PHP email script


#1
amunra

In order to use this script your host MUST have an email server installed. If you are hosting it you must have an email server installed. If you do not have one go to google.com and do a search for free email servers. I am currently using CMailServer trial which only allows 5 email addresses. In this lesson you will learn how to create a PHP feedback script that will email the indicated email address using the user's email address and message. First you need to open Notepad and enter the following code:
<form method="post" action="sendmail.php">
Email: <input name="email" type="text" /><br />
Message:<br />
<textarea name="message" rows="15" cols="40">
</textarea><br />
<input type="submit" />
</form>
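Save it as feedback.html.
Open a clean window of Notepad and enter the following code:
<?php
// Read the submitted fields ($_REQUEST accepts both GET and POST data)
$email = $_REQUEST['email'];
$message = $_REQUEST['message'];

// Send the message; the visitor's address goes into the From header
mail( "email address", "subject text",
$message, "From: $email" );
// Redirect the visitor afterwards
header( "Location:url" );
?>
Save this as sendmail.php.
Now let's break the code down starting with feedback.php.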
<form method="post" action="sendmail.php">
This tells the browser that it will pin the user submitted contents of this form to sendmail.php.
Email: <input name="email" type="text" /><br />

This is the code for a text input box called email. The same goes for
Message:<br />
<textarea name="message" rows="15" cols="40"></textarea>

<input type="submit" />
This tells the browser to run the script and send the contents to sendmail.php.
Now onto sendmail.php
$email = $_REQUEST['email'];
$message = $_REQUEST['message'];
This is where the email address and message are sent and stored temporarily. The text inside ['text'] is the field name in feedback.html.
mail("email address", "subject text",
The word mail at the beginning tells the server to send the form results to email address with the subject subject text. You will want to change these to your own.
$message, "From: $email" );
This part of the code tells the PHP server what to include in the email. The $message will make the server look at this line of code and include it in the body of the message:
$message = $_REQUEST['message'];
The "From: $email" tells the server to include this line of code in the from section:
$email = $_REQUEST['email'];
Then the code below tells the browser to send the client to another website like a thank you page or something.
header("Location:url" );
You will want to change the url to the location of your thank you page or whatever you want. If you want to learn more about PHP URL redirects visit my other post here. That topic is on how to create a URL redirect page that used a command from the address bar to determine where to send you.

Any feedback on this lesson is welcome. Please let me know.

#2
Leroy Lim

Lol, you do not need an SMTP server locally available; you can use your ISP mail server too if you make the changes to the php.ini file in the C:\WINDOWS directory or where you put php.ini (I do not know where in Linux), if you have access to the server.

#3
GameMakerThomas

You can mail multiple recipients by delimiting with the comma.
E.G. "foo@bar.com,thomas@roxrs.com,po@ta.to" would mail to all three emails.

-Thomas

#4
brendandonhue

I would not recommend using that script on a live server. It's insecure and could be used to send spam through your site.

Edited by brendandonhue, 12 January 2006 - 03:31 PM.


#5
ScHwErV

I have been using a mail script very similar to this for the last 3-5 years and have had absolutely no problems with spam. I have used it on multiple domains, all with minor changes.

If this is unsecure, please feel free to write a tutorial on the secure way to do it.

@amunra - Thank you for posting this.

ScHwErV :tazz:

#6
brendandonhue

I'm glad you haven't had problems with it, but the script is still vulnerable.
The problem is letting the user insert headers into the email. One could set CC or BCC headers and mass mail recipients besides the one intended. This junk mail would be sent from your mail server, and I'm sure you don't want your webhost to end up on spam blacklists.
webdevfaqs.com has a nice form to mail script.

Edited by brendandonhue, 14 January 2006 - 03:18 PM.


#7
amunra

This is my third script and I want to get down the basic idea of php before I get into securing them. After all it is only a simple script and you can change it any way you want.

#8
brendandonhue

Ok, I hope you aren't running it on a live site.

#9
ScHwErV


"Ok, I hope you aren't running it on a live site."

Wow, that was awful helpful.

"The problem is letting the user insert headers into the email."

:) The header is set by the scripter, not by the user. I think you misunderstood the script.
header("Location:url" );
This is for redirects, not to post a header into the email.

ScHwErV :tazz:

#10
brendandonhue

I didn't misunderstand the script, I'm talking about the email headers as a parameter to the mail() command. The user can insert any header into the email- To, Subject, Cc, Bcc, etc. I have tested this script and it can be used to send any number of emails to any number of recipients. I can post an example of it if you'd like (or PM it as posting an "exploit" isn't such a great idea.) I'm not being a jerk here...simply explaining that running this script basically turns your form into an open relay. The poster asked for feedback and I thought that would be a helpful thing for him to know.

Edited by brendandonhue, 15 January 2006 - 05:25 PM.


#11
Magosis

Ok, I could be missing the point in the script, but as PHP does not render outside of the host server, at what point could the user insert modifications to the e-mail header? I'm not seeing anything, and to my knowledge if the header parameter is left blank in the mail(); it uses the default header of the outgoing mail server.

#12
admin

brendandonhue, this is a forum, so please go ahead and post your exploit. If it's deemed valid we'll remove this tutorial, and/or fix it. We also reserve the right to delete your post if it may pose a security risk to other sites.

#13
brendandonhue

Ok, so you've got this script at http://mysite.com/sendmail.php
Enter this in your browser's address bar, and there you go
http://www.mysite.com/sendmail.php?email=sender@hotmail.com%0aTo:%20recipient@gmail.com&message=Exploited

That inserts a To: header, adding another recipient to the email.

#14
Magosis

But he is using a post method, not a get method, for the form. OK, I see, the issue is that he is using the $_REQUEST tag; try using $_POST.

Edited by Magosis, 16 January 2006 - 05:07 PM.


#15
brendandonhue


"But he is using a post method not a get method for the form"

It doesn't make any difference what method the form uses. The script accepts both GET and POST data, it only uses the $_REQUEST superglobal.

Edited by brendandonhue, 16 January 2006 - 05:11 PM.
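
A hardened version of the handler discussed in this thread, as an added example that is not part of any poster's message: it reads only POST data, rejects any address containing a line break, and puts the visitor's address in Reply-To behind a fixed From. SITE_TO, SITE_FROM, THANKS_URL and the helper names clean_sender and build_headers are assumptions; the sample inputs are constructed, the second being the decoded value from post #13.

```php
<?php
// Placeholder settings (assumptions, not values from the thread).
const SITE_TO    = 'webmaster@example.com';
const SITE_FROM  = 'feedback-form@example.com';
const THANKS_URL = '/thanks.html';

// Return the address only if it is one syntactically valid mailbox with no
// line break; CR/LF is what lets extra headers ride along in the 4th argument.
function clean_sender($raw): ?string {
    if (!is_string($raw) || preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $addr = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Build the header block from fixed values plus the validated address only.
function build_headers(string $sender): string {
    return 'From: ' . SITE_FROM . "\r\n" . 'Reply-To: ' . $sender;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs, run from the command line to see the verdicts.
    $samples = [
        'sender@hotmail.com',
        "sender@hotmail.com\nTo: recipient@gmail.com",
        'a@example.com, b@example.com',
    ];
    foreach ($samples as $s) {
        $ok = clean_sender($s);
        echo json_encode($s), ' => ', ($ok === null ? 'rejected' : 'accepted'), PHP_EOL;
    }
    exit;
}

// POST only narrows the input to the form body; a POST can still be forged,
// so the validation in clean_sender() is what stops injected headers.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
$sender  = clean_sender($_POST['email'] ?? null);
$message = $_POST['message'] ?? '';
if ($sender === null || !is_string($message) || trim($message) === '') {
    http_response_code(400);
    exit('Invalid input');
}
mail(SITE_TO, 'Feedback form', $message, build_headers($sender));
header('Location: ' . THANKS_URL);
```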
