Mail form contents to an email address

Posted: Wed Apr 19, 2006 5:27 pm
by m0u53m4t
I have a form like this:

<form action="" method="get">
<input type="text" name="Name" size="24"><input type="text" name="rating" size="24"><input type="submit" name="submitButtonName">
</form>
Can anyone here base out (or complete if possible!) a script that would send the data from the form to my email address?

Posted: Wed Apr 19, 2006 6:01 pm
by LiveFree

<?php
if (isset($_GET['submitButtonName'])) {

    $name   = $_GET['Name'];
    $rating = $_GET['rating'];
    $email  = ''; // add your email here

    $body = <<<BODY
Hello,

$name has submitted a rating of $rating at your site
BODY;

    mail($email, 'You Have Mail!', $body);
} // end of the isset() check
?>

Mail Spammed

Posted: Thu Apr 20, 2006 12:59 am
by muthulingamj
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I used the following code on my site and it was hacked by somebody and was sending 1000s of emails.

<?php
// $name and $email are taken straight from the form; nothing is checked
// before they are placed into mail headers
$name   = "firstname";
$email  = "user email";
$header  = "From:$name<$email>\n";
$header .= "Reply-To: $email\n";
$header .= "X-Mailer: PHP/" . phpversion() . "\n";
$header .= "X-Sender-IP: " . $_SERVER['REMOTE_ADDR'] . "\n"; // client IP
$msg     = "Message here";
$subject = "Subject Here";
mail('support@host.com', $subject, $msg, $header);
?>


What would be the vulnerability of this code? Please help me.

Posted: Thu Apr 20, 2006 2:32 am
by andym01480

The vulnerability is in any of the user-entered input. Basically anyone can add headers by using \r\n. Each header in an email is separated by \r\n (or %0A when URL-encoded), so if they enter an email address followed by \r\n they can add more Bcc: and Cc: addresses and their spam message gets sent piggyback style.

There are a number of ways to protect yourself....

One is to limit the length of the email field to a reasonable length.

More important is an ereg to check for a valid email address. http://www.ilovejackdaniels.com/php/email-address-validation/ shows how, excellently. His solution is good. Others on Google are out of date as domains evolve, like .eu, .info etc.

And you can do a str_replace to get rid of unwanted nasties like \r\n, bcc:, cc: etc. I also use the code below to clear rude words from messages people enter.... It replaces naughty bits with a #.
All input that could end up as part of a mail() call should be filtered.

// Characters and header names that must never reach a mail() header.
// "\n" and "\r" are in double quotes so PHP turns them into real line breaks;
// in single quotes they would be the two literal characters backslash and n/r
// and the filter would never match an actual newline.
$naughtybits = array('\\', '+', ';', "\n", "\r", '%0A', 'Content-Type:', 'MIME-Version:',
                     'Content-Transfer-Encoding:', 'bcc:', 'cc:', 'rude words etc');
$email = str_replace($naughtybits, '#', $email);
Hope that helps


Posted: Thu Apr 20, 2006 8:49 am
by m0u53m4t
I uploaded it here : http://juniorfiles.t35.com/mail.html

With the html:

<form action="mail.php" method="get">
<input type="text" name="Name" size="24"><input type="text" name="rating" size="24"><input type="submit" name="submitButtonName">
</form>
and the php:

<?php
if (isset($_GET['submitButtonName'])) {

    $name   = $_GET['Name'];
    $rating = $_GET['rating'];
    $email  = 'junk4owen@hotmail.com'; // add your email here

    $body = <<<BODY
Hello,

$name has submitted a rating of $rating at your site
BODY;

    mail($email, 'You Have Mail!', $body);
    echo "email sent to $email with contents: $body";
}
?>
(I had to add a missing } and an echo) and when I run it, I don't get an error, just the echo, but no email.
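A version of mail.php that applies the advice from andym01480's post (reject header injection, validate the address, keep user data out of the headers) and also checks whether mail() accepted the message, which the script above never does. This is an added example, not code from any poster in this thread; it assumes the form is switched to method="post", that the recipient and From addresses are placeholders to be replaced, and that a modern PHP (7 or later, for the type hints and ??) is running.

```php
<?php
// Added example: a hardened mail.php for the Name / rating form in this thread.
// Assumptions: the form posts to this file, RECIPIENT and the From: address
// below are placeholders, PHP 7+.
const RECIPIENT = 'you@example.com'; // placeholder, replace with your address

// True if $value contains CR, LF or their URL-encoded forms, i.e. anything
// that could end a header line and start a new Bcc:/Cc: line.
function has_header_injection(string $value): bool
{
    return (bool) preg_match('/[\r\n]|%0[aAdD]/', $value);
}

// Reject rather than rewrite: a bad address is an error, not something
// to patch up with str_replace.
function is_valid_email(string $value): bool
{
    return strlen($value) <= 254
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false
        && !has_header_injection($value);
}

// Checks the two form fields; returns [ok, error message, clean data].
function validate_submission(array $input): array
{
    $name   = trim($input['Name'] ?? '');
    $rating = trim($input['rating'] ?? '');
    if ($name === '' || strlen($name) > 60 || has_header_injection($name)) {
        return [false, 'Invalid name', []];
    }
    // A rating is a small integer; anything else is rejected outright.
    if (!ctype_digit($rating) || (int) $rating < 1 || (int) $rating > 5) {
        return [false, 'Rating must be a number from 1 to 5', []];
    }
    return [true, '', ['name' => $name, 'rating' => (int) $rating]];
}

if (isset($_POST['submitButtonName'])) {
    [$ok, $error, $data] = validate_submission($_POST);
    if (!$ok) {
        http_response_code(400);
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
        exit;
    }

    // Only the body carries user data; the headers are fixed strings.
    $body = "Hello,\n\n{$data['name']} has submitted a rating of "
          . "{$data['rating']} at your site\n";
    $headers = "From: ratings@example.com\r\n"      // placeholder sender
             . "X-Mailer: PHP/" . phpversion();

    // mail() returns false when the local MTA refuses the message.
    // Log that instead of printing "email sent" unconditionally.
    if (!mail(RECIPIENT, 'New rating submitted', $body, $headers)) {
        error_log('mail() failed for rating submission');
        http_response_code(500);
        echo 'Could not send the message.';
        exit;
    }
    echo 'Thanks, your rating was sent.';
}
```

Note that a true return from mail() only means the message was handed to the local mail program; it says nothing about delivery. If the script prints the success message and nothing arrives, the next place to look is the host's mail configuration (free hosts often disable or throttle mail()) and the server's mail log, not the PHP code. The is_valid_email() helper is included for the case where a reply address is collected from the form; the Name/rating form above does not take one, which is exactly why the example never puts user input into From: or Reply-To:.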

Posted: Thu Apr 20, 2006 11:23 am
by feyd
"I Love JD"'s email address regex isn't standards compliant. This one is.
Roja wrote: That's why I generally link to the ValidateEmail function.
As for avoiding injection, we've had a discussion on it: viewtopic.php?t=44097