| abstract |  |
Although PHP has a built-in mail() function for sending email, it is quite insecure and takes non-obvious arguments.
Here is an example of an easy-to-use and reliable mail function.
| compatible |  |
ae_send_mail (below) can send mail when called with just four arguments: from, to, subject, text. To avoid email injection (using malformed parameters to send spam through mail()), carriage return and line feed characters are removed from the from, to and subject values and from any extra headers.
<?php
// Remove CR and LF so that a value cannot start a new header line.
// Declared at top level so that ae_send_mail() can be called more than once.
function _rsc($s)
{
    $s = str_replace("\n", '', $s);
    $s = str_replace("\r", '', $s);
    return $s;
}

function ae_send_mail($from, $to, $subject, $text, $headers="")
{
    // Header separator: CRLF on Windows, LF elsewhere.
    if (strtolower(substr(PHP_OS, 0, 3)) === 'win')
        $mail_sep = "\r\n";
    else
        $mail_sep = "\n";

    // Build the optional extra headers from the associative array.
    $h = '';
    if (is_array($headers))
    {
        foreach($headers as $k=>$v)
            $h .= _rsc($k).': '._rsc($v).$mail_sep;

        if ($h != '')
        {
            // Drop the trailing separator and put one in front instead.
            $h = substr($h, 0, strlen($h) - strlen($mail_sep));
            $h = $mail_sep.$h;
        }
    }

    $from = _rsc($from);
    $to = _rsc($to);
    $subject = _rsc($subject);

    mail($to, $subject, $text, 'From: '.$from.$h);
}
?>
Besides $from, $to, $subject and $text, there is an optional $headers argument, in associative array format, like:
array( "Header1" => "value", "Header2" => "value" )
Header names and values are also checked for injection.
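The effect of stripping CR and LF can be checked without sending any mail. The following is an added example, not AnyExample.com code: strip_crlf(), build_header_block() and header_names() are hypothetical helpers that assemble the header string the way ae_send_mail does and list the header fields a mail server would parse from it, and the form input is constructed.

```php
<?php
// Added example, not AnyExample.com code. All function names are hypothetical.

// Same job as _rsc() above: drop CR and LF from a header name or value.
function strip_crlf($s)
{
    return str_replace(array("\r", "\n"), '', $s);
}

// Assemble "From" plus extra headers the way ae_send_mail() does, but return
// the string instead of passing it to mail(). CRLF is assumed as separator.
function build_header_block($from, array $headers, $sanitize)
{
    $lines = array('From: ' . ($sanitize ? strip_crlf($from) : $from));
    foreach ($headers as $k => $v) {
        $lines[] = $sanitize ? strip_crlf($k) . ': ' . strip_crlf($v)
                             : $k . ': ' . $v;
    }
    return implode("\r\n", $lines);
}

// List the header field names a mail server would parse out of the block.
function header_names($block)
{
    $names = array();
    foreach (preg_split('/\r\n|\r|\n/', $block) as $line) {
        if (preg_match('/^([!-9;-~]+):/', $line, $m)) {
            $names[] = $m[1];
        }
    }
    return $names;
}

// Constructed form input: the sender field carries an extra header line.
$from    = "Visitor <visitor@example.com>\r\nX-Injected: 1";
$headers = array('X-Mailer' => 'PHP script at www.example.com');

$raw  = header_names(build_header_block($from, $headers, false));
$safe = header_names(build_header_block($from, $headers, true));
echo 'without stripping: ' . implode(', ', $raw) . "\n";
echo 'with stripping:    ' . implode(', ', $safe) . "\n";

// Regression check: only the headers the caller asked for may be present.
$expected = array_merge(array('From'), array_keys($headers));
if ($safe !== $expected) {
    echo "header injection not neutralised\n";
    exit(1);
}
```

With stripping, the injected text stays glued to the end of the From value, so the message still has a malformed sender; a form handler may prefer to reject input containing CR or LF instead of cleaning it.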
Here is an example page that uses the ae_send_mail function. It can be used as a 'contact' page to mail web form data to the site administrator.
To run this example, copy and paste its contents into an empty PHP file and set the $site_admin variable to your (the site administrator's) email address.
<?php
$site_admin = 'your@email.adress';

// function ae_send_mail (see code above) is pasted here

if (($_SERVER['REQUEST_METHOD'] == 'POST') &&
    isset($_POST['subject']) && isset($_POST['text']) &&
    isset($_POST['from1']) && isset($_POST['from2']))
{
    $from = $_POST['from1'].' <'.$_POST['from2'].'>'; // nice RFC 2822 From field

    ae_send_mail($from, $site_admin, $_POST['subject'], $_POST['text'],
        array('X-Mailer'=>'PHP script at '.$_SERVER['HTTP_HOST']));
    $mail_send = true;
}
?>
<html><head><title>Send us mail</title>
</head><body>
<?php
if (isset($mail_send)) {
    echo '<h1>Form has been sent, thank you</h1>';
}
else {
?>
<!-- REQUEST_URI comes from the client, so it is escaped before being written into the attribute -->
<form action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES); ?>" method="post">
Your Name: <input type="text" name="from1" size="30" /><br />
Your Email: <input type="text" name="from2" size="30" /><br />
Subject: <input type="text" name="subject" size="30" /><br />
Text: <br />
<textarea rows="5" cols="40" name="text"></textarea>
<input type="submit" value="send" />
</form>
<?php
}
?>
</body></html>
| warning |  |
- Because the ae_send_mail function uses PHP's internal mail() function, it has the same mail transport configuration issues as the original PHP mail().
| tested by AnyExample.com on 2006-07-30 |  |
- FreeBSD 5.2 :: PHP 5.1.4 :: Postfix 2.3