Mailing problem

Posted: Fri May 12, 2006 6:26 am
by Longlands
I'm trying to capture a visitor's name and email address to be sent on to my autoresponder (normally this would be done with the autoresponder form, but I need to go to a php script first to do some other things).

The html form captures the information in 'name' and 'email' and passes them to a php script via POST.

Here is the code I've used in the php script:

<?php
$name = $_REQUEST['name'];
if ($name=="") {$name="Friend";};
$email = $_REQUEST['email'];

$to = 'tracker@accountname.emailaces.com'; // the autoresponder signup by email address.
$subject = 'Subscribe';
$headers = "From: $name <$email>\n" .
       "MIME-Version: 1.0\r\n" .
       "Content-Type: text/html; charset=utf-8\r\n" .
       "Content-Transfer-Encoding: 8bit\r\n\r\n";

mail($to, $subject, $headers);
?>

An email is being sent to the autoresponder, but the username is logged as 'Nobody' and the email address is nobody@buffalo. etc (my server's root address, I guess).

Something isn't right! Can anyone tell me what?

Thanks.

Martin

Posted: Fri May 12, 2006 6:33 am
by $phpNut
Try using $_POST instead of $_REQUEST ...

Posted: Fri May 12, 2006 6:55 am
by Longlands
I should have been clearer - the name and email variables are making it through to the php script okay - I've echo'd them and they are there. The problem seems to be that they are not being passed through to my autoresponder via the mail() function properly. I'm thinking that I've just written the $headers part wrong, but that is just a guess.

Martin

Posted: Fri May 12, 2006 7:07 am
by $phpNut
OK, from what I gather from php.net:

bool mail ( string to, string subject, string message [, string additional_headers [, string additional_parameters]] )
you have

mail($to, $subject, $headers);
you're missing the content or string message ...

so:

mail($to, $subject, $content_b4_headers, $headers);
any help? I won't lie I've never used this function before :)

Posted: Fri May 12, 2006 7:27 am
by Chris Corbyn
Also, try changing Content-Transfer-Encoding to 7bit instead of 8bit.

Posted: Fri May 12, 2006 7:44 am
by Longlands
Thanks guys, it works now!

Martin

Posted: Fri May 12, 2006 10:48 am
by timvw
Actually, there is still a serious problem: You don't validate user input...

What if the submitted name has newlines in it? Are you aware of the effects on the mail function?
If you're wondering what I'm talking about: detailed information.
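The two points raised in this thread (the missing message argument that $phpNut spotted, and the header-injection risk timvw raises) can be shown together in one script. The following is an added example, not the original poster's code or anything from this forum: it keeps the same form fields ('name' and 'email') and the same autoresponder idea, but uses a placeholder destination address, and the helper functions safe_header_name(), safe_email() and build_headers() are names chosen here for illustration.

```php
<?php
// Added example (not the thread's own code): the corrected mail() call plus the
// input validation timvw asks for. Assumes the form posts 'name' and 'email'
// and that the autoresponder subscribes whatever address appears in From:.

declare(strict_types=1);

/**
 * Return the visitor's name if it is safe to place in a header, otherwise null.
 * Header injection relies on smuggling CR/LF into a header value, so any
 * control character is grounds for rejecting the request rather than "cleaning".
 * Angle brackets and quotes are rejected too, since they delimit the address.
 */
function safe_header_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '') {
        return 'Friend';                       // same default as the original script
    }
    if (preg_match('/[\x00-\x1F\x7F<>"]/', $name)) {
        return null;
    }
    if (strlen($name) > 100) {                 // keep the header a sane length
        return null;
    }
    return $name;
}

/**
 * Validate the address with PHP's built-in filter. FILTER_VALIDATE_EMAIL
 * rejects whitespace and line breaks, so it blocks injection via this field.
 */
function safe_email(string $email): ?string
{
    $email = trim($email);
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

/** Headers as the thread settled on them: CRLF throughout, 7bit encoding. */
function build_headers(string $name, string $email): string
{
    return "From: $name <$email>\r\n"
         . "Reply-To: $email\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=utf-8\r\n"
         . "Content-Transfer-Encoding: 7bit\r\n";
}

// $_POST rather than $_REQUEST, so cookies and query strings cannot supply the values.
$name  = safe_header_name((string) ($_POST['name']  ?? ''));
$email = safe_email((string) ($_POST['email'] ?? ''));

if ($name === null || $email === null) {
    http_response_code(400);
    exit('Invalid name or email address.');
}

$to      = 'tracker@ACCOUNT-PLACEHOLDER.example.com'; // placeholder, not the poster's address
$subject = 'Subscribe';
$message = "Please subscribe $name <$email>.";         // the argument the original call left out

$headers = build_headers($name, $email);

// mail(to, subject, message, additional_headers): message and headers are separate
// arguments, which is what the original call got wrong.
if (!mail($to, $subject, $message, $headers)) {
    error_log('mail() failed for a subscription request');
}
```

Rejecting bad input outright (HTTP 400) is deliberate: stripping newlines out of a name silently accepts a request that was clearly not typed by a visitor, whereas a rejection can be logged and counted. One caveat for this design in general: putting the visitor's address in From: means the mail claims to come from a domain you do not control, which modern SPF/DMARC checks may reject; where the autoresponder allows it, a From: on your own domain with the visitor in Reply-To: is the safer layout.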

Posted: Fri May 12, 2006 12:12 pm
by Longlands
Hi timvw,

The script I showed was just a proof of concept, so no error checking had been included. That was to be my next task!

However, I wasn't aware of the particular exploit that you pointed out, so I'm very grateful for your input and the link you provided.

Thanks,

Martin.

Posted: Fri May 12, 2006 1:06 pm
by timvw
Glad to help :)

(There are just way too many people that simply copy-paste code samples.. I see it as an extra motivation to make sure they don't copy-paste flawed code ;))