Adding to this

[Wulfgen]

I've been fiddling about with this script to get it to add the email post variable to a flatfile which works well (I need to grab all the entered email names for a newsletter... (there is a single field in a form for the user to fill in their email address)
however, I've been trying to have it send an email notice to the admin (me)@myaddress to notify me whenever anybody fills in the field -

and I've tried this but... any ideas on where I'm going wrong

//Modified this to my email address
$sendto='me@myaddress.com';

//Modified this for displaying the subject in the mail
$subject="Subscription Notice";

//Modified this for displaying the info in the mail
mail($sendto,$subject,$message,"From: <$email>");

<?php 
//get email value from POST variable
$email = trim($_POST['email']);
//add a new line for Each email address
$email .="\n"; 
//initialize the variable
$fileName = "subscribe.txt";
//open files
if (is_writable($fileName)) {
	if(!$fp = fopen($fileName,"a")){
		echo "status=Can't open the file name $fileName";
		exit;
	}
	if (fwrite($fp,$email) === FALSE) {
		echo "status=Can't write to $fileName";
		exit;
	}
	echo "status=ok";
	fclose($fp);
} else {
	echo "status=The file $fileName is not writable";
}
?>

 

[jpadie]

try this instead:

mail($sendto,$subject,$message,"From: ". rtrim($email ."\r\n");

i.e. get rid of the angle braces

 

[Wulfgen]

tried it but it creates error - doesnt write to the database file ($fileName = "subscribe.txt" for some reason

tried this though - mail($sendto,$subject,$message,"This is from:......$email""); - and it sends the email wih the email in the body of the email but, the $subject="Subscription Notice"; doesnt work...grrrr

 

[Wulfgen]

kinda figured it: I used this

mail($sendto,$subject,$message,"From: <$email>\r  This is from:......\n  $email\n_______________________________________\n\n+ + + + + + + + + + + + + + + + + + + +");

it works the mail comes thru with the email subject "Newsletter Subscription" and the email name in the email address from whom sent it but in the body I get an extra ">" -- as you can see here:
>
This is from:......
wert@sdffsgn.com

_______________________________________

+ + + + + + + + + + + + + + + + + + + +


strange how I get the ">" at the beginning of the email text -- how would I get rid of that?

 

[jpadie]

I have no idea where you ended up. i'm amazed that the header worked with your MTA as the variable $email contains new line characters according to your code. This will break most MTA's sfaik. and i'm also amazed that your MTA will take part of the message in the header.

Whilst this is not impossible you are not providing any content types or similar which (i had thought) most MTA's would spit out as illegal.

The change that I suggested above does not have any effect at all on the fwrite() function so if you are getting an error, look elsewhere in the code for its source.

lastly, be aware that including user input in a header leads to a potential security hole unless you are religiously cleansing the data first. This is more than a "trim". you need to make sure that no characters that might create multiple headers or multiple addresses are present. if you don't feel up to this, then i'd recommend using phpmailer.

 

[Wulfgen]

You're right - but at the moment I'm testing to make sure its working and by putting the user in the header is just to let me know its working right - I'll remove it later on the final version

As far as the other part goes - all the flash file has in it, is the input text field which using (post) send the info to this php file

 

[jpadie]

flash file? anyway, it appears that you are using the email field as a header. imagine that i entered this in the field

Justin.Adie@example.com\r\nBcc: spurious@example.com, naughty@example.com\r\nContent-Type: text/html; \r\n\r\n\r\nMessage: this is an email injection attack\r\n

if you do not have some cleansing of data going on, then imagine what your header will look like now!

 

[Wulfgen]

Yep!
it gathers all that and places it into the header as well as the body of the email - taking out the email in the header produces this (Apache <apache@web1.myhostservice.com> with just the word Apache in the email list

Is there a way to hard encode a header string to this so it will read as:

(header) Submission Notification (the first line)
then uses the $subject="Subscribe me to Healthy Pet"; (the second line)

then I can add all the /n/r parts to the message

 

[jpadie]

the header of the message is what the MTA uses to route the message and communicate with smtp servers. it should not be used (imo) for the message parts itself.

so i would hardcode the header with just the From: header and include everything else in the message.

even then, in the from bit, make sure that the value you insert is secure. ie. send it from yourself and put the actual sender's mail address in the mail body

$me = "me@example.com";
mail($me, "Submission Notification", '

Subscribe me to a healthy pet

A submission notification request was received at '.date ("Y-m-d h:i:s") . ' from ' . trim($_POST['email'], "From: $me\r\n\r\n);