I want to store angle brackets in a string in PHP because i want to eventually use mail() to send an HTML email out.
The following is the code that doesn't seem to work.
while(...) {
$msg .= "<img src=\"http://.../images/".$media['Path']."\"><br>";
echo "message: ".$msg."<br>";
}
What I want is for $msg to contain a bunch of images (provided by $media['Path']) that are separated by line breaks. Then $msg is passed into mail().
The echo confirms that no images are being sent. And, indeed, I receive no images in the email body. Why is this happening? How can I fix it?
There are two ways of embedding images in an email:
As external references: <img src="http://..."; and
Embedded in the email.
(1) is I guess what you're trying to do. Many mail programs will (rightly) block such images as they are used by spammers to test email accounts for liveness.
It's better to do (2). See PHP Email: Using Embedded Images in HTML Email. Basically you create a multi-part MIME email (so you can attach HTML and the images) and then reference them by cid instead of a true URL. These are far less suspicious to any mail program that receives them but obviously result in bigger emails (as the image might be sent 100,000 times instead of just sending a URL).
Have you inspected the HTML that gets echo'd out? You probably have the wrong image path. Also, if you're going to be emailing that, you need to use an absolute path (http://yoursite.com/images/theimage.jpg rather than images/theimage.jpg).
Also, make sure that you have the headers set up right in the mail() function so that it gets sent as HTML instead of plaintext.
You could also use a mail wrapper such as Swiftmailer or PHPMailer which may help you with your problem. You have said that you are on a time limit though, so it may take you longer to actually convert across to using something like this.
to echo the angle brackets use:
< //<=
> //>=
I think php can not deal with angle brackets as it is:
try the following:
$varone='one';
$vartwo='two';
$b=' <';
$concateOne='With Normal Brackets : '.$varone.'<'.$vartwo.'>'.'<br>';
$concateTwo='With Character Brackets : '.$varone.'<'.$vartwo.'>'.'<br>';
echo $concateOne;
echo '<br>';
echo $concateTwo;
echo '<hr>';
var_dump($concateOne);
echo '<hr>';
var_dump($concateTwo);
echo '<hr>';
when dumping the variable you will find that php do not store the value of the normal brackets.
Related
I am feeling a bit awkward, because I am generating a mail-body with PHP without escaping the variables. In HTML I am using htmlspecialchars() or similar functions, for command lines escapeshellarg(), but for mails? For example something like this:
<?php
$usercontent = $_GET['usercontent'];
mail("dummy#nowhere.tld", "My Subject", "My body with $usercontent included");
?>
What could a possible attacker do with a script like the one above and how could I protect against such an attack? Or is PHP mail() save and why?
Update
Please refer to the example:
Only the body is affected (No Headers!)
Content-Type is text/plain
Some proof to the answer would be nice
MTA is a postfix sendmail with "/usr/sbin/sendmail -t -i"
The basic e-mail message body is plain text. If you want a different type like HTML or a multipart message, you need to use the MIME extension and specify the type accordingly using Content-Type (e.g. text/html for HTML or multipart/… for a multipart message).
So from the security perspective, there is no way to inject anything harmful (at least not as per specification). Even non-ASCII characters should be handled correctly despite the lacking declaration of the used character encoding.
However, there still may be some flaws in e-mail clients which can be exploited this way. But I doubt that.
Good question. I don't believe you need to escape the body text, but I do know it's possible to add headers to a mail (like a BCC to thousands of addresses) if you allow the user to input a from address. So if you put variables in that, definitely check for newlines (\n and \r) to make sure no additional headers are added.
Think of the body of the email this way: "Mission top secret destination unknown." We may not know what kind of client will read the message, but we can guess that we do not want live, user supplied, unescaped HTML to show up in it. Since many clients read mail in HTML, the best thing to do would be to htmlentities() the user supplied e-mail body.
A method from my escaper class.
<?php
class escaper
{
public function superHtmlEntities($string)
{
return htmlentities($string, ENT_QUOTES | ENT_HTML5, 'UTF-8', true);
}
}
?>
========================================
At minimum, consider something like this and more as you do your research.
<?php
$esc = new Escaper();
$usercontent = $_GET['usercontent'];
mail("dummy#nowhere.tld", "My Subject", $esc->superHtmlEntities("My body with $usercontent included"));
?>
It is not secured against XSS atack because if your mail contains HTML someone can inject it into mail.
The good behaviour is to check and valid data which you expect to have. If I were you I would escape this string. It costs almoust nothing and you don't have to worry about consequences of not using it.
I'm using PHPMailer to send emails.
Now, we all know we need to always check user input.
But how about the subject and body of emails? (so i do not mean the emailadress)
What does need to be sanitized and how to do it? What are the (major) vulnerability's?
Should i'll use something like HTMLPurifier for this? Because i want the user to be able to markup there emails. Or should i'll use/write a BB-code function what can be used?
Update:
For mail body:
I now use htmlspecialchars with ent_quotes flag on. After this ill run a BB-code (jBBCode) parser over the message. This one looks safe now.
For subject:
I do not use any validation/sanitizing/etc. (exept min and max strlen) on the subject field.
Tested with some javascript but it looks like it's all okay.
Can i assume this is safe now? (P.s. the code does not get printed anywhere else than in the email.)
Yes, you need to clean user input before sending. HTMLPurifier and HTMLawed make a fair job of sanitising, but need to be tuned to not block out useful stuff - both err on the side of caution. BBCode or markdown do make things much easier to filter, so long as you don't need to do intricate layouts.
You can use
<?php
filter_var($body, FILTER_SANITIZE_FULL_SPECIAL_CHARS)
to help protect against special characters also you can use RAW such as
<?php
filter_var($body, FILTER_SANITIZE_RAW, FILTER_FLAG_ENCODE_HIGH)
Full details can be found here -> https://secure.php.net/manual/en/function.filter-var.php
I'm trying to create a block of PHP code within HTML such that when the user loads the page, it displays their IP address and time/date as the user in an email address.
I'm using apache on fedora21, and have enabled PHP (tested with phpinfo() function in the same HTML file).
Here is the code I'm trying to execute:
<? echo '<a href="mailto:'.$REMOTE_ADDR.'_'.date('y-m-j').'-#example.com" title="There is no spoon">For stupid spambots'; ?>
It just prints For stupid spambots'; ?> without printing the generated email address.
<? echo 'For stupid spambots'; ?>
Need to close <a href at first, and if you want to return IP its $_SERVER['REMOTE_ADDR'] not $REMOTE_ADDR except you define that variable before.
Judging from the fact that you can see closing ?>, I deduce that your PHP code doesn't run at all and is interpreted like regular HTML.
There might be several reasons why (badly configured Apache being one of them), but my prime suspect is that you have disabled short PHP tags. Try using <?php instead of <?.
You used the syntax of an html anchor wrong. Consider this:
<?php
$address = sprintf('%s_%s-#example.com', $_SERVER['REMOTE_ADDR'], date('y-m-j'));
echo sprintf('%3$s: %1$s',
$address,
'There is no spoon',
'For stupid spambots');
?>
You have to print the address into the visible text content of the anchor definition if you want it to be visible. You only but the "For stupid spambots" string in there which is what got displayed.
( Note that I just used the sprintf() calls to keep the lines short and readable. Obviously this also works with traditional string concatenation. )
I built a php script to output data posted in a form, but I ran into a problem. The server the website is going to run on, runs PHP 5.1.6. This version of PHP does not support filter_var.
I need to know an alternative on short term (preferably yesterday), and can't find something straight forward on Google or Stack Overflow.
Mayhap someone here ran into the same issue in the past and has a quick fix for me?
This code:
$email= filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$answer= filter_var($_POST['answer'], FILTER_SANITIZE_STRING);
needs to be compatible with PHP 5.1.6, so the email address is checked on genuinity, and that no malicious code is used in either fields. Any tips?
Thanks so much!
for Emails you can use a Regex: (for example: http://www.totallyphp.co.uk/validate-an-email-address-using-regular-expressions)
for strings you could also do regex, but that is a little bit too heavy, so maybe a combination of mysql_real_escape_string() if you send it to a DB, and for html you should use htmlentities():
http://de.php.net/manual/en/function.mysql-real-escape-string.php
http://www.php.net/manual/en/function.htmlentities.php
I don't think that the filter_var-function does far different than just using these methods
You can install the extension via PECL to PHP 5.1:
http://pecl.php.net/package/filter
i would use a regular expression generally. it provides you the most flexibility. on the internet are many useful resources about it. take a look here or here
Using the information I was given in the previous answers, here's how I fixed my problem:
<?PHP // Retreive POST data and sanitize it: trim string, no HTML, plain text
$variable1=htmlentities(trim($_POST['input1']), ENT_NOQUOTES);
$variable2=htmlentities(trim($_POST['input2']), ENT_NOQUOTES);
$emailaddress=$_POST['email']; // sanitizing email address happens below
if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*#[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $emailadres)){ // check email address and if legit, do this:
echo '<p>The e-mail address given is valid.</p>'
} else{ // if email is not legit, do this:
echo '<p>The e-mail address given is not valid.</p>';
}
?>
I hope this helps someone :)
I'm using PHP _EOL when building the message body of my email but the line feeds are not getting through and the entire message body ends up one long line in the resultant email. This happens regardless of Multi-part or html only messages. Sending as text only it works fine, but of course I want to send Multi-part messages.... Any ideas?
Uhm. If there are no line breaks in your HTML email, it's probably because neither a \n nor a \r\n is a newline in HTML; a <br /> tag is.
I've never even used PHP_EOL before, but I wonder if it is set to the type of your server, not of the recipient. I don't see how a constant could be correct for all recipients, that doesn't make sense.
Usually '\n' is all that is needed... in some cases you may need '\r\n' depending on the protocol involved. What are you using to send the email? What are you using to view the email?