I will be passing string containing raw email in which i want to parse headers. Might be Subject, text/html or attachments etc. Please help me on this.
There's other libraries too, but this was my first hit on google.
http://code.google.com/p/php-mime-mail-parser/
You will either needs to find the input in $_SERVER['argv'] or use fopen('php://input', 'r')
this can all be done with the php imap functions
Just use php's regex functions.
Related
I am feeling a bit awkward, because I am generating a mail-body with PHP without escaping the variables. In HTML I am using htmlspecialchars() or similar functions, for command lines escapeshellarg(), but for mails? For example something like this:
<?php
$usercontent = $_GET['usercontent'];
mail("dummy#nowhere.tld", "My Subject", "My body with $usercontent included");
?>
What could a possible attacker do with a script like the one above and how could I protect against such an attack? Or is PHP mail() save and why?
Update
Please refer to the example:
Only the body is affected (No Headers!)
Content-Type is text/plain
Some proof to the answer would be nice
MTA is a postfix sendmail with "/usr/sbin/sendmail -t -i"
The basic e-mail message body is plain text. If you want a different type like HTML or a multipart message, you need to use the MIME extension and specify the type accordingly using Content-Type (e.g. text/html for HTML or multipart/… for a multipart message).
So from the security perspective, there is no way to inject anything harmful (at least not as per specification). Even non-ASCII characters should be handled correctly despite the lacking declaration of the used character encoding.
However, there still may be some flaws in e-mail clients which can be exploited this way. But I doubt that.
Good question. I don't believe you need to escape the body text, but I do know it's possible to add headers to a mail (like a BCC to thousands of addresses) if you allow the user to input a from address. So if you put variables in that, definitely check for newlines (\n and \r) to make sure no additional headers are added.
Think of the body of the email this way: "Mission top secret destination unknown." We may not know what kind of client will read the message, but we can guess that we do not want live, user supplied, unescaped HTML to show up in it. Since many clients read mail in HTML, the best thing to do would be to htmlentities() the user supplied e-mail body.
A method from my escaper class.
<?php
class escaper
{
public function superHtmlEntities($string)
{
return htmlentities($string, ENT_QUOTES | ENT_HTML5, 'UTF-8', true);
}
}
?>
========================================
At minimum, consider something like this and more as you do your research.
<?php
$esc = new Escaper();
$usercontent = $_GET['usercontent'];
mail("dummy#nowhere.tld", "My Subject", $esc->superHtmlEntities("My body with $usercontent included"));
?>
It is not secured against XSS atack because if your mail contains HTML someone can inject it into mail.
The good behaviour is to check and valid data which you expect to have. If I were you I would escape this string. It costs almoust nothing and you don't have to worry about consequences of not using it.
I'm using PHPMailer to send emails.
Now, we all know we need to always check user input.
But how about the subject and body of emails? (so i do not mean the emailadress)
What does need to be sanitized and how to do it? What are the (major) vulnerability's?
Should i'll use something like HTMLPurifier for this? Because i want the user to be able to markup there emails. Or should i'll use/write a BB-code function what can be used?
Update:
For mail body:
I now use htmlspecialchars with ent_quotes flag on. After this ill run a BB-code (jBBCode) parser over the message. This one looks safe now.
For subject:
I do not use any validation/sanitizing/etc. (exept min and max strlen) on the subject field.
Tested with some javascript but it looks like it's all okay.
Can i assume this is safe now? (P.s. the code does not get printed anywhere else than in the email.)
Yes, you need to clean user input before sending. HTMLPurifier and HTMLawed make a fair job of sanitising, but need to be tuned to not block out useful stuff - both err on the side of caution. BBCode or markdown do make things much easier to filter, so long as you don't need to do intricate layouts.
You can use
<?php
filter_var($body, FILTER_SANITIZE_FULL_SPECIAL_CHARS)
to help protect against special characters also you can use RAW such as
<?php
filter_var($body, FILTER_SANITIZE_RAW, FILTER_FLAG_ENCODE_HIGH)
Full details can be found here -> https://secure.php.net/manual/en/function.filter-var.php
I want to extract variable lengths of information from a jpeg-file using PHP, but it is not exif-data.
If I open the jpeg with a simple text editor, I can see that the wanted informations are at the end of the file and seperated by \00.
Like this:
\00DATA\00DATA00DATA\00DATA\000\00DATA
Now if I use PHP's file_get_contents() to load the file into a string, the dividers \00 are gone and other symbols show up.
Like so:
ÿëžDATADATADATADATADATA ÿÙ
Could somebody please eplain:
Why do the \00 dividers vanish?
How to get the informations using PHP?
EDIT
The question is solved, but for those seeking a smarter solution, here is the file I try to obtain the DATA parts from: https://www.dropbox.com/s/5cwnlh2kadvi6f7/test-img.jpg?dl=0 (yes I know its corrupted)
Use instead $data = exif_read_data("PATH/some.jpg") it will give you all headers data about image, you can check its manual here - http://php.net/manual/en/function.exif-read-data.php
I came up with a solution on my own. May not be pretty, but works for me.
Using urlencode(file_get_contents()) I was able to retrieve the \00 parts as %00.
So now it reads like this:
%00DATA%00DATA%00DATA%00DATA%000%00DATA
I can split the string at the %00 parts.
I am going to accept this answer, once SO lets me do so and nobody comes up with a better solution.
I am trying to Integrate an SMS service into my website. I need to make a HTTP call with a param named "msg" (urlencoded).
Currently, I am constructing the entire URL with msg param being urlencoded (i.e $msg = urlencode($msg)), and I am sending the SMS.
$msg = urlencode("Hello World");
Although what I receive on my phone is "Hello+World" and NOT "Hello World".
So is there an issue with file_get_contents ?
Also, is there anyway, I can see the string "file_get_contents" finally sends out ?
Try using rawurlencode() instead.
The principal difference (although there are others) is that it encodes spaces as %20 instead of +. This is quite likely the source of your problem.
I figured what was the issue:
I was using http_build_query to create the query string, and I was passing a urlencode'd param to it. Hence it was being encoded twice.
So is there an issue with file_get_contents ?
No.
Also, is there any way, I can see the string file_get_contents finally sends out ?
Yes, with a network sniffer.
You need to use urldecode() after retrieving data and then display to user
I know how to do this in Ruby, but I want to do this in PHP. Grab a page and be able to parse stuff out of it.
Take a look at cURL. Knowing about cURL and how to use it will help in many ways as it's not specific to PHP. If you want something specific however, you can use file_get_contents which is the recommended way in PHP to get the contents of a file into a string.
$file = file_get_contents("http://google.com/");
How to parse it depends on what you are trying to do, but I'd recommend one of the XML libraries for PHP.
You could use fopen in read mode: fopen($url, 'r'); or more simply file_get_contents($url);. You could also use readfile(), but file_get_contents() is potentially more efficient and therefore recommended.
Note: these are dependent on config (see the linked manual page) but will work on most setups.
For parsing, simplexml is enabled by default in PHP.
$xmlObject = simplexml_load_string($string);
// If the string was valid, you now have a fully functional xml object.
echo $xmlObject->username;
Its funny, I had the opposite question when I started rails development