email with php - please help 1

736xl

IS-IT--Management
Sep 14, 2005
89
US
I would greatly appreciate some help. I am using PHP in my Flash page to send email. The code is:

<?
$subject="from".$_GET['your_name'];
$headers= "From:".$_GET['your_email']."\n";
$headers.='Content-type: text/html; charset=iso-8859-1';
mail($_GET['ssphoenix@comcast.net'], $subject, );
<html>
<head>
<title>Contact letter</title>
</head>
<body>

<br>
".$_GET['message']."
</body>
</html>" , $headers);
echo ("Your message was successfully sent!");
?>
<script>
resizeTo(300, 300)
//window.close()
</script>


It doesn't work and I'm not sure why. But one issue I see is in the browser address bar (when I press the submit button): the code contains %30 and %40 characters between the information that is supposed to show, i.e.

I would greatly appreciate if anyone can help.

Thanks in advance.
 
%20 is used in place of a space character, as spaces are not allowed in URLs. %40 represents an @-character.



This line:

mail($_GET['ssphoenix@comcast.net'], $subject, );

is troublesome on several points. First, do you have an element of the superglobal $_GET array with the index "ssphoenix@comcast.net"? It seems unlikely. It seems more likely that "ssphoenix@comcast.net" is a string literal that is the recipient of the emails. So that part of the line would be written:

mail('ssphoenix@comcast.net', $subject, );

Second, that last comma would indicate that more parameters to the mail() function are forthcoming. If not, make the function call:

mail('ssphoenix@comcast.net', $subject);


Then here's this line:

</html>" , $headers);

Which appears to continue the earlier mail() invocation. But there seem to be missing quotes somewhere.


Next, I see an "<?" (which is better to be "<?php"), but I do not see any matching "?>". There is no way this script would run. You should be getting error messages.


Lastly, this script represents a massive security hole on your system. A spammer, should he find this script on a public web server, could easily use the script to send lots of emails through your server.

Want the best answers? Ask the best questions!

TANSTAAFL!!
 
sleipnir214


Very much thanks for your help. I haven't tried your pointers yet. Sorry about the missing items, as I do have them in my original code. I just played with them so much that I didn't realize they were there.

I do have one question about security. This code is in quite a few places and seems to be common. The other part of the Flash code is limited to only a few KBs of data by not using _POST options. Unless my website host has such a public place, I don't see how code like this would be relevant.

Again, I greatly appreciate your help.


Thanks
 
How does this code present a serious security hole?

Thanks again.
 
This script would be able to be called by anyone from anywhere using the GET method - e.g. a page link to ....

If you use a form and POST method, the external linkage can't be done as easily.

If you use a form and POST method and check the referring page to ensure it's your form, things will be a bit more secure.

______________________________________________________________________
There's no present like the time, they say. - Henry's Cat.
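
The hardening discussed in the replies above, as an added example that is not part of the original thread: the recipient is fixed on the server, only POST is accepted, and visitor-supplied values are validated and stripped of line breaks before they reach mail(). The field names come from the original script; the example.com addresses and the helper names are placeholders chosen for this example.

```php
<?php
// Added example, not code from the thread. Field names (your_name, your_email,
// message) match the original script; the addresses below are placeholders.
const RECIPIENT = 'recipient@example.com'; // fixed server-side, never read from the request
const SENDER    = 'noreply@example.com';   // envelope/From address owned by the site

// Replace CR/LF and other control characters so a value cannot start a new mail header.
function clean_header_value(string $value): string
{
    return trim((string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
}

// Validate the submitted fields; returns [to, subject, body, headers] or null if rejected.
function build_contact_mail(array $post): ?array
{
    $name    = clean_header_value((string) ($post['your_name'] ?? ''));
    $email   = (string) ($post['your_email'] ?? '');
    $message = (string) ($post['message'] ?? '');

    // FILTER_VALIDATE_EMAIL rejects addresses that contain line breaks or extra header text.
    if ($name === '' || $message === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Escape the message so submitted markup is displayed as text in the HTML mail.
    $body = "<html><head><title>Contact letter</title></head><body><br>\n"
          . nl2br(htmlspecialchars($message, ENT_QUOTES, 'ISO-8859-1'))
          . "\n</body></html>";

    // The visitor's address goes in Reply-To only; From stays an address the site controls.
    $headers = 'From: ' . SENDER . "\r\n"
             . 'Reply-To: ' . $email . "\r\n"
             . 'Content-type: text/html; charset=iso-8859-1';

    return [RECIPIENT, 'from ' . $name, $body, $headers];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}
$mail = build_contact_mail($_POST);
if ($mail === null || !mail(...$mail)) {
    http_response_code(400);
    exit('Your message could not be sent.');
}
echo 'Your message was successfully sent!';
```

Because the recipient never comes from the request, the script can only deliver to the site owner's mailbox, whatever a caller submits.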
 
sleipnir214

I got the chance to try your advice. I think the $headers); you've mentioned doesn't have anything missing. I think the code after mail(_GET... goes all the way to $headers);

However, I tried it and was still not successful. I really don't know why. Do I need to compile this code? Is there any debug utility I could use?

Again, thanks for your help. I am about to switch to something else.

Thanks
 
PHP is an interpreted language. There is a family of compilers which treat PHP code as something akin to server-side Java code, but they are not necessary.

There are developer environments for PHP, some of which may give you debugging tools, but I am not familiar with them. Under a default configuration, you should be getting error messages from the interpreter. Since you are reporting no errors, it may be that your PHP installation has error reporting turned off. In php.ini, check the settings for display_errors (you'll need it set to "on") and error_reporting (try "E_ALL" for this one).

Remember, if you change a php.ini setting, you will likely have to restart your web browser for PHP to pick up the changed settings.


