PHP mail function - Header security? Hey everyone, I'm messing around with the PHP mail function and I noticed that when you look at the properties of the message that was sent there are headers with a ton of information. Some of this information shows my cPanel login and server info. I use Hostgator hosting. Should I be concerned with this or is this pretty normal? I've been doing some research on using something else to send e-mails but I don't yet understand these or if they are necessary. As always, thanks for the help! pc
You can set your own headers: http://us3.php.net/manual/en/function.mail.php
I've tried messing around with changing the headers previously but the information is still there - mostly in the 'Received' portions of the message. Maybe I'm missing something but here's what I've been playing with so far... Code:
$to = 'whoever@xyznet';
$subject = 'the subject';
$message = 'test';
$headers = 'From: contact@xyznet' . 'Received: contact@xyznet' . 'Reply-To: contact@xyznet' . "\r\n";
mail($to, $subject, $message, $headers, "-fcontact@xyznet");
What do you think? Thanks! pc
No matter what you use - depending on the server - different kinds of information are added by default, and you can't change those values. "Received by...", IP address, etc. Most hosts will also add a patch to PHP so that it includes the script that sends the email.
I'm not following the last part of this. A host can add a patch to PHP so that it will include the script that sent the e-mail. Does this mean that the script code is somewhere that people can see? I must be overlooking something as this doesn't make sense. Thanks again for the help! pc
I assume you mean you don't get this >> What SV is saying is that to help the host know where your PHP file is if you are sending out spam (ie: by reading this line, if someone forwards an email to the host reporting it as spam), they set it to include the following header, for example:
X-PHP-Script: www.yourdomain.com/yourfolder/emailer.php for 209.255.255.255
*** Above is the domain... some server admins set it up to show the path instead: /home/username/yourfolder/emailer.php
That would tell them that the script that sent the email was at www.yourdomain.com/yourfolder/emailer.php and that it was sent using a browser with IP# 209.255.255.255, for example. That way the host knows what script to go investigate. THIS is good on the server end, as it helps catch spammers. The BAD part is that it tells anyone who gets the email what URL they can go to abuse the script themselves - SO, password protect scripts or directories that send email, or code them so that just visiting the URL itself with known variables attached doesn't just send out emails!
Thanks for the explanation Maximum, I figured that's what SecondVision was saying but just wanted to make sure! Thanks again for the help, both of you rep'd! pc
Your above script is open to mail header injection which can be used for spamming. Make sure to sanitize the variables BEFORE they hit the mail() function.
You need "\r\n" after each header line, so it should look like: Code:
Be very very careful if you are allowing any user input (GET, POST, COOKIE etc) to affect the arguments to your mail function call. Obviously allowing a user to set the "to:" field would be bad. A common spammer trick is to put "\r\n" into a "subject:" or "from:" field. The mailer then takes the part after the "\r\n" as a new header (which could be a "to:", "cc:" or "bcc:" header) and can be used to abuse the form. Many (most?) hosts will protect against this type of attack now, but there is a chance that yours (or someone else's if you give the script to them) will not.
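Putting the two replies above together (sanitize before mail(), and terminate each header with "\r\n"), here is an added example of a header builder that refuses CR/LF in any value. It is not code from the thread; the function names, the example.net addresses and the two constructed inputs are my own.

```php
<?php
// Added example: validate form values before they reach mail().
// Names and sample addresses are assumptions, not from the original thread.

// A header value (or subject) must never contain CR or LF; that is the
// only way an extra "Bcc:" / "To:" line could be smuggled in.
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Address fields get the stricter check: a syntactically valid e-mail
// address can never contain a line break.
function isSafeAddress(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the additional_headers string the way mail() expects:
// one "Name: value" per line, each terminated by "\r\n".
function buildHeaders(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $ok = in_array($name, ['From', 'Reply-To', 'Cc'], true)
            ? isSafeAddress($value)
            : isHeaderSafe($value);
        if (!$ok) {
            throw new InvalidArgumentException("unsafe value in header '$name'");
        }
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines) . "\r\n";
}

// Constructed inputs: a normal submission and one carrying a CRLF payload
// of the kind the post above describes.
$good = ['From' => 'contact@example.net', 'Reply-To' => 'contact@example.net'];
$bad  = ['From' => "contact@example.net\r\nBcc: someone@example.org"];

echo buildHeaders($good);
try {
    buildHeaders($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The recipient stays hard-coded in the script; only validated values are
// passed on. Uncomment on a host with a working sendmail:
// mail('whoever@example.net', 'the subject', 'test', buildHeaders($good), '-fcontact@example.net');
```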
Powered by: vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.