <an.e.mail#domain.net>\r\n";
instead of like you have:
$headers .= "From: Automatic <an.e.mail#domain.net>\r\n";
That eliminates the possibility that some leftover stuff is hanging out in the variables.
The second is that there is \r\n instead of plain \n which should work on every system, even Windows. I doubt this is a problem though.
Third is the closing mime boundary isn't the same as the open.