  1. #1
    New Coder
    Join Date
    Dec 2009
    Posts
    40
    Thanks
    4
    Thanked 0 Times in 0 Posts

    mail() from problem

    So I have a script that allows you to send text messages from online, and it works perfectly... Except for the fact that the from address defaults to the default (set by the server). Here is the script:

    PHP Code:
    <?php
    date_default_timezone_set('EST');

    // Read the submitted form fields.
    $prov = stripslashes($_POST['prov']);
    $to = stripslashes($_POST['num']);
    $message = stripslashes($_POST['txt']);
    $from = stripslashes($_POST['email']);
    if ($from == "") {
        $from = "anon@y.mous.com";
    }
    $headers = 'From: ' . $from . "\r\n" .
        'Reply-to: ' . $from;
    $subject = stripslashes($_POST['name']);

    // Required fields.
    if ($message == "") {
        die("Please fill out the required forms.");
    }
    if ($to == "") {
        die("Please fill out the required forms.");
    }
    if ($prov == "") {
        die("Please fill out the required forms.");
    }

    // Append the carrier's email-to-SMS gateway domain to the number.
    switch ($prov) {
        case "Verizon":
            $to .= "@vtext.com";
            break;
        case "ATT":
            $to .= "@txt.att.net";
            break;
        case "Alltel":
            $to .= "@message.alltel.com";
            break;
        case "TMobile":
            $to .= "@tmomail.net";
            break;
        case "VirginMobile":
            $to .= "@vmobl.com";
            break;
        case "Cingular":
            $to .= "@cingularme.com";
            break;
        case "Sprint":
            $to .= "@messaging.sprintpcs.com";
            break;
        case "Nextel":
            $to .= "@messaging.nextel.vom";
            break;
        case "USCellular":
            $to .= "@email.uscc.net";
            break;
        case "Suncom":
            $to .= "@tms.suncom.com";
            break;
        case "Powertel":
            $to .= "@ptel.net";
            break;
        case "MetroPCS":
            $to .= "@MyMetroPcs.com";
            break;
        default:
            echo "Select a provider.";
            break;
    }

    // Append the request details to the log file.
    $file = "logs/index.php";
    $fh = fopen($file, 'a') or die("can't open file");
    $string = "\$to = $to<br>
    \$prov =  $prov<br>
    \$message = $message<br>
    \$from =  $from<br>
    \$headers = $headers<br>
    Date = " . date("F j, Y, g:i a") . "<br>
    IP Address = " . $_SERVER['REMOTE_ADDR'] . "<br>
    <br>";
    fwrite($fh, $string);

    // Send the message and record the outcome.
    if (mail($to, $subject, $message, $headers)) {
        $string2 = "Mail sent to $to!<br><br>";
        fwrite($fh, $string2);
        echo "Mail sent to " . $to . "!";
    } else {
        $string3 = "Sorry Server Error.<br><br>";
        fwrite($fh, $string3);
        echo "Sorry Server Error.";
    }
    fclose($fh);
    ?>
    I can't figure out why it won't work.
    Last edited by pippin418; 02-15-2010 at 05:36 AM.

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,511
    Thanks
    8
    Thanked 1,090 Times in 1,081 Posts
    You didn't show us your form ...
    Are you sure that the user's email variable name is "email" and NOT "from"?

    $from = stripslashes($_POST['email']);

  • #3
    New Coder
    Join Date
    Dec 2009
    Posts
    40
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Code:
    <html>
    <head>
    <link rel="shortcut icon" type="image/x-icon" href="favicon.ico">
    <title>txtNow!</title>
    <script language="javascript" type="text/javascript">
    function limitText(limitField, limitCount, limitNum) {
    	if (limitField.value.length > limitNum) {
    		limitField.value = limitField.value.substring(0, limitNum);
    	} else {
    		limitCount.value = limitNum - limitField.value.length;
    	}
    }
    </script>
    <style type="text/css">
    input {font-family:"Lucida Sans Unicode", "Lucida Grande", sans-serif;}
    textarea {font-family:"Lucida Sans Unicode", "Lucida Grande", sans-serif;}
    body {font-family:"Lucida Sans Unicode", "Lucida Grande", sans-serif; background-image:url('back.png'); background-repeat: no-repeat; background-position: center center;} 
    #prov {width: 150px;}
    #footer {position: fixed; width: 100%; top: auto; right: 0; bottom: 0; left: 0; font-size: 8px;}
    </style>
    </head>
    <body>
    <form method="post" action="txt.php">
    <div id="prov" style="float: right;">
    Select recipient service provider:*<br>
    <input type="radio" name="prov" value="Verizon"> Verizon<br>
    
    <input type="radio" name="prov" value="ATT"> AT&T<br>
    <input type="radio" name="prov" value="Alltel"> Alltel<br>
    <input type="radio" name="prov" value="TMobile"> T-Mobile<br>
    <input type="radio" name="prov" value="VirginMobile"> Virgin Mobile<br>
    <input type="radio" name="prov" value="Cingular"> Cingular<br>
    <input type="radio" name="prov" value="Sprint"> Sprint<br>
    
    <input type="radio" name="prov" value="Nextel"> Nextel<br>
    <input type="radio" name="prov" value="USCellular"> US Cellular<br>
    <input type="radio" name="prov" value="SunCom"> SunCom<br>
    <input type="radio" name="prov" value="Powertel"> Powertel<br>
    <input type="radio" name="prov" value="MetroPCS"> Metro PCS
    </div>
    Recipient number (10 digits):*<br><input type="text" name="num" size="10" maxlength="10"><br>
    
    Your email (if you want to receive replies, defaults to anon@y.mous.com):<br><input type="text" size="30" name="email"><br>
    Your name (will appear as subject):<br><input type="text" name="name"><br>
    Message (100 characters max):*<br>
    <textarea name="txt" onKeyDown="limitText(this.form.txt,this.form.countdown,100);" 
    onKeyUp="limitText(this.form.txt,this.form.countdown,100);">
    </textarea><br>
    <span style="font-size: 10px;">You have <input readonly type="text" name="countdown" size="3" value="100"> characters left.</span><br>
    <input type="submit" value="txtNow!">
    </form>
    <div id="footer">
    By clicking "txtNow!" you verify that you know all information you submit and your IP address will be logged for safety/security purposes, and that these can be used against you if you commit a crime using this service.
    </div>
    
    </body>
    </html>
    Positive. (The Your email part)
    Last edited by pippin418; 02-15-2010 at 11:28 PM.

  • #4
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,511
    Thanks
    8
    Thanked 1,090 Times in 1,081 Posts
    Try this ...

    change these lines:
    $from = stripslashes($_POST['email']);
    if ($from == "") {
    $from = "anon@y.mous.com";
    }


    To:
    $from = "anon@y.mous.com";
    if(isset($_POST['email'])){
    $from = stripslashes($_POST['email']);
    }

  • #5
    New Coder
    Join Date
    Dec 2009
    Posts
    40
    Thanks
    4
    Thanked 0 Times in 0 Posts
    No go. Still sets the email as:

    pippin@cp01.lond03.uk.ltt.net
    (pippin is my cP name/hosting name so that makes sense)

  • #6
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,511
    Thanks
    8
    Thanked 1,090 Times in 1,081 Posts
    The way I understand it ...

    1) if they enter an email address, the $from shows their email address.
    2) if they do not enter an email address (leave it blank), it makes $from the default.

    Is that correct?

    Try your form again, and enter johndoe@aol.com as your email.
    See if $from shows up as "johndoe@aol.com".

  • #7
    New Coder
    Join Date
    Dec 2009
    Posts
    40
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Right and wrong. When they don't enter an email it defaults to anon@y.mous.com

    PHP Code:
    $from = "anon@y.mous.com";
    if (isset($_POST['email'])) {
        $from = stripslashes($_POST['email']);
    }

    $to = XXXXXXXXXX@vtext.com
    $prov = Verizon
    $message = Test
    $from = johndoe@aol.com
    $headers = From: johndoe@aol.com Reply-to: johndoe@aol.com
    Date = February 16, 2010, 12:00 am
    IP Address = XX.XX.XX.XX

    Mail sent to XXXXXXXXXX@vtext.com!

    I copied that directly from my log file. (I obviously edited out my number and IP)

    So yup all checks out.
    Last edited by pippin418; 02-16-2010 at 05:07 AM.

  • #8
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    Just in case: Please notice that your script is not really secure. It could be attacked with Mail Injection attacks. $_POST['num'] and $_POST['email'] could be used directly for it. They must be validated with regular expressions to make sure they contain only 1 e-mail address and nothing else. Also $_POST['name'] must be validated not to contain any new line and carriage return characters since it goes into the subject, which is part of the mail headers. Also you could need a good CAPTCHA on your mail form. Or the attacker could simply call your mail script in a loop many times, sending 1 message at a time, no matter whether you have validation or not.

    All this would lessen the possibility of the form being abused but would not exclude it completely. The attacker would still be able to send an e-mail from any e-mail address to any e-mail address manually, because both the FROM: and TO: mail headers are formed from the POST variables.

    There could be more security problems I have not noticed at first glance.

    My point is: this script had better be very seriously analyzed and secured before you use it in a production environment.

  • #9
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,511
    Thanks
    8
    Thanked 1,090 Times in 1,081 Posts
    Pippin, so it's working correctly?

    When you enter johndoe@aol.com it shows up?
    If you leave it blank, it switches to default?

  • #10
    New Coder
    Join Date
    Dec 2009
    Posts
    40
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Nope, the from variable is johndoe@aol.com

    But it still goes to the server default...

  • #11
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,511
    Thanks
    8
    Thanked 1,090 Times in 1,081 Posts
    Here's a quote from post #1:
    "Except for the fact that the from address defaults to the default "

    But now you're talking about the to address .... ???

    What the heck does this, $from = "anon@y.mous.com";
    have to do with who the email is sent to?

  • #12
    New Coder
    Join Date
    Dec 2009
    Posts
    40
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Where did I say to? The from address is the problem

    "Nope, the from variable is johndoe@aol.com"

  • #13
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,511
    Thanks
    8
    Thanked 1,090 Times in 1,081 Posts
    So I'm referring to this line in your form ....
    Your email (if you want to receive replies, defaults to anon@y.mous.com):<br><input type="text" size="30" name="email"><br>

    If a person types "billsmith@aol.com" into that text box, the $from variable will be "billsmith@aol.com".

    If a person leaves the text box BLANK, the $from variable will be "anon@y.mous.com".

    Post #7 ... quote: "So yup all checks out."
    Post #10 .... quote: "Nope, the from variable is johndoe@aol.com ... But it still goes to the server default... "

    Is it a "yup" or a "nope"?


    .
    Last edited by mlseim; 02-17-2010 at 03:27 AM.

  • #14
    New Coder
    Join Date
    Aug 2003
    Location
    Derby, UK
    Posts
    97
    Thanks
    0
    Thanked 14 Times in 14 Posts
    Depending on the server set-up you may not be able to set the from address or you may be able to but only by using a command line parameter. Check the php manual for mail and you will see:

    The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.
    so try adding an extra fifth parameter to the mail call with '-f '.$from.

    Note however that:
    • The server may (should?) not be happy sending emails claiming to be from a domain it does not control so it may refuse
    • Allowing the client to specify the from address, to address and message content is an invitation to spammers, basically you have just created a method for them to send thousands of their spams all around the world using your server (or your host's servers). This will get the server blacklisted and more than likely get you thrown off your hosting.
    • Even if you only allow to address to come from the client you need to sanitise it very carefully to avoid email header injection (especially be careful of CRLF), otherwise again you have created a lovely spam tool.


    Sorry to be a doom and gloom merchant, but email forms are a prime attack vector and spammers are just waiting for a script like this to make their day.
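
The server-side validation that posts #8 and #14 call for, as an added example (not code from any poster in this thread). `has_break`, `build_mail`, `SENDER` and `noreply@example.com` are hypothetical names, and the example goes one step beyond the thread by keeping From fixed on a server-owned address and using the visitor's address only as Reply-To.

```php
<?php
// Added example. Gateway domains are copied from the thread's switch (subset).
const GATEWAYS = ['Verizon' => 'vtext.com', 'ATT' => 'txt.att.net', 'TMobile' => 'tmomail.net'];
// Assumption: a fixed address on a domain this server is allowed to send for.
const SENDER = 'noreply@example.com';

// True if $v contains CR, LF or NUL, the bytes that can end a header line early.
function has_break(string $v): bool { return preg_match('/[\r\n\0]/', $v) === 1; }

// Returns [to, subject, body, headers]; throws naming the field that failed.
function build_mail(array $post): array
{
    // Non-string input (such as num[]=...) is treated as empty.
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';
    [$num, $prov, $email] = [$get('num'), $get('prov'), $get('email')];
    [$name, $body] = [$get('name'), $get('txt')];

    // Exactly 10 ASCII digits; \A and \z leave no room for a trailing newline.
    if (preg_match('/\A[0-9]{10}\z/', $num) !== 1) throw new InvalidArgumentException('num');
    // Allowlist lookup: an unknown provider stops here instead of falling through.
    if (!array_key_exists($prov, GATEWAYS)) throw new InvalidArgumentException('prov');
    // The subject is a header line, so it gets the CR/LF check (60 is an arbitrary cap).
    if (has_break($name) || strlen($name) > 60) throw new InvalidArgumentException('name');
    // The form's 100-character limit, enforced on the server as well.
    if ($body === '' || strlen($body) > 100) throw new InvalidArgumentException('txt');

    // From stays fixed; the visitor's address is only ever used as Reply-To.
    $headers = 'From: ' . SENDER;
    if ($email !== '') {
        if (has_break($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('email');
        }
        $headers .= "\r\nReply-To: " . $email;
    }
    return [$num . '@' . GATEWAYS[$prov], $name, $body, $headers];
}

// Constructed inputs: one clean, one with CRLF plus an extra header in "email".
$ok  = ['num' => '5550100000', 'prov' => 'Verizon', 'txt' => 'Test', 'name' => 'Al', 'email' => 'al@example.com'];
$bad = ['email' => "al@example.com\r\nX-Extra: 1"] + $ok;
foreach ([$ok, $bad] as $post) {
    try {
        [$to, $subject, $body, $headers] = build_mail($post);
        // Real use: mail($to, $subject, $body, $headers, '-f' . SENDER);
        echo "accepted: $to\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected field: ' . $e->getMessage() . "\n";
    }
}
```

Validation of this kind closes the header-injection path only; the repeated-submission abuse raised in posts #8 and #14 still needs a CAPTCHA or rate limiting in front of it.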

  • #15
    New Coder
    Join Date
    Dec 2009
    Posts
    40
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by mlseim View Post
    So I'm referring to this line in your form ....
    Your email (if you want to receive replies, defaults to anon@y.mous.com):<br><input type="text" size="30" name="email"><br>

    If a person types "billsmith@aol.com" into that text box, the $from variable will be "billsmith@aol.com".

    If a person leaves the text box BLANK, the $from variable will be "anon@y.mous.com".

    Post #7 ... quote: "So yup all checks out."
    Post #10 .... quote: "Nope, the from variable is johndoe@aol.com ... But it still goes to the server default... "

    Is it a "yup" or a "nope"?


    .
    I was talking about the from variable is what you entered in the email form for "yup".

    You're right about:
    If a person types "billsmith@aol.com" into that text box, the $from variable will be "billsmith@aol.com".

    If a person leaves the text box BLANK, the $from variable will be "anon@y.mous.com".

