I have a contact form on my website, and everything works like a charm. I am using a anti-injection validation script, that I suspect is supposed to send a notification when somebody attempts to use header injection. I have tested this thouroghly and cannot determine why it will not notify me on the event of an abuse. The script is below.
<?php
/* Set e-mail recipient */
$myemail = "email#gmail.com";
/* Check all form inputs using check_input function */
$subject = check_input($_POST['subject'], "Please enter your name");
$email = check_input($_POST['email'], "Please enter your email");
$form = check_input($_POST['form'], "Please write your message");
function logbad($value)
{
// Start of validation; this is where the problem is
$report_to = "email#gmail.com";
$name = "Matt";
$mail = "$email";
// replace this with your own get_ip function...
$ip = (empty($_SERVER['REMOTE_ADDR'])) ? 'empty'
: $_SERVER['REMOTE_ADDR'];
$rf = (empty($_SERVER['HTTP_REFERER'])) ? 'empty'
: $_SERVER['HTTP_REFERER'];
$ua = (empty($_SERVER['HTTP_USER_AGENT'])) ? 'empty'
: $_SERVER['HTTP_USER_AGENT'];
$ru = (empty($_SERVER['REQUEST_URI'])) ? 'empty'
: $_SERVER['REQUEST_URI'];
$rm = (empty($_SERVER['REQUEST_METHOD'])) ? 'empty'
: $_SERVER['REQUEST_METHOD'];
$headers = "MIME-Version: 1.0\n";
$headers .= "Content-type: text/plain; charset=iso-8859-1\n";
$headers .= "X-Priority: 1\n";
$headers .= "X-MSMail-Priority: Normal\n";
$headers .= "X-Mailer: php\n";
$headers .= "From: \"".$nama."\" <".$mail.">\r\n\r\n";
#mail
(
$report_to
,"[ABUSE] mailinjection # " .
$_SERVER['HTTP_HOST'] . " by " . $ip
,"Stopped possible mail-injection # " .
$_SERVER['HTTP_HOST'] . " by " . $ip .
" (" . date('d/m/Y H:i:s') . ")\r\n\r\n" .
"*** IP/HOST\r\n" . $ip . "\r\n\r\n" .
"*** USER AGENT\r\n" . $ua . "\r\n\r\n" .
"*** REFERER\r\n" . $rf . "\r\n\r\n" .
"*** REQUEST URI\r\n" . $ru . "\r\n\r\n" .
"*** REQUEST METHOD\r\n" . $rm . "\r\n\r\n" .
"*** SUSPECT\r\n--\r\n" . $value . "\r\n--"
,$headers
);
}
// Check 1
//First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if(!isset($_SERVER['HTTP_USER_AGENT']))
{
die('Forbidden - You are not authorized to view this page (0)');
exit;
}
// Cek 2
// Make sure the form was indeed POST'ed:
// (requires your html form to use: action="post")
if(!$_SERVER['REQUEST_METHOD'] == "POST")
{
die('Forbidden - You are not authorized to view this page (1)');
exit;
}
// Host names from where the form is authorized
// to be posted from:
$authHosts = array("cover.com");
// Where have we been posted from?
$fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));
// Test to see if the $fromArray used www to get here.
$wwwUsed = strpos($fromArray['host'], "www.");
// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts))
{
logbad("Form was not posted from an approved host name");
die(' Forbidden - You are not authorized to view this page (2)');
exit;
}
// Attempt to defend against header injections:
$badStrings = array("content-type:",
"mime-version:",
"content-transfer-encoding:",
"multipart/mixed",
"charset=",
"bcc:",
"cc:");
// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v)
{
foreach($badStrings as $v2)
{
if(strpos(strtolower($v), $v2) !== false)
{
logbad($v);
die('<strong>Form processing cancelled:<br /></strong> string
(`'.$v.'`)<strong> contains text portions that
are potentially harmful to this server. <br />Your input
has not been sent! <br />Please use your browser\'s
`back`-button to return to the previous page and try
rephrasing your input.</strong>');
exit;
}
}
}
// Made it past spammer test, free up some memory
// and continuing the rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);
/* If e-mail is not valid show error message */
$addr_spec = '([^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c'.
'\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+|\\x22([^\\x0d'.
'\\x22\\x5c\\x80-\\xff]|\\x5c[\\x00-\\x7f])*\\x22)'.
'(\\x2e([^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e'.
'\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+|'.
'\\x22([^\\x0d\\x22\\x5c\\x80-\\xff]|\\x5c\\x00'.
'-\\x7f)*\\x22))*\\x40([^\\x00-\\x20\\x22\\x28'.
'\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d'.
'\\x7f-\\xff]+|\\x5b([^\\x0d\\x5b-\\x5d\\x80-\\xff'.
']|\\x5c[\\x00-\\x7f])*\\x5d)(\\x2e([^\\x00-\\x20'.
'\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40'.
'\\x5b-\\x5d\\x7f-\\xff]+|\\x5b([^\\x0d\\x5b-'.
'\\x5d\\x80-\\xff]|\\x5c[\\x00-\\x7f])*\\x5d))*';
if (!preg_match("!^$addr_spec$!", $email))
{
show_error("E-mail address not valid");
}
if (strtolower($_POST['code']) != 'rowingcover') {die('The following error occured: <br />Wrong anti-spam code. <br />
Go back');}
/* Let's prepare the message for the e-mail */
$message = "Cover.com Contact Form
From:
$subject
$email
Message
$form
";
/* Send the message using mail() function */
mail($myemail, $subject, $message, "From: $email");
/* Redirect visitor to the thank you page */
header('Location: contact_received.html');
exit();
/* Functions we used */
function check_input($data, $problem='')
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
if ($problem && strlen($data) == 0)
{
show_error($problem);
}
return $data;
}
function show_error($myError)
{
?>
<html>
<body>
<b>Please correct the following error:</b><br />
<?php echo $myError; ?><br />
Go back
</body>
</html>
<?php
exit();
}
?>
I am relatively new to php, so any help would be much appreciated.
Thanks,
Matt
Your problem might be that you are using double quotes with # in your variable:
should be: $report_to = 'email#gmail.com'; or $report_to = "email\#gmail.com";
Just posting as answer from my comment since you got it solved by that.
The thing was that using an array inside a variable without scaping it will result in a empty array in your case which would give you a possible wrong email.
You welcome :)
I have found a few things that might contribute to that.
1)
$mail = "$email";
$email isn't defined (you're inside a function), and there is no reason to put quotes around a variable. This means $mail = "";
2)
$headers .= "From: \"".$nama."\" <".$mail.">\r\n\r\n";
You said $nama instead of $name, this means that line is actually:
$headers .= "From: <>\r\n\r\n";
It's a bit difficult to see the reason. Try defining your subject and message before your mail function (makes it much easier to read).
Don't use the "#mail" as that will NOT tell you any errors it runs into. While debugging, you definitely want error messages.
Try sending a normal text email before you send an HTML error (in that function), it might help make things simple. Then slowly implement HTML, see where it breaks.
This following lines looks wrong.
$mail = "$email"; should be $mail = $email;
#mail( should be just mail( This is probably the line preventing your mail being sent!
mail($myemail, $subject, $message, "From: $email"); should be
mail($myemail, $subject, $message, "From:".$email);
Hope that helps.
Thanks to Prix who answered my question in the comments:
$report_to = "email#gmail.com"; either
use single quote or scape the #
$report_to = 'email#gmail.com'; or
$report_to = "email\#gmail.com"; since
the # is treathed as an array it will
not read as email#gmail.com under
double quotes. – Prix 4 mins ago
Related
I have a php contact form which has been working reliably for several years up until Jan 2022. It uses a Google reCaptcha. Apparently it fails at the mailcheck part which is near the end and prints out the "MAIL Sending Failed" message
<?php
//dont need these
error_reporting(E_ALL);
ini_set('display_errors', 1);
// check form is submitted
if ( isset($_POST['form_submit']) ) {
// get values
$error = ''; //error variable
$visitor_name = $_POST['name'];
$visitor_email = $_POST['email'];
$visitor_message = $_POST['message'];
$captcha = $_POST['g-recaptcha-response'];
//required values
if ( empty($visitor_name) || empty($visitor_email) ) {
$error = "<h3>Name and Email are required. END.</h3>";
}
//required captcha
if ( empty($captcha) ) {
$error = "<h3>Please check the the captcha form. END.</h3>";
}
// if no errors
if( empty($error) ){
$secretKey = " *** hidden *** ";
$ip = $_SERVER['REMOTE_ADDR'];
// post request to server
$url = 'https://www.google.com/recaptcha/api/siteverify?secret=' .
urlencode($secretKey) . '&response=' . urlencode($captcha);
$response = file_get_contents($url);
$responseKeys = json_decode($response, true);
// should return JSON with success as true
if ($responseKeys["success"]) {
echo '<h3>Captcha Success. Writing Mail...</h3>';
// write mail
$to = " *** my user email ***.com";
$email_subject = "C&H form v2c inquiry";
// To send HTML mail, the Content-type header must be set
// If the From header is not set, then Luxsci servers reject
// $headers = "";
$headers = "From: *** my email ***.com \r\n";
$headers .= "Reply-To: $visitor_email \r\n";
$headers .= "MIME-Version: 1.0 \r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1 \r\n";
$headers .= "X-Mailer: PHP/".phpversion();
$email_body = "message from " . $visitor_name . "<br>" .
"sender's email: " . $visitor_email . "<br>" .
"here is the message: " . $visitor_message;
// compose headers
//Send the mail
$mail_check = mail($to, $email_subject, $email_body, $headers);
if ($mail_check) {
echo "<h5>Mail sending successful. Redirecting... </h5>";
echo '<script> window.location.href = "thank_you_CG.html"; </script>';
} else {
echo "<h5>MAIL sending failed.</h5><br<br>
<h3> This is the failure message it sends out HERE </h3>";
}
} else { // if response not success
echo '<h3>reCaptcha verification failed!</h3>';
echo "Response from reCaptcha: <br>";
print_r($responseKeys);
}
} else { //if errors
echo $error;
exit;
}
}
I can also add the html but there seems to be no problem with that. As mentioned this php form was working fine for years then stopped. I've heard that the Google recaptcha uses a smaller string now?
I am trying to parse some HTML from files into a PHP variable to send across HTML email, but I am struggling. It doesn't output anything at all when loaded. Only the submit button is echoed. What am I doing wrong? I know it's probably a lot, but can someone please advise me on how to get this to work?
I will end up using AJAX for the submit button so the page isn't reloaded, but the content (at the moment) isn't even displaying. It's a lot of code, so I decided to break it up into files to make it easier to read and easier to inject.
<?php
// Setting mail options
$to = $_POST["clientemail"];
$subject = $_POST["subject"];
// Are we debugging?
$debug = true;
// Set content-type header for sending HTML email
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
// Additional headers
$headers .= 'From: CodexWorld<"postmaster#intel-web.co.uk">' . "\r\n";
$headers .= 'Cc: b.ravetta#gmail.com' . "\r\n";
$headers .= 'Bcc: admin#intel-web.co.uk' . "\r\n";
// Place all HTML content into one big fucking message.
$head = file_get_contents("head.html");
$body = file_get_contents("body.html");
$footnotes = file_get_contents("footer.html");
if($_POST["packageid"] == 1)
{
$content = file_get_contents("fb.html");
}
if($_POST["packageid"] == 2)
{
$content = file_get_contents("aw.html");
}
if($_POST["packageid"] == 3)
{
$content = file_get_contents("mobi.html");
};
$messagecontent =
echo $head;
echo $body;
echo $content;
echo $footnotes;
;
// Where the message content ends.
echo "<form method='POST' action=''>
<input type='submit' name='sendmail' value='Send Email'>
</form>";
if (isset($_POST['sendmail']))
if(mail($to,$subject,$messagecontent,$headers)):
$successMsg = 'Email has sent successfully.';
else:
$errorMsg = 'Email sending fail.';
endif;
// Debug Shit
if ($debug)
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting("E_STRICT")
?>
I'm surprised that you even get a submit button at all. Because
$messagecontent =
echo $head;
echo $body;
echo $content;
echo $footnotes;
;
should actually raise a syntax error for an unexpected T_ECHO.
If you want to concatenate a string, that's how you do it:
$messagecontent = $head . $body . $content . $footnotes;
If you fix that, you will still only get the submit button after submitting the form, because while you will send the mail, you do nothing with your success / error message. You might want to do something like
if (isset($_POST['sendmail'])) {
if(mail($to,$subject,$messagecontent,$headers)) {
$successMsg = 'Email has sent successfully.';
echo $successMsg;
} else {
$errorMsg = 'Email sending fail.';
echo $errorMsg;
}
}
(Note: I also changed the syntax of your if statements to an accepted standard. see http://www.php-fig.org/psr/)
Also, you might want to change the error reporting settings in the php.ini and not in the file. Because if you do have a parse error, you won't see it (because the file can't be parsed and so display_errors won't get set to 1.
I know I'm being sent a status of '1' from this process file as my JavaScript resulting is functioning. Problem is that I'm not getting the email.
<?php
//Retrieve form data.
//GET - user submitted data using AJAX
//POST - in case user does not support javascript, we'll use POST instead
$name = ($_GET['name']) ? $_GET['name'] : $_POST['name'];
$email = ($_GET['email']) ?$_GET['email'] : $_POST['email'];
$comment = ($_GET['comment']) ?$_GET['comment'] : $_POST['comment'];
//flag to indicate which method it uses. If POST set it to 1
if ($_POST) $post=1;
//Simple server side validation for POST data, of course,
//you should validate the email
if (!$name) $errors[count($errors)] = 'Please enter your name.';
if (!$email) $errors[count($errors)] = 'Please enter your email.';
if (!$comment) $errors[count($errors)] = 'Please enter your comment.';
//if the errors array is empty, send the mail
if (!$errors) {
//recipient - change this to your name and email
$to = 'myemail#gmail.com';
//sender
$from = $name . ' <' . $email . '>';
//subject and the html message
$subject = 'Comment from ' . $name;
$message = '
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head></head>
<body>
<table>
<tr><td>Name</td><td>' . $name . '</td></tr>
<tr><td>Email</td><td>' . $email . '</td></tr>
<tr><td>Comment</td><td>' . nl2br($comment) . '</td></tr>
</table>
</body>
</html>';
//send the mail
$result = sendmail($to, $subject, $message, $from);
//if POST was used, display the message straight away
if ($_POST) {
if ($result) echo 'Thank you! We have received your message.';
else echo 'Sorry, unexpected error. Please try again later';
//else if GET was used, return the boolean value so that
//ajax script can react accordingly
//1 means success, 0 means failed
} else {
echo $result;
}
//if the errors array has values
} else {
//display the errors message
for ($i=0; $i<count($errors); $i++) echo $errors[$i] . '<br/>';
echo 'Back';
exit;
}
//Simple mail function with HTML header
function sendmail($to, $subject, $message, $from) {
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$headers .= 'From: ' . $from . "\r\n";
$result = mail($to,$subject,$message,$headers);
if ($result) return 1;
else return 0;
}
?>
You mentioned you are using GoDaddy. GoDaddy requires you set the sender address legitimately to match the domain of the site it is sending from or use SMTP with Authentication.
There is a huge gaping hole with this method of sending email. Spammers can easily override the From: header by inserting additional recipients.
I'm not sure how mail centric your application plans to be, but I would recommend using a package like PHPMailer or PEAR::Mail as it takes care of email handling for you at a much higher level. This let's you focus on more important parts of your application. The built-in PHP mail() feature is very limited in its abilities and as you try to extend your mail capabilities you'll run into many road blocks that the base mail() function just cannot handle without a lot of additional logic on your behalf (attachments, MIME-types, etc come to mind).
when testing mails you can test it directly to your server, php mail has a function that already runs on it. if you test it on xampp locally it will not send , unless you have set the php mailer in localhost. but for me its better to test it on server than in localhost.
Might be easier to look at this fiddle: http://jsfiddle.net/pkAGz/ and the process.php code is shown below:
<?php
//Retrieve form data.
//GET - user submitted data using AJAX
//POST - in case user does not support javascript, we'll use POST instead
$name = ($_GET['name']) ? $_GET['name'] : $_POST['name'];
$email = ($_GET['email']) ?$_GET['email'] : $_POST['email'];
//flag to indicate which method it uses. If POST set it to 1
if ($_POST) $post=1;
//Simple server side validation for POST data, of course,
//you should validate the email
if (!$name) $errors[count($errors)] = 'Please enter a name.';
//if the errors array is empty, send the mail
if (!$errors) {
$name = $name[array_rand($name)];
$to = '$name <$name email adress if set>';
//sender
$from = $name . ' <' . $email . '>';
//subject and the html message
$subject = 'Comment from ' . $name;
$message = '
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head></head>
<body>
<table>
<tr><td>Name</td><td>' . $name . '</td></tr>
<tr><td>Email</td><td>' . $email . '</td></tr>
</table>
</body>
</html>';
//send the mail
$result = sendmail($to, $subject, $message, $from);
//echo "\n\n$name has been nominated to make the tea!\n\n";
//echo "\n\nThey will also be notified by e-mail if you entered their address.\n\n";
//if POST was used, display the message straight away
if ($_POST) {
if ($result) echo "\n\n$name has been nominated to make the tea!\n\nThey will also be notified by e-mail if you entered their address.\n\n";
else echo 'Sorry, unexpected error. Please try again later';
//else if GET was used, return the boolean value so that
//ajax script can react accordingly
//1 means success, 0 means failed
} else {
echo $result;
}
//if the errors array has values
} else {
//display the errors message
for ($i=0; $i<count($errors); $i++) echo $errors[$i] . '<br/>';
echo 'Back';
exit;
}
//Simple mail function with HTML header
function sendmail($to, $subject, $message, $from) {
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$headers .= 'From: ' . $from . "\r\n";
$result = mail($to,$subject,$message,$headers);
if ($result) return 1;
else return 0;
}
?>
Once the AJAX request is working the next step is simply work around the code to send an e-mail to the person chosen if their e-mail address was entered - a bit stuck on how to do that as I want the e-mail field to remain optional.
Then obviously, I want to return the name of the person that was picked at random and that will be it!
Thanks,
Martin
Use Firebug for Firefox, or watch the console in Chrome/Safari. So you would have seen that you have a javascript error:
Uncaught ReferenceError: comment is not defined
So the script:
//cancel the submit button default behaviours
return false;
isn't executed and the form is posted normally.
Hey guys,
I know there are a lot better ways to send email with PHP. However, for this purpose the easiest solution is perfect. Only thing: I can't find out why, my validation is not working!
I get the email address, however the validation is not working, I'm able to send a completely empty form. Any ideas?
<?php
//Email
$Name = Trim(stripslashes($_POST['author']));
$EmailFrom = Trim(stripslashes($_POST['email']));
$Subject = Trim(stripslashes($_POST['subject']));
$Comment = Trim(stripslashes($_POST['comment']));
$EmailTo = "myemail#address.com";
/*$Name = "Some Name";
$EmailFrom = "test#test.com";
$Subject = "Test";
$Comment = "Why is the validation not working, don't get it?";
$EmailTo = "myemail#address.com";*/
/*echo $Name . " length: " . strlen($Name) . "<br/>";
echo $EmailFrom . " length: " . strlen($EmailFrom) . "<br/>";
echo $Subject . " length: " . strlen($Subject) . "<br/>";
echo $Comment . " length: " . strlen($Comment) . "<br/>";
echo $EmailTo . " length: " . strlen($EmailTo) . "<br/>";*/
//***************************
//Validation
//***************************
$validationOK=true;
if ($Name == "") $validationOK=false;
if (isValidEmail($EmailFrom) == 0) $validationOK=false;
if ($Subject == "") $validationOK=false;
if ($Comment == "") $validationOK=false;
function isValidEmail( $email = null ) {
return preg_match( "/^[\d\w\/+!=#|$?%{^&}*`'~-][\d\w\/\.+!=#|$?%{^&}*`'~-]*#[A-Z0-9][A-Z0-9.-]{1,61}[A-Z0-9]\.[A-Z]{2,6}$/ix", $email );
}
if (!$validationOK) {
print "error";
}
//***************************
//Order
//***************************
$Body = "Contactform";
$Body .= "\n\n";
$Body .= $Comment;
// Email Headers with UTF-8 encoding
$email_header = "From: " . $EmailFrom . "\r\n";
$email_header .= "Content-Type: text/plain; charset=UTF-8\r\n";
$email_header .= "Reply-To: " . $EmailFrom . " \r\n";
// send email
$success = mail($EmailTo, $Subject, $Body, $email_header);
//***************************
//Success or Error
//***************************
if ($success){
print "success";
}
else{
print "error";
}
?>
you need to return after the condition
if (!$validationOK) {
print "error";
// return or exit
}
dont continue to send mail
You don't end your script after printing "error". You should end the script or make some other change so it won't be sent on error. For example:
if (!$validationOK) {
print "error";
exit;
}
You're printing the word error if $validationOK is false but you're not halting the script at that point so php continues to process the commands after it.
Try the following
if (!$validationOK) {
print "error";
exit();
}
This code:
if (!$validationOK) {
print "error";
}
does not keep your program from sending a mail, it just prints error message.
Don't write your own email validation function when there's tried and tested free software to do it for you.
You are welcome to use my free PHP function is_email() to validate addresses. It's available to download [here][1].
It will ensure that an address is fully RFC 5321 compliant. It can optionally also check whether the domain actually exists and has an MX record.
You shouldn't rely on a validator to tell you whether a user's email address actually exists: some ISPs give out non-compliant addresses to their users, particularly in countries which don't use the Latin alphabet. More in my essay about email validation here: [http://isemail.info/about][2].