9 Replies - 685 Views - Last Post: 01 September 2015 - 09:03 AM Rate Topic: -----

#1 codespook  Icon User is offline

  • D.I.C Head

Reputation: 0
  • View blog
  • Posts: 201
  • Joined: 31-October 12

cannot send email from script

Posted 31 August 2015 - 03:21 PM

Revisiting my mail script. I have a form which sends 3 variables, name, email, and phone number to mail.php. The mail() function is not sending me the email though although I do get success.html coming up fine. But when I put it at mail.php in the debugger in firefox, there are no php errors, so unsure why I am not receiving the test email. Thanks

<?php

// Get values from form
$name   =     $_POST['name'];
$phone   =    $_POST['phone'];
$email   =    $_POST['email'];


//email setup
$to = $email;
$subject = "ree Subscription";
$message = " <html><head>
<style type='text/CSS'>
body   {
	background:#efefef;
}

</style>
<title>Thank you</title></head>
<body>
<p>Thank you, $name, for subscribing.</p>
</body>
</html>
";

$from = "[email protected]";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers = "From:" . $from . "\r\n";
$headers .= "Content-type: text/html; charset=UTF-8" . "\r\n"; 


if(@mail($to, $subject,$message,$headers))
{
  print "<script>document.location.href='http://www.thepage.org/success.html';</script>";
  // ExOffender Nation
}else{
  echo "Error! Please try again.";
}



?>



This post has been edited by JackOfAllTrades: 31 August 2015 - 03:22 PM
Reason for edit:: Fixed code tags


Is This A Good Question/Topic? 0
  • +

Replies To: cannot send email from script

#2 JackOfAllTrades  Icon User is offline

  • Saucy!
  • member icon

Reputation: 6245
  • View blog
  • Posts: 24,013
  • Joined: 23-August 08

Re: cannot send email from script

Posted 31 August 2015 - 03:22 PM

Moved to PHP.
Was This Post Helpful? 0
  • +
  • -

#3 Atli  Icon User is offline

  • Enhance Your Calm
  • member icon

Reputation: 4238
  • View blog
  • Posts: 7,216
  • Joined: 08-June 10

Re: cannot send email from script

Posted 31 August 2015 - 03:48 PM

  • The @ in front of the mail() call suppresses any error that call would potentially make. Rule of thumb: don't use the @ symbol like that. Not unless you're 200% sure you know what you're doing, and the effect it has.

  • The $headers setter on line #28 overwrites the value set in the previous line, rather than adding to it.

  • Why do you print a Javascript redirect? In that situation, a PHP header("Location: ..."); call would make much more sense.


F.Y.I, the PHP script is not actually responsible for sending the email. The mail() function is just a front for the sendmail binary (99.9% of the time, anyways), and is only responsible for passing your email request on to that. The sending can in fact fail without PHP ever being aware of it. - If you can't find a problem in the PHP script itself, make sure the server is properly configured and able to send emails.
Was This Post Helpful? 0
  • +
  • -

#4 codespook  Icon User is offline

  • D.I.C Head

Reputation: 0
  • View blog
  • Posts: 201
  • Joined: 31-October 12

Re: cannot send email from script

Posted 31 August 2015 - 06:50 PM

I found this on hostgator site
http://support.hostg...ndmail-with-php

It's more wordy, but it's the same thing I'm ding though
Was This Post Helpful? 0
  • +
  • -

#5 aryvartit  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 9
  • Joined: 01-September 15

Re: cannot send email from script

Posted 01 September 2015 - 03:36 AM

This is fine for me

pax> mail -s "hello" "pax" <<EOF
hi there
EOF

pax> mailx
Mail version 8.1.2 01/15/2001. Type ? for help.
"/var/mail/pax": 1 message 1 new
>N 1 [email protected] Sat Jun 14 10:25 16/629 hello
& _

you should try it with a local address first
Was This Post Helpful? 0
  • +
  • -

#6 Atli  Icon User is offline

  • Enhance Your Calm
  • member icon

Reputation: 4238
  • View blog
  • Posts: 7,216
  • Joined: 08-June 10

Re: cannot send email from script

Posted 01 September 2015 - 04:02 AM

View Postcodespook, on 01 September 2015 - 01:50 AM, said:

I found this on hostgator site
http://support.hostg...ndmail-with-php

It's more wordy, but it's the same thing I'm ding though

The code that article shows is pretty poor. It's got some flawed logic in there, is open to some basic security issues (XSS), and uses a switch statement in a very odd manner. And it's always a huge red flag when scripts routinely use the @ symbol to hide errors.

Here is a slightly less poorly written version of that script. I've explained the reasons for the differences in the comments.
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // A function to test the input values. Far less messy and reusable then the SWITCH.
    function validateInput() {
        // These fields were apparently just being checked against being empty.
        // So lets simplify that, and remove all those pointless IF clause.
        $validateNotEmpty = array(
            "fname" =>  "First Name required. Please try again.",
            "lname" => "Last Name required. Please try again.",
            "saddy" => "Street Address required. Please try again.",
            "scity" => "City required. Please try again.",
        );
        foreach ($validateNotEmpty as $fieldName => $errorMessage) {
            if (empty($_POST[$fieldName])) {
                return $errorMessage;
            }
        }

        // Instead of using a custom regex to validate emails, you can use
        // the build int filter_input and filter_var functions.
        if (!filter_input(INPUT_POST, "femail", FILTER_VALIDATE_EMAIL)) {
            return "Primary Email Address is incorrect. Please try again.";
        }
        if (!filter_input(INPUT_POST, "f2email", FILTER_VALIDATE_EMAIL)) {
            return "Secondary Email Address is incorrect. Please try again.";
        }

        // These are custom validations, so lets leave them as they were.
        if (!preg_match("/^[0-9A-Za-z -]+$/", $_POST['szip']))  {
            return "Zip/Post Code required. Please try again.";
        }
        if (!preg_match("/^[0-9 #\-\*\.\(\)]+$/", $_POST['fphone1'])) {
            return "Phone Number 1 required. No letters, please.";
        }

        return false;
    }

    // Validate and make sure there are no errors, before sending.
    $message = validateInput();
    if (!$message) {
        // Compose the email. Note that I'm am reading the values directly
        // from the $_POST array. There is no point assigning them to
        // local variables unless you intend to do something with them.
        // If the only thing you do is print/show them, then it's pointless.
        $emess = "First Name: " . $_POST['fname'] . "\n";
        $emess.= "Middle Name: ". $_POST['mname'] ."\n";
        $emess.= "Last Name: ". $_POST['lname'] ."\n";
        $emess.= "Email 1: ". $_POST['femail'] ."\n";
        $emess.= "Email 2: ". $_POST['f2email'] ."\n";
        $emess.= "Street Address: ". $_POST['saddy'] ."\n";
        $emess.= "Apt/Ste: ". $_POST['sapt'] ."\n";
        $emess.= "City: ". $_POST['scity'] ."\n";
        $emess.= "State: ". $_POST['sstate'] ."\n";
        $emess.= "Zip/Post Code:". $_POST['szip'] ."\n";
        $emess.= "Country: ". $_POST['scountry'] ."\n";
        $emess.= "Phone number 1: ". $_POST['fphone1'] ."\n";
        $emess.= "Phone number 2: ". $_POST['fphone2'] ."\n";
        $emess.= "Phone number 3: ". $_POST['fphone3'] ."\n";
        $emess.= "Comments: ". $_POST['fsendmail'] ;

        $myemail = "[email protected]";
        $ehead = "From: ". $_POST['femail'] ."\r\n";
        $subj = "An Email from ".$_POST['fname']." ".$_POST['mname']." ".$_POST['lname']."!";

        // Checking the return value of function is always best.
        // Otherwise the function might fail without you ever noticing.
        if (mail($myemail, $subj, $emess, $ehead)) {
            header("Location: thank_you.html");
            exit; // Always remember the "exit" after a header location!
        }
        else {
            $message = "Could not send email. Please try again.";
        }
    }
}

// A small function to simplify re-displaying values in the input elements.
// It'll validate and sanitize the field value, to avoid XSS attacks.
function getField($name) {
    if (!empty($_POST[$name])) {
        return htmlentities($_POST[$name], ENT_QUOTES, "UTF-8");
    }
    return "";
}
?>

<!DOCTYPE HTML>
<html>
<head>
    <title>Email Form</title>
    <meta charset="UTF-8">
</head>
<body>
<form action="email_form.php" method="POST">
    <p>* Required fields</p>
    <?php
    if (!empty($message)) {
        echo '<p style="color:red;">'.$message.'</p>';
    }
    ?>
    <table border="0" width="500">
        <tr><td align="right">* First Name: </td>
            <td><input type="text" name="fname" size="30" value="<?php echo getField("fname") ?>"></td></tr>
        <tr><td align="right">Middle Name: </td>
            <td><input type="text" name="mname" size="30" value="<?php echo getField("mname") ?>"></td></tr>
        <tr><td align="right">* Last Name: </td>
            <td><input type="text" name="lname" size="30" value="<?php echo getField("lname") ?>"></td></tr>
    </table>
    <p>
    <table border="0" width="500">
        <tr><td align="right">* Primary Email: </td>
            <td><input type="text" name="femail" size="30" value="<?php echo getField("femail") ?>"></td></tr>
        <tr><td align="right">Secondary Email: </td>
            <td><input type="text" name="f2email" size="30" value="<?php echo getField("f2email") ?>"></td></tr>
    </table>
    <p>
    <table border="0" width="600">
        <tr><td align="right">* Street Address: </td>
            <td><input type="text" name="saddy" size="40" value="<?php echo getField("saddy") ?>"></td></tr>
        <tr><td align="right">Apartment/Suite Number: </td>
            <td><input type="text" name="sapt" size="10" value="<?php echo getField("sapt") ?>"></td></tr>
        <tr><td align="right">* City: </td>
            <td><input type="text" name="scity" size="30" value="<?php echo getField("scity") ?>"></td></tr>
        <tr><td align="right">State: </td>
        <td><input type="text" name="sstate" size="10" value="<?php echo getField("sstate") ?>"></td></tr>
        <tr><td align="right">* Zip/Post Code: </td>
            <td><input type="text" name="szip" size="10" value="<?php echo getField("szip") ?>"></td></tr>
        <tr><td align="right">Country: </td>
            <td><input type="text" name="scountry" size="30" value="<?php echo getField("scountry") ?>"></td></tr>
    </table>
    <p>
    <table border="0" width="500">
        <tr><td align="right">* Phone Number 1: </td>
            <td><input type="text" name="fphone1" size="20" value="<?php echo getField("fphone1") ?>"></td></tr>
        <tr><td align="right">Phone Number 2: </td>
            <td><input type="text" name="fphone2" size="20" value="<?php echo getField("fphone2") ?>"></td></tr>
        <tr><td align="right">Phone Number 3: </td>
            <td><input type="text" name="fphone3" size="20" value="<?php echo getField("fphone3") ?>"></td></tr>
    </table>
    <p>
    <table border="0" width="500"><tr><td>
                Comments:<br />
                <TEXTAREA name="fsendmail" ROWS="6" COLS="60"><?php echo  getField("fsendmail"); ?></TEXTAREA>
            </td></tr>
        <tr><td align="right"><input type="submit" value="Send Now">
            </td></tr>
    </table>
</form>
</body>
</html>


Was This Post Helpful? 0
  • +
  • -

#7 astonecipher  Icon User is offline

  • Too busy for this
  • member icon

Reputation: 2329
  • View blog
  • Posts: 9,356
  • Joined: 03-December 12

Re: cannot send email from script

Posted 01 September 2015 - 05:06 AM

An example of when to use the error suppressor is something like this:


<form>
<input type='text' name='last_name' value='<?php echo @$_POST['last_name']; ?>'>
</form>


Using the error suppressor here is trivial. But, it works in the same manner as this:

<form>
<input type='text' name='last_name' value='<?php if ( isset( $_POST['last_name'] ) echo $_POST['last_name']; ?>'>
</form>


Without being wordy. Others dislike this as well, but it is an appropriate usage, because the worse it will do is say 'undefined variable'.
Was This Post Helpful? 0
  • +
  • -

#8 Atli  Icon User is offline

  • Enhance Your Calm
  • member icon

Reputation: 4238
  • View blog
  • Posts: 7,216
  • Joined: 08-June 10

Re: cannot send email from script

Posted 01 September 2015 - 07:19 AM

I'll have to strongly disagree with that advice.
An "undefined" message is not even close to being the worst outcome from that kind of usage.

You are making the form wide open to XSS attacks.

All an attacker would have to do is fake a request like this, and they could run whatever JS code they wanted.
POST /email_form.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 92

last_name=%27%3E%3Cscript%3Ealert%28%27This+is+not+a+good+idea%21%27%29%3C%2Fscript%3E%3C%27



You'd always have to introduce some sort of validation and/or sanitation, in which case dumping it all into the HTML, into that one line, is going to be a pain. Using a function, like the one I used in my previous snippet, would be preferable in pretty much all scenarios.
Was This Post Helpful? 0
  • +
  • -

#9 astonecipher  Icon User is offline

  • Too busy for this
  • member icon

Reputation: 2329
  • View blog
  • Posts: 9,356
  • Joined: 03-December 12

Re: cannot send email from script

Posted 01 September 2015 - 07:32 AM

If that is how it came across, that is not what I meant. Now, can you show how that attack would be different if someone used this :
<input type='text' name='last_name' value='<?php if ( isset( $_POST['last_name'] ) echo $_POST['last_name']; ?>'>


instead of the error suppressor? Because, I don't see a difference. If the value is there it displays. If not, it hides the warning.
Was This Post Helpful? 0
  • +
  • -

#10 Atli  Icon User is offline

  • Enhance Your Calm
  • member icon

Reputation: 4238
  • View blog
  • Posts: 7,216
  • Joined: 08-June 10

Re: cannot send email from script

Posted 01 September 2015 - 09:03 AM

There is obviously no difference. Those are just two ways to do the same thing.
Both of which are inappropriate.

I get what you were trying to get across there, but you did it in possibly the worst way imaginable. Less experienced developers won't get the danger inherent in your example.

In general, the error suppression symbol is a shortcut around proper validation and/or sanitation. There are obviously some cases where it can be used in an acceptable way, but not one of those come anywhere near raw user input, like you get from the $_POST array.


Which is why I advice people to stay clear of it, unless they absolutely understand what it is doing under the circumstances, and the effect it will have. It can be a dangerous tool if people don't fully comprehend it, both (as in this case) as far as security goes, and by making debugging a pain.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1