
I have a PHP script using the mail function. I would just like to know if someone sees a problem with this script before I contact the sysadmin, as he will probably not answer for a while.

```php
<?php
// Review form handler: all values come straight from the POSTed form.
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$rating = $_POST['Rate'];
$subject = "review from website";
$name = $_POST['lname'] . ", " . $_POST['name'];
$from = $_POST['email'];
$to = "email@gmail.com";
$messageTo = "BBComputers";
// Was "$headers = ..." which threw away the two header lines above; .= appends.
$headers .= "From: " . $from . "\r\n";
$message = htmlspecialchars($_POST['comment']);
$about = $_POST['product'];
$date = date("n-j-y \a\\t g:ia\n");
mail($to, $subject, $message, $headers);
```
user2938331
    Please take a look at the **Related** section in the sidebar. ---> – Amal Murali Oct 30 '13 at 17:14
  • This is [a very popular question here](http://stackoverflow.com/search?q=PHP+mail+function+not+sending)! To fix, use a proper mail library, like SwiftMailer. – halfer Oct 30 '13 at 17:23

1 Answer


I see a whole bunch of problems:

  • Your to address is incorrect: lose the trailing ;

  • There is no input validation.

  • Potential for header injection ($_POST["email"])

  • There is a random htmlspecialchars in there (why?)

  • $rating, $messageTo, $name and $about are defined but never used.

Halcyon
  • $rating is used and htmlspecialchars is used in a later bit of code to write to a file that can be read from a web browser. The input validation is done with JavaScript from the form. – user2938331 Oct 30 '13 at 17:18
  • "The input validation is done with javascript from the form" *cringe*. Input validation should at least be done server side, preferably client and server side. – John Dorean Oct 30 '13 at 17:22
  • @user2938331: you cannot rely on JavaScript to always validate your data, since it may not be supported on the client, and users can turn it off. – halfer Oct 30 '13 at 17:24
  • Always do input validation server-side. Any validation you do in JavaScript is convenience for the user, i.e. _fail fast_. http://stackoverflow.com/questions/162159/javascript-client-side-vs-server-side-validation http://stackoverflow.com/questions/1125772/should-you-do-validation-on-the-server-side – Halcyon Oct 30 '13 at 17:26
  • thanks for that but the function isn't really being used yet. So, the major thing I'm testing for is just to see if it will send with input that I am entering. – user2938331 Oct 30 '13 at 17:27
  • Yes, and a bunch of spam too. If you show this to your sysadmin he will likely revoke your access to the mail server. If you want to test things do so in a _test_ environment. _"does this code work?"_ _"I don't know. RUN IT"_. – Halcyon Oct 30 '13 at 17:27
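The following is an added example, not code from the asker or the answerer, showing what the answer's points look like when applied to the form in the question: server-side validation of every field, rejection of CR/LF in anything that reaches a mail header (the header-injection risk in `$_POST['email']`), and headers built with `.=` so the MIME lines are not discarded. The field names (email, name, lname, comment, product, Rate) are the ones from the question; the recipient and sender addresses are placeholders, and the sample submissions at the bottom are constructed for the demo.

```php
<?php
// Added example (not the asker's or answerer's code). Field names follow the
// question; addresses ending in example.com/.org are placeholders.

// Trim, length-check, and refuse any value containing CR or LF. A newline in a
// value that lands in a header starts a new header line, which is the
// "potential for header injection" the answer points at.
function cleanField(array $post, string $key, int $maxLen, string &$error): ?string
{
    $value = trim((string)($post[$key] ?? ''));
    if ($value === '' || strlen($value) > $maxLen) {
        $error = "missing or oversized field: $key";
        return null;
    }
    if (preg_match('/[\r\n]/', $value)) {
        $error = "newline in field: $key";
        return null;
    }
    return $value;
}

// Returns the four mail() arguments, or null with $error describing the rejection.
function buildReviewMail(array $post, string &$error = ''): ?array
{
    $from = cleanField($post, 'email', 254, $error);
    if ($from === null) {
        return null;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $error = 'invalid email address';
        return null;
    }
    $last    = cleanField($post, 'lname', 100, $error);
    $first   = cleanField($post, 'name', 100, $error);
    $about   = cleanField($post, 'product', 100, $error);
    $comment = cleanField($post, 'comment', 5000, $error);
    if ($last === null || $first === null || $about === null || $comment === null) {
        return null;
    }
    // The rating is numeric, so validate it as an integer in range instead of as a string.
    $rating = filter_var($post['Rate'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($rating === false) {
        $error = 'invalid rating';
        return null;
    }

    // .= appends each header; a plain = here would discard the lines above it.
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=UTF-8\r\n";
    $headers .= "From: website@example.com\r\n";   // placeholder: a sender address you control
    $headers .= "Reply-To: $from\r\n";             // visitor's address, validated above

    // The body is declared text/html, so escaping belongs exactly here.
    $esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $when = date('n-j-y \a\t g:ia');
    $body = '<p>' . $esc("$last, $first rated $about $rating/5 on $when") . '</p>'
          . '<p>' . nl2br($esc($comment)) . '</p>';

    return ['reviews@example.com', 'review from website', $body, $headers]; // placeholder recipient
}

// Constructed sample input: a normal submission, then one that smuggles a
// second header line into the email field.
$good = ['email' => 'visitor@example.org', 'name' => 'Ann', 'lname' => 'Lee',
         'product' => 'Widget', 'comment' => "Works well.\nThanks!", 'Rate' => '5'];
$bad  = $good;
$bad['email'] = "visitor@example.org\r\nX-Injected: header";

foreach ([$good, $bad] as $post) {
    $error = '';
    $args  = buildReviewMail($post, $error);
    if ($args === null) {
        echo "rejected: $error\n";   // second sample prints: rejected: newline in field: email
        continue;
    }
    [$to, $subject, $body, $headers] = $args;
    if (PHP_SAPI === 'cli') {
        echo "would send to $to with headers:\n$headers\n";   // inspect instead of sending from the CLI
    } else {
        mail($to, $subject, $body, $headers);
    }
}
```

Run from the command line it only prints what it would send, so it can be exercised without touching the mail server; the second sample is rejected before any header is assembled, which is the check the posted script lacks. Putting the visitor's address in Reply-To rather than From keeps user-supplied data out of the header most receiving servers scrutinise for spoofing.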