PHP MANUAL 5.x, 4.x, 3.x - partially translated into Polish / source: www.php.net


LXI. Electronic mail

Introduction

The mail() function allows you to send e-mail.

Requirements

No external libraries are needed to build this extension.

Installation

Nothing needs to be installed to use these functions. They are part of the PHP core.

Runtime Configuration

The behaviour of these functions is affected by settings in the php.ini file.

Table 1. Mail configuration options

| Name          | Default     | Changeable     | Changelog                  |
|---------------|-------------|----------------|----------------------------|
| SMTP          | "localhost" | PHP_INI_ALL    |                            |
| smtp_port     | "25"        | PHP_INI_ALL    | Available since PHP 4.3.0. |
| sendmail_from | NULL        | PHP_INI_ALL    |                            |
| sendmail_path | NULL        | PHP_INI_SYSTEM |                            |

Details and definitions of the PHP_INI_* constants can be found in Appendix H.

Here is a short explanation of the configuration directives.

SMTP string

Used under Windows only: DNS name or IP address of the SMTP server PHP should use for mail sent with the mail() function.

smtp_port int

Used under Windows only: Number of the port to connect to the server specified with the SMTP setting when sending mail with mail(); defaults to 25. Only available since PHP 4.3.0.

sendmail_from string

Which "From:" mail address should be used in mail sent from PHP under Windows.

sendmail_path string

Where the sendmail program can be found, usually /usr/sbin/sendmail or /usr/lib/sendmail. configure makes an honest attempt to locate it for you and set a default, but if that fails, you can set it here.

Systems not using sendmail should set this directive to the sendmail wrapper/replacement their mail system offers, if any. For example, Qmail users can normally set it to /var/qmail/bin/sendmail or /var/qmail/bin/qmail-inject.

qmail-inject does not require any option to process mail correctly.

This directive also works under Windows. If set, smtp, smtp_port and sendmail_from are ignored and the specified command is executed.

Resource Types

This extension has no resource types defined.

Predefined Constants

This extension has no constants defined.

Table of Contents
ezmlm_hash -- Calculates the hash value needed by EZMLM
mail -- Sends an e-mail



User Contributed Notes

Holger Meier
31-Jan-2006 01:33

If you provide a contact form, don't give the user the possibility to write anything else than his e-mail address directly into the additional header. In my opinion the best way to prevent those hacks is to check the e-mail syntax and give the user a frontend which doesn't allow to transfer other code directly into the header.


lawcd at ntlworld dot com
30-Jan-2006 06:38

For those of you with exim, if it's not sending mail with the -i option and you can't easily change this, you might want to check out the imap_mail() function, which works almost exactly the same and doesn't use exim; most web hosts provide this. If you are using your own server then PHP needs to be compiled with imap libraries etc.

See http://uk2.php.net/manual/en/function.imap-mail.php


expertphp at gmail dot com
27-Jan-2006 11:31

If you try to set the "From:" e-mail header value under Windows when it is already defined in the php.ini "sendmail_from" value, this will not work. If you still want to customize this value, then you must use another option like XPertMailer ( http://www.xpertmailer.com/ ) to send the e-mail directly to the client SMTP server or use a relay SMTP server with the authentication option.


eriksencosta at yahoo dot com dot br
02-Jan-2006 02:47

Pay attention when you use the "To:" in the email header. I had a problem on some servers when I used "To:": I got some duplicated emails. So just disregard the "To:" in your email header.


17-Dec-2005 01:35

After having some trouble getting the mail() function to work with the IIS SMTP server, I discovered the problem was simply that the SMTP server was set to 'localhost' in php.ini instead of the actual IP of the computer, and hence IIS would filter the request out.


Ben Cooke
15-Dec-2005 02:34

Note that there is a big difference between the behavior of this function on Windows systems vs. UNIX systems. On Windows it delivers directly to an SMTP server, while on a UNIX system it uses a local command to hand off to the system's own MTA.

The upshot of all this is that on a Windows system your message and headers must use the standard line endings \r\n as prescribed by the email specs. On a UNIX system the MTA's "sendmail" interface assumes that received data will use UNIX line endings and will turn any \n to \r\n, so you must supply only \n to mail() on a UNIX system to avoid the MTA hypercorrecting to \r\r\n.

If you use plain old \n on a Windows system, some MTAs will get a little upset. qmail in particular will refuse outright to accept any message that has a lonely \n without an accompanying \r.


aweather88 at gmail dot com
14-Dec-2005 11:45

I spent hours searching the web trying to figure out why I was getting a "WARNING: mail(): SMTP server response: 501 5.5.4 Invalid Address " every time I was using the mail() function on my server (Win2K3,IIS 6.0,PHP4.4.1).  I knew everything was setup properly for SMTP based on other non IIS 6.0 configurations.

Turns out that the IIS 6.0 SMTP service does not like formatting of the "From" field in mail headers.  For instance:
<?PHP
//This line DOES NOT send mail message correctly
$headers .= "From: \"".$fromname."\" <".$fromaddress.">\n";
?>
However this works:
<?PHP
//This line sends mail message correctly
$headers .= "From: \"".$fromaddress."\"\n";
?>

The fix is in Microsoft Article ID 291828 ( http://support.microsoft.com/?id=291828 ).  Even though the "bug" workaround is for IIS 6.0 on Exchange 2003 communicating with a UNIX server, THIS SOLVES THE PROBLEM.  Just skip down to the last section for Exchange 2003 and follow the instructions to modify the IIS 6 MetaBase with the MetaBase Explorer found in the IIS 6 Resource Kit.


appel att nr78 dott net
12-Dec-2005 11:38

Another modest attempt at tackling those pesky mailheader injections. Works quite well for me as it is, but I would appreciate any suggestions to improve it:

<?php

/* name: input_check_mailinj()
 * sample usage: foreach($_POST as $value) input_check_mailinj($value);
 */

function input_check_mailinj($value)
{
   # mail address(es) for reports...
   $report_to = "abuse@yourdomain.com";

   # array holding strings to check...
   $suspicious_str = array
   (
      "content-type:"
      ,"charset="
      ,"mime-version:"
      ,"multipart/mixed"
      ,"bcc:"
   );

   // remove added slashes from $value...
   $value = stripslashes($value);

   foreach($suspicious_str as $suspect)
   {
      # checks if $value contains $suspect (case-insensitive substring match)...
      if(stripos($value, $suspect) !== false)
      {
         // replace this with your own get_ip function...
         $ip = (empty($_SERVER['REMOTE_ADDR'])) ? 'empty'
            : $_SERVER['REMOTE_ADDR'];
         $rf = (empty($_SERVER['HTTP_REFERER'])) ? 'empty'
            : $_SERVER['HTTP_REFERER'];
         $ua = (empty($_SERVER['HTTP_USER_AGENT'])) ? 'empty'
            : $_SERVER['HTTP_USER_AGENT'];
         $ru = (empty($_SERVER['REQUEST_URI'])) ? 'empty'
            : $_SERVER['REQUEST_URI'];
         $rm = (empty($_SERVER['REQUEST_METHOD'])) ? 'empty'
            : $_SERVER['REQUEST_METHOD'];

         # if so, file a report...
         if(isset($report_to) && !empty($report_to))
         {
            @mail
            (
               $report_to
               ,"[ABUSE] mailinjection @ " .
                  $_SERVER['HTTP_HOST'] . " by " . $ip
               ,"Stopped possible mail-injection @ " .
                  $_SERVER['HTTP_HOST'] . " by " . $ip .
                  " (" . date('d/m/Y H:i:s') . ")\r\n\r\n" .
                  "*** IP/HOST\r\n" . $ip . "\r\n\r\n" .
                  "*** USER AGENT\r\n" . $ua . "\r\n\r\n" .
                  "*** REFERER\r\n" . $rf . "\r\n\r\n" .
                  "*** REQUEST URI\r\n" . $ru . "\r\n\r\n" .
                  "*** REQUEST METHOD\r\n" . $rm . "\r\n\r\n" .
                  "*** SUSPECT\r\n--\r\n" . $value . "\r\n--"
            );
         }

         # ... and kill the script.
         # the echoed input is HTML-escaped so it cannot add markup to the page
         die
         (
            'Script processing cancelled: string
            (`<em>'.htmlspecialchars($value).'</em>`) contains text portions that
            are potentially harmful to this server. <em>Your input
            has not been sent!</em> Please use your browser\'s
            `back`-button to return to the previous page and try
            rephrasing your input.</p>'
         );
      }
   }
}

?>


s e l m a n 1 7 at y a h o o dot c o m
10-Dec-2005 09:55

<?php
// if you have a problem with some spam engine or hotmail, use these
// sample headers. (mail: your friends, maili: you.)
$headers = "";
$headers .= "X-Sender:  $mail <$mail>\n";
$headers .= "From: $maili <$maili>\n";
$headers .= "Reply-To: $maili <$maili>\n";
$headers .= "Date: ".date("r")."\n";
$headers .= "Message-ID: <".date("YmdHis")."selman@".$_SERVER['SERVER_NAME'].">\n";
$headers .= "Subject: $subject\n"; // subject write here
$headers .= "Return-Path: $maili <$maili>\n";
$headers .= "Delivered-to: $maili <$maili>\n";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html;charset=ISO-8859-9\n";
$headers .= "X-Priority: 1\n";
$headers .= "Importance: High\n";
$headers .= "X-MSMail-Priority: High\n";
$headers .= "X-Mailer: SelmanD Mailler With PHP!\n";

?>


tinus
09-Dec-2005 10:50

as to fred's posting, I had to change the code a bit:
-add a hashbang
-add "-t -i " to the sendmail call

great idea though.

#!/usr/bin/php
<?php

$tmpfile = "/tmp/" . uniqid('') . ".mail";

$fp = fopen($tmpfile,"w");

fwrite($fp,"x-wls-cc-filter: On\n");
while(($line = fgets(STDIN)) !== false)
{
       // rename Bcc:/Cc: header lines (any letter case) so the MTA ignores them
       $line = preg_replace("/^bcc:/i","x-wlsspam-bcc:",$line);
       $line = preg_replace("/^cc:/i","x-wlsspam-cc:",$line);
       fwrite($fp,$line);
}
fclose($fp);

// pass the caller's arguments through to sendmail, shell-quoted
$cmd = '/usr/sbin/sendmail -t -i ';
for($i = 1 ; $i < $argc; $i++)
{
       $cmd .= escapeshellarg($argv[$i]);
       $cmd .= ' ';
}
$cmd .= "<$tmpfile";
system($cmd);
?>


fred at webblake dot net
08-Dec-2005 05:29

I just thought this would be useful for someone.

It's one thing to write your mail forms so they don't support spam via header injection. It's quite another to run a hosting operation with hundreds of web sites that are controlled by different webmasters and customers that do not want to pay to have their sites fixed. In fact it's very difficult to identify all the buggy sites. As a result, I came up with this little sendmail wrapper. I made this as a cli script and used it as a replacement for sendmail in the php.ini file. Since our web servers have no reason to send BCC and CC headers, this script renames them so they don't work.

You would also need to write a script to clean up the temporary files. This script could save messages that were spamming attempts so you can study them later. It would just look for the replacement headers to determine if it was a spamming attempt.

<?php

$tmpfile = "/tmp/" . uniqid('') . ".mail";

$fp = fopen($tmpfile,"w");

fwrite($fp,"x-wls-cc-filter: On\n");
while(($line = fgets(STDIN)) !== false)
{
       // rename Bcc:/Cc: header lines (any letter case) so the MTA ignores them
       $line = preg_replace("/^bcc:/i","x-wlsspam-bcc:",$line);
       $line = preg_replace("/^cc:/i","x-wlsspam-cc:",$line);
       fwrite($fp,$line);
}
fclose($fp);

// pass the caller's arguments through to sendmail, shell-quoted
$cmd = '/usr/sbin/sendmail ';
for($i = 1 ; $i < $argc; $i++)
{
       $cmd .= escapeshellarg($argv[$i]);
       $cmd .= ' ';
}
$cmd .= "<$tmpfile";
system($cmd);
?>
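
The clean-up script that the note above leaves to the reader could look like this. It is an added example, not fred's code: it assumes the wrapper's /tmp/*.mail naming and its x-wlsspam- header prefix, while the function names, quarantine directory and age limit are hypothetical choices.

```php
<?php
// Added example. The spool layout (*.mail files) and the x-wlsspam- prefix come
// from the wrapper above; everything else here is a hypothetical choice.

/** True if the header block of a spooled message holds a renamed cc/bcc header. */
function is_flagged(string $path): bool
{
    $fp = fopen($path, 'r');
    if ($fp === false) {
        return false;
    }
    $flagged = false;
    while (($line = fgets($fp)) !== false) {
        if (rtrim($line, "\r\n") === '') {
            break;      // blank line ends the headers; the wrapper also rewrites
        }               // body lines, so scanning further gives false positives
        if (preg_match('/^x-wlsspam-(bcc|cc):/i', $line)) {
            $flagged = true;
            break;
        }
    }
    fclose($fp);
    return $flagged;
}

/** Quarantine flagged spool files for later study, delete the rest. */
function sweep_spool(string $spoolDir, string $quarantineDir, int $maxAge = 3600): array
{
    $report = ['quarantined' => [], 'deleted' => []];
    if (!is_dir($quarantineDir)) {
        mkdir($quarantineDir, 0700, true);
    }
    foreach (glob($spoolDir . '/*.mail') ?: [] as $path) {
        if (time() - filemtime($path) < $maxAge) {
            continue;   // recent file: the wrapper may still be feeding it to sendmail
        }
        if (is_flagged($path)) {
            rename($path, $quarantineDir . '/' . basename($path));
            $report['quarantined'][] = basename($path);
        } else {
            unlink($path);
            $report['deleted'][] = basename($path);
        }
    }
    return $report;
}

// Demo on two constructed messages in a throwaway directory.
$spool = sys_get_temp_dir() . '/wls-demo-' . uniqid();
mkdir($spool, 0700);
file_put_contents("$spool/a.mail",
    "x-wls-cc-filter: On\nTo: owner@example.com\nSubject: hello\n\n"
  . "x-wlsspam-cc: a body line that happened to start with cc:\n");
file_put_contents("$spool/b.mail",
    "x-wls-cc-filter: On\nTo: owner@example.com\nFrom: x@example.com\n"
  . "x-wlsspam-bcc: victim@example.net\n\nbody\n");
print_r(sweep_spool($spool, "$spool/quarantine", 0));
```

In production the age limit should stay well above zero so that files still being piped to sendmail are not removed.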


sk8boardkid at gmail dot com
27-Nov-2005 12:53

If you use PHP in a *nix chroot environment your php installation will need access to /bin/sh to run sendmail otherwise the mail() function will fail.


remo at tourist dot sk
09-Nov-2005 03:36

I spent 4 hours finding out how to send UTF-8 plain text mail, so here is my working solution (PHP 5, Debian):

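<?php
// $to must already hold the recipient address
$subject = "subject";
$message = "message";

// strip CR/LF so the form fields cannot add extra header lines
$name = str_replace(array("\r", "\n"), '', $_POST['name']);
$mail = str_replace(array("\r", "\n"), '', $_POST['mail']);

//dont forget quotes around "name", else it won't be displayed correctly in utf-8
$from = "From: \"".$name."\" <".$mail.">";

mb_language('Neutral');
mb_internal_encoding("UTF-8");
mb_http_input("UTF-8");
mb_http_output("UTF-8");
mb_send_mail($to, $subject, $message, $from);

?>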

Hopefully this will be useful for someone.


spinningvertex at gmail dot com
02-Nov-2005 11:38

I found the mail validator http://www.apps.ietf.org/msglint.html to be very useful.


thomas at deliduka dot com
02-Nov-2005 01:26

I came up with a snippet of code that may help some people with the injection problem. Hope this helps.

<?php
// reject the whole request if any posted field contains "Content-Type"
foreach ($_POST as $j => $value) {
   if (stristr($value,"Content-Type")) {
       header("HTTP/1.0 403 Forbidden");
       echo "YOU HAVE BEEN BANNED FROM ACCESSING THIS
           SERVER FOR TRIGGERING OUR SPAMMER TRAP";
       exit;
   }
}
?>


Pete Wake
12-Oct-2005 08:22

I too have had someone trying to use my site to send spam email by injecting headers and using a bcc: address. One way to stop this is by creating a multipart message as shown in the code below.

Note that to pass the 'antispam' checks of hotmail etc. you should set up automailer@mysite.com as a "real" email account, so that if anyone checks it'll actually be there.

<?php

// YOU CAN SET THESE ALL UP YOURSELF

DEFINE("NAME","MySite");
DEFINE("RETURN_ADDRESS","automailer@mysite.com");

$contactemail="personToContact@their-email.com";
$contactname="Person to Contact";

$subject="The subject";
$messageNotHTML="This is the message in text format";

// THE MAIN FUNCTIONALITY

$boundary = md5(time().rand(1,100));

$headers = "MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=\"{$boundary}\"
X-Mailer: PHPmailer
From: \"".NAME."\" <".RETURN_ADDRESS.">
";

$message = "
--{$boundary}
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

$messageNotHTML

--{$boundary}--

";

$didmail = mail("\"".$contactname."\" <".$contactemail.">", $subject, $message, $headers);
?>


expertphp at yahoo dot com
08-Oct-2005 03:45

Send an e-mail directly to client smtp server in real time.
For more information, please visit: http://expert.no-ip.org/?free=smtp_mail&func

<?php

@set_time_limit(0);

require_once 'smtp_mail.php';

$to = "expertphp@yahoo.com";
$from = "from@myaccount.com";
$subject = "Subject here";

$headers = "MIME-Version: 1.0\r\n".
  "Content-type: text/html; charset=iso-8859-1\r\n".
  "From: \"My Name\" <".$from.">\r\n".
  "To: \"Client\" <".$to.">\r\n".
  "Date: ".date("r")."\r\n".
  "Subject: ".$subject."\r\n";

$message = "
<html>
<body>
<b>html message</b><br>
<font color=\"red\">here</font>
<img src=\"http://static.php.net/www.php.net/images/php.gif\"
border=\"0\" alt=\"\">
</body>
</html>
";

$response = smtp_mail($to, $subject, $message, $from, $headers);

if($response[0]) echo "The message has been sent !<br />\n".$response[1];
else echo "The message can not been sent !<br />\n".$response[1];

?>


fnjordy at gmail dot com
05-Oct-2005 11:54

Another example of sending a utf-8 HTML mail:

$to = 'bob@barnyard.com';
$subject = 'Wakeup bob!';
$message = '<b>yo</b>, whassup?';
$headers = "From: server@barnyard.com\r\n" .
       'X-Mailer: PHP/' . phpversion() . "\r\n" .
       "MIME-Version: 1.0\r\n" .
       "Content-Type: text/html; charset=utf-8\r\n" .
       "Content-Transfer-Encoding: 8bit\r\n\r\n";

// Send
mail($to, $subject, $message, $headers);


Alan Poole
25-Sep-2005 09:26

There's a bunch of code for email stuff here for attachments, smtp, pop3 etc:

http://www.phpguru.org/


fontajos at phpeppershop dot com
21-Sep-2005 05:24

Problems with Microsoft Exchange and PHP as ISAPI-module

We found out, that if you want to send multipart mime emails using the PHP mail-function on a Windows box using a Microsoft Exchange server, you have to use separate containers for the mail body and the mail header.

In many examples like in http://www.zend.com/zend/trick/html-email.php or in the book PHP developers cookbook you find html multipart/alternative mailing solutions that build the mime header and the mail body into one PHP variable and send this as fourth argument (header) to the PHP mail-function. This works fine on most systems but not on the above mentioned combination.

We found a rather trivial solution: Simply split the mime mail header and the mail body into two separate variables and give them separately to the PHP mail function, example:

<?php
//add From: header
$headers = "From: webserver@localhost\r\n";

//specify MIME version 1.0
$headers .= "MIME-Version: 1.0\r\n";

//unique boundary
$boundary = uniqid("HTMLDEMO");

//tell e-mail client this e-mail contains
//alternate versions
$headers .= "Content-Type: multipart/mixed; boundary = $boundary\r\n\r\n";

//plain text version of message
$body = "--$boundary\r\n" .
  "Content-Type: text/plain; charset=ISO-8859-1\r\n" .
  "Content-Transfer-Encoding: base64\r\n\r\n";
$body .= chunk_split(base64_encode("This is the plain text version!"));

//HTML version of message
$body .= "--$boundary\r\n" .
  "Content-Type: text/html; charset=ISO-8859-1\r\n" .
  "Content-Transfer-Encoding: base64\r\n\r\n";
$body .= chunk_split(base64_encode("This the <b>HTML</b> version!"));

//send message
mail("root@localhost", "An HTML Message", $body, $headers);
?>


valeriogiuffrida at hotmail dot com
09-Sep-2005 11:53

Sometimes, using these headers:

$header = "Return-Path: lostpass@website.net\n";
$header .= "X-Sender: lostpass@website.net\n";
$header .= "From: This is my website <lostpass@website.net>\n";
$header .= "X-Mailer:PHP 5.1\n";
$header .= "MIME-Version: 1.0\n";

Gmail and Hotmail could consider it as "spam", so I just inserted this before sending the email:

 ini_set('sendmail_from', "lostpass@mywebsite.net");

and ini_restore after it...


chris at free-source dot com
03-Aug-2005 09:56

For those calling this "exploit" a bug in PHP, you are wrong. This is just like SQL injection: how is the mail() function supposed to know that you didn't want to send a multipart message or that you didn't want to send a BCC? It can't. YOU MUST validate ALL user input. To everything. Period.


pkringle at planetnet dot org
28-Jul-2005 11:45

I just had the same thing happen to me also.  I found this nice doc on the issue. And on how to prevent it.

http://securephp.damonkohler.com/index.php/Email_Injection


thomas at nospam dot deliduka dot com
28-Jul-2005 05:56

Last night we had a spammer use our form-to-mail system to send spam. I had protected the 'to' field in the function so I couldn't understand how they were using it to send to other people.

So, I added tracking information to anyone who posts to the form and they tried again this morning. This is what I found out.  They were posting a message within a message.

In all the variables sent with the form they had this (they were using another program to post directly to the form):

vltrwe@domain.com
Content-Type: multipart/mixed; boundary="===============1998658368=="
MIME-Version: 1.0
Subject: 9c954098
To: victim@domain.com
bcc: victim@domain2.com
From: vltrwe@domain.com

This is a multi-part message in MIME format.

--===============1998658368==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

SPAM MESSAGE HERE.
--===============1998658368==--

So, the system, when passed this information in the header of the e-mail thought it was the continuation of the format and it sent the additional email data and thus spam goes out.  Clear as mud?

I have never seen such a clever, if you will, hacking tool.  This is downright devious. Protect ANY variables being sent to ANY function. I am looking for "Content-Type:" since I am sure this is the only way to do this. If it's not, I'll know about it because my tracking data is still there.
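
The payload quoted above reaches the header block only because the form value carries line breaks. The following added example (not code from the original notes) compares the "Content-Type" keyword test with a check for raw CR/LF plus address validation, which also covers the contact-form advice in the earlier notes; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example: function names and sample inputs are constructed for
// illustration; they are not from the PHP manual or from the notes on this page.

/** Keyword test in the style of the note above: looks for "Content-Type". */
function keyword_check_flags(string $value): bool
{
    return stripos($value, 'Content-Type') !== false;
}

/** Structural test: a raw CR or LF is what lets a value start a new header line. */
function has_line_break(string $value): bool
{
    return strpbrk($value, "\r\n") !== false;
}

/**
 * Build a From: header from untrusted form fields.
 * Returns the header line, or null when the input must be rejected.
 */
function safe_from_header(string $name, string $email): ?string
{
    if (has_line_break($name) || has_line_break($email)) {
        return null;                    // value would add header lines
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                    // not one syntactically valid address
    }
    // Remove characters that would end the quoted display name early.
    $name = str_replace(['"', '\\'], '', $name);
    return 'From: "' . $name . '" <' . $email . '>';
}

// Constructed inputs. The first is shortened from the payload quoted above;
// the second carries only a bcc line, so it has no "Content-Type" keyword.
$samples = [
    'multipart payload' => "vltrwe@domain.com\nContent-Type: multipart/mixed\nbcc: victim@domain2.com",
    'bcc only'          => "vltrwe@domain.com\r\nbcc: victim@domain2.com",
    'ordinary address'  => "visitor@example.com",
];

foreach ($samples as $label => $email) {
    $header = safe_from_header('Visitor', $email);
    printf(
        "%-18s keyword=%-3s linebreak=%-3s result=%s\n",
        $label,
        keyword_check_flags($email) ? 'yes' : 'no',
        has_line_break($email) ? 'yes' : 'no',
        $header === null ? 'rejected' : $header
    );
}
```

The same line-break check applies to any other form field that ends up in the subject or additional-headers argument of mail().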


jfonseca at matarese dot com
26-Jul-2005 03:42

Hi, from the example below :

   $headers .= "From: \"".$fromname."\" <".$fromaddress.">\n";
   return mail($toaddress, $subject, $message, $headers);

This will allow an SMTP injection attack on your feedback form.

Make sure you end your headers with \r\n\r\n or the missing \r\n will allow the attacker to inject additional headers.

The main use for this common flaw is to use your contact form for spam.

Remember: always triple-check user input that does anything meaningful.


sadikkeskin at hotmail dot com
18-Jul-2005 01:37

hi all programmer
this code is a simple code for attachment mail for use without class

<?php
$type = array('gif'  => 'image/gif',
              'jpg'  => 'image/jpeg',
              'jpeg' => 'image/jpeg',
              'jpe'  => 'image/jpeg',
              'bmp'  => 'image/bmp',
              'png'  => 'image/png',
              'tif'  => 'image/tiff',
              'tiff' => 'image/tiff',
              'swf'  => 'application/x-shockwave-flash',
              'doc'  => 'application/x-msword',
              'xls'  => 'application/x-msexel',
              'bilinmiyor'  => '"application/x-unknown-content-type"');
$header="";
$message="";
$boundary='--' . md5( uniqid("myboundary") );
$priorities = array( '1 (Highest)', '2 (High)', '3 (Normal)', '4 (Low)', '5 (Lowest)' );
$priority=$priorities[3];
$charset="iso-8859-9";
$ctencoding="8bit";
$subject="merhaba";
$body="merhaba arkada

 

 