Topic awaiting preservation: Email in PHP

spramod
Nervous Wreck (II) Inmate

From:
Insane since: Sep 2005

posted 06-08-2006 10:36

I have created a simple form to be sent via email in PHP.
I have previously done the same stuff and it worked perfectly. But now I'm trying to make another form work, in vain!


_____________________ FORM1--__________________________


<form name="form1" method="post" action="submit1.php">

<table width=100% border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#BACDFA">
<tr valign="top">
<td height="20" width="356" bgcolor="#BACDFA"><div align="center" class="a11g style32">
<div align="left">Contact Name:</div>
</div></td>
<td width="339" bgcolor="#BACDFA"><div align="center" class="a11g style32">
<div align="left">Telephone:</div>
</div></td>
</tr>
<tr valign="top">
<td width="356" bgcolor="#BACDFA"><font size="2" color="#4f4f4f" face="Arial">
<input name="name" value="" size=300 style="height:20; width:186; color: #1830B0; background:#ffffff ; border-style: solid; border-width: 1px; border-color: #3366CC;">
</font></td>
<td width="339" bgcolor="#BACDFA"><font size="2" color="#4f4f4f" face="Arial">
<input name="tel" value="" size=300 style="height:20; width:186; color: #1830B0; background: #ffffff; border-style: solid; border-width: 1px; border-color: #3366CC;">
</font></td>
</tr>

<tr>
<td class="a11g style32">E-Mail Address:</td>
<td><input name="email" type="text" class="formbox" value="" id="email" style="width:250px;"></td>
</tr>
<tr>
<td height="31" align="center"><div align="center">
<input name="Submit" type="image" id="Submit" src="images/send.jpg" width="59" height="20" border="0">

</div></td>
<td width="1%" align="center">&nbsp;</td>
</tr>
</table>
</form>



-------------------------------------------
submit1.PHP
------------------------



<?php include("connection.php");



$msg.="Name :\t$HTTP_POST_VARS[name]<br>";
$msg.="Telephone :\t$HTTP_POST_VARS[tel]<br>";
$msg.="Email :\t$HTTP_POST_VARS[email]<br>";


$to="trial@company.co.uk";
$subject= "Online Form" .$HTTP_POST_VARS['email'];
$headers.= "Reply-To: ".$HTTP_POST_VARS['email'];
$headers.="MIME-Version: 1.0\r\n";
$headers.="Content-type: text/html; charset=iso-8859-1\r\n";
$headers.="From:".$HTTP_POST_VARS['email'];


mail($to,$subject,$msg,$headers);
?>
------

THE PROBLEM IS:
The form works well, but I don't seem to receive the email once the form is submitted.
If I send a mail from Hotmail to the email account, I receive it.
But through this form I am not receiving any emails.
Can anybody help??

Thanks a ton..

S

DL-44
Lunatic (VI) Inmate

From: under the bed
Insane since: Feb 2000

posted 06-08-2006 15:28

Before anything else, throw a test page up which, rather than attempting to send an email, simply spits out the variables you are using. Make sure your data is actually making it through.

Once you've done that, come on back.

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-08-2006 15:40

Whatever your testing brings: Don't use this form as it is.

It is easily affected by an attack, namely 'newline/header' injection.

See, if I put "myemail@somewhere.com\r\nCC: anotherEmail@somewhere.com\r\n\r\nThis is the real Spam."
in $_POST['email'] (you should really be using $_POST. $HTTP_POST_VARS is deprecated),
boom, instant open relay on your webserver. (\r\n\r\n separates your mail header from your mailbody.)

You really really need to verify any incoming data, and in this case, not only make sure it's set, also make sure it does not contain linebreaks of any kind (just checking for \r\n won't be enough. Some mailservers will also accept just \n there).

So long,
->Tyberius Prime

spramod
Nervous Wreck (II) Inmate

From:
Insane since: Sep 2005

posted 06-08-2006 15:58

Thanks Tyberius Prime & DL-44,

Tyberius Prime, can you please provide me the code for the part you have explained,
if possible for the part of the code I have written?
I'm not too clear on that.

Please help me, I'm so stuck with this, and I need to get this going at the earliest.

Thanks a lot..

S

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-08-2006 17:09

Honestly - you need to read up on this instead of just patching something together.

At the very least, you'll need a piece of code like this:

code:
// Reject any carriage return or line feed in the submitted address.
if ( ( strpos ( $HTTP_POST_VARS['email'], "\r") !== false ) ||
     ( strpos ( $HTTP_POST_VARS['email'], "\n") !== false ) )
  die ( "Header injection" );



But don't take my word on it - make sure you understand both the problem, and its solution!
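
Added example, not part of the original thread or any poster's code: one way to apply the line-break check discussed above to the submit1.php handler, while also keeping user input out of From and Subject and escaping it in the HTML body. The function names, the placeholder From address and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: hardened take on the thread's submit1.php (not the poster's code).
const MAIL_TO   = 'trial@company.co.uk';       // recipient shown in the thread
const MAIL_FROM = 'webform@example.invalid';   // assumption: fixed, site-owned placeholder

// True if the value contains CR, LF (alone or together) or NUL.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns [to, subject, body, headers] for mail(), or null if the input is rejected.
function build_contact_mail(array $post): ?array
{
    $name  = (string)($post['name']  ?? '');
    $tel   = (string)($post['tel']   ?? '');
    $email = (string)($post['email'] ?? '');
    // The address is the only user value placed in a header: check it untrimmed.
    if ($email === '' || has_header_break($email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The body is sent as text/html, so escape user input there as well.
    $esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'ISO-8859-1');
    $body = 'Name :' . $esc($name) . '<br>'
          . 'Telephone :' . $esc($tel) . '<br>'
          . 'Email :' . $esc($email) . '<br>';
    // Fixed Subject and From; the visitor's address appears only in Reply-To.
    $headers = implode("\r\n", [
        'From: ' . MAIL_FROM,
        'Reply-To: ' . $email,
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset=iso-8859-1',
    ]);
    return [MAIL_TO, 'Online Form', $body, $headers];
}

// Constructed sample inputs; the second is the injection string quoted in the thread.
$samples = [
    ['name' => 'Ann', 'tel' => '555 0100', 'email' => 'ann@example.com'],
    ['name' => 'x', 'tel' => '', 'email' => "myemail@somewhere.com\r\n"
        . "CC: anotherEmail@somewhere.com\r\n\r\nThis is the real Spam."],
    ['name' => 'y', 'tel' => '', 'email' => "bare@example.com\nBcc: other@example.com"],
];
foreach ($samples as $post) {
    $mail = build_contact_mail($post);
    echo json_encode($post['email']), ' => ', $mail === null ? 'rejected' : 'accepted', "\n";
    // In the real handler: if ($mail !== null) { mail(...$mail); }
}
```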

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 06-08-2006 17:14

Check out this bit on Email Injection

It has the basic problems and solutions to email injection attacks.

DL-44
Lunatic (VI) Inmate

From: under the bed
Insane since: Feb 2000

posted 06-08-2006 18:05

Take a look at this thread as well - http://www.ozoneasylum.com/27650
