
I'm trying to improve the way I email form submissions using PHP. At the moment my code looks like this:

<?php
  //==== FORM DATA (taken straight from the request, not validated)
  $name = $_REQUEST['cName'];
  $email = $_REQUEST['cEmail'];
  $message = $_REQUEST['cMessage'];

  //==== EMAIL DETAILS
  $to = "myemailaddress@test.com";
  $subject = "Web Query";
  // initialise $headers here (it was appended to before being set) and end
  // the From: line with CRLF so the next header is not glued onto it
  $headers = "From: ".$email."\r\n";
  $headers .= "MIME-Version: 1.0\r\n";
  $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

  //==== EMAIL CONTENT
  $content =
  "<b>From: </b>".$name."<br />".
  "<b>Email: </b>".$email."<br /><br />".
  "<b>Message: </b>".$message;

  //==== SEND EMAIL
  mail($to, $subject, $content, $headers);
?>

There's one potential flaw I've spotted in the way I do it. I put in the 'to' email address and I'm worried that might lead to spam (all other data comes from the HTML form submission except the 'to' address, which is straight into the PHP). What is the easiest way to obfuscate that email address, and is it necessary to do so?

MMM
CaribouCode

4 Answers

2

Your email address is set inside your PHP code, so it is not exposed to the client browser.

However, you are using unprotected form data in your email headers (as pointed out by MMM). This is of far greater concern and should be addressed before putting this code live.

Chris
    `-1` - he's not safe! He's using `$_REQUEST` and embedding it directly in the headers! That allows for header injections. – MMM May 25 '13 at 11:04
  • Using no-reply@... is never a good option and is not user-friendly –  May 25 '13 at 11:07
  • @Cube32: You're stating that his code is safe, and that's false, regardless of whether you're attempting to answer his question or not. – MMM May 25 '13 at 11:08
  • @MMM I've tried to reflect your comments with a change to the answer – Chris May 25 '13 at 11:18
  • @Cube32 Thanks for the help. So I'm guessing the only field I need to protect is the 'from email'? What's the best way to do that? – CaribouCode May 25 '13 at 12:22
2

You should be escaping your $_REQUEST variables before using them, e.g. with mysql_real_escape_string, and you should check if they have the right value types and validate them using custom functions (valid email?) or filter_var, as Your Common Sense mentioned: https://stackoverflow.com/a/16748986/753676

1

If you want to avoid your mail being treated as spam, you should try sending it using SMTP authentication. For this you can use PHPMailer.

sAnS
  • That does not solve the problem with spam filters; there are many factors which may trigger the spam filter (like the content, image URLs, subject line and much more) –  May 25 '13 at 11:11
  • @DanielRuf So far, if all is going normally, SMTP auth will work and you will get your mail in the inbox. But if your content is suspicious and there is complex spam protection on your mail server, you will not get the mail in the inbox even if you send from a trusted mail. I am using it so far and have found no problem. – sAnS May 25 '13 at 11:16
  • Then you are lucky; some mail clients and servers don't like it if you use image URLs, and you sometimes need to attach and include the images to avoid clients marking it as spam or blocking the images –  May 25 '13 at 11:21
  • @DanielRuf I don't know, I may have been lucky; so far I have used it in 100 web sites :) – sAnS May 25 '13 at 11:22
  • If you do not use HTML emails with attachments ;-) –  May 25 '13 at 11:25
  • @DanielRuf I do send 10-15 property images, CVs, PDFs and a lot more as attachments :) – sAnS May 25 '13 at 11:26
1
// escape HTML metacharacters before the value is embedded in the HTML body
$name = htmlspecialchars($_REQUEST['cName']);
// returns the address on success, or false if it is not a valid email
$email = filter_var($_REQUEST['cEmail'], FILTER_VALIDATE_EMAIL);
$message = htmlspecialchars($_REQUEST['cMessage']);
Your Common Sense
  • This should be used, thanks =) I almost forgot these little "helpers" because I mostly used just frameworks which did all these validation tasks automatically (better than reinventing the wheel and not using a framework like ZF) :D –  May 25 '13 at 11:30
  • I tried using the htmlspecialchars but it just breaks the process and no longer sends the email... – CaribouCode May 25 '13 at 11:51
  • what is the result / content of $message after this? –  May 26 '13 at 12:44
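The header injection that the first answer warns about, and a hardened handler built on the filter_var/htmlspecialchars approach from the last answer, as an added example that is not code from the question or from any of the answers. The addresses, the crafted `cEmail` value and the `prepareMail`/`buildHeadersSafe` helper names are all constructed for this demonstration.

```php
<?php
// Added example, not code from the question or any answer. Shows the
// header injection the first answer warns about, then a hardened form
// handler built on the filter_var/htmlspecialchars approach from the last
// answer. Addresses and form values are constructed here for the demo.
declare(strict_types=1);

// The question's header construction: the visitor's address goes straight
// into a header line, so CR/LF inside it starts new headers.
function buildHeadersUnsafe(string $email): string
{
    return "From: " . $email . "\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/html; charset=UTF-8\r\n";
}

// Reject any value that could break out of a single header line.
function isSingleHeaderLine(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// filter_var() returns false (not "") for a malformed address; that false
// is what silently breaks a handler that just concatenates the result.
function validatedEmail(string $email): ?string
{
    if (!isSingleHeaderLine($email)) {
        return null;
    }
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Hardened headers: From: is our own fixed address (the site's domain, so
// its SPF/DKIM apply); the visitor's address only ever goes into Reply-To.
function buildHeadersSafe(string $visitorEmail, string $siteFrom): ?string
{
    $email = validatedEmail($visitorEmail);
    if ($email === null) {
        return null;
    }
    return "From: " . $siteFrom . "\r\n"
         . "Reply-To: " . $email . "\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/html; charset=UTF-8\r\n";
}

// HTML body: escape every form value so it cannot carry markup or script.
function buildBody(string $name, string $email, string $message): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<b>From: </b>" . $h($name) . "<br />"
         . "<b>Email: </b>" . $h($email) . "<br /><br />"
         . "<b>Message: </b>" . nl2br($h($message));
}

// Full handler: returns the mail() arguments, or null when the submission
// must be rejected. Reads $_POST-shaped input (not $_REQUEST, which also
// accepts query-string and cookie values).
function prepareMail(array $post, string $to, string $siteFrom): ?array
{
    $name    = (string)($post['cName'] ?? '');
    $email   = (string)($post['cEmail'] ?? '');
    $message = (string)($post['cMessage'] ?? '');

    $headers = buildHeadersSafe($email, $siteFrom);
    if ($headers === null || $name === '' || $message === '') {
        return null;
    }
    return [$to, "Web Query", buildBody($name, $email, $message), $headers];
}

// --- constructed demo input ---
$injected = "attacker@example.com\r\nBcc: victim1@example.org, victim2@example.org";

echo "Unsafe headers built from the crafted address:\n";
echo buildHeadersUnsafe($injected), "\n";   // the Bcc: line is now a real header

var_dump(prepareMail(
    ['cName' => 'Mallory', 'cEmail' => $injected, 'cMessage' => 'buy now'],
    'myemailaddress@example.com', 'webform@example.com'
));                                          // NULL: submission rejected

$args = prepareMail(
    ['cName' => 'Alice <b>', 'cEmail' => 'alice@example.com', 'cMessage' => "Hi\r\nthere"],
    'myemailaddress@example.com', 'webform@example.com'
);
print_r($args);
// if ($args !== null) { mail(...$args); }
```

Run with `php example.php`: the first echo shows the crafted address turning into a real `Bcc:` header, which is what lets a contact form be used as a spam relay; the hardened handler returns null for that submission and only builds headers for an address that passes both the CR/LF check and `FILTER_VALIDATE_EMAIL`. Checking `filter_var()` for `false` explicitly is also the cure for the "it just breaks the process" symptom in the comments above: an invalid address no longer ends up as an empty `From:`, it ends the request with an error the form can show. Putting the site's own address in `From:` and the visitor's in `Reply-To:` keeps the mail aligned with the sending domain's SPF/DKIM, which is the deliverability side of the third answer's SMTP advice.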