#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    5
    Rep Power
    0

    Mail () function not working with variable declared for destination e-mail


    Have been struggling for long with this problem now!!
    I am using the following to send web based e-mail

    mail($to, $subject, $mailcontent, $headers);

    Variables declared as below and obtained from a submitted form or extracted from a database:

    $to = "To: ".$seller_email. "\r\n"; or $to =$seller_email;

    $subject = "You have a potential buyer for your photography equipment";

    $mailcontent = "Name of Potential Buyer: ".$buyer_name."\n".
    "Address of Potential Buyer: ".$buyer_email."\n".
    "Comments From Potential Buyer:\n".$buyer_message."\n";

    $headers .= "From: ".$buyer_mail. "\r\n";
    $headers .= "Reply-To: ".$buyer_email. "\r\n";
    $headers .= "Bcc: some e-mail address" . "\r\n";

    All work fine except the $to, mail is not delivered to the declared email address, $subject, $mailcontent and $headers are all delivered correctly to the Bcc: email address but not the $to email address.

    No error message from PHP, mail is just not delivered to the $to email address.

    pcvver

    please help
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    13,997
    Rep Power
    9397
    If you need anything beyond a very simple email, like including headers, then don't do it yourself and use something like PHPMailer instead. It's a project dedicated to sending emails in PHP and so they do it very well. Plus it's easier to use.

    With $to=$seller_email (the other form is wrong) your email might not be arriving due to things like spam detection. Emails sent with PHPMailer will be less likely to be blocked.
    Last edited by requinix; December 18th, 2013 at 02:36 PM.
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    189
    Rep Power
    0
    This is what your code has to look like:

    PHP Code:
    $to = "user@domain.com";
    //
    //or some var containing something exactly like that
    //
    //
    $subject = "You have a potential buyer for your photography equipment";
    //
    // perfect
    //
    //
    $mailcontent = "Name of Potential buyer: $buyer_name\nAddress of Potential Buyer: $buyer_email\nComments From Potential Buyer:\n$buyer_message\n";
    //
    // don't need all those concatenations.
    //
    $headers = "From: $buyer_mail\r\n";
    $headers .= "Reply-To: $buyer_email\r\n";
    $headers .= "Bcc: some e-mail address\r\n";
    //
    //
    if (mail($to, $subject, $mailcontent, $headers))
       echo "Mail has been sent";
    else
       echo "Mail send failed";
    This code works for me in several (low-volume) scripts.
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    5
    Rep Power
    0

    Mail () not working


    Dear Jimmy,

    I have used the code in various projects with great success, the difference with this one is that I extract the $to email address from a db, so the e-mail address is different depending on the row being extracted from the db. If I declare the $to = "valid_email address", then it works perfectly.
    It is when I declare the $to = some_variable; that it fails to work, I even tried: $to=$row["email"]; when extracting it from the db, when I print/echo like this: echo $to; the correct email address is reflected but it fails to send the mail with mail().

    Thanks for your code, it is much cleaner and I will be using it in future.
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    189
    Rep Power
    0
    So - the obvious conclusion is that your stored data is that old devil - garbage! Why? Have you made any validation on the email address or attempted to verify it with the user before storing it?
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    5
    Rep Power
    0

    mail ()


    Hi Jimmy,

    All submitted info is validated and also protected with captcha, email is validated as follows:

    if (filter_var($email, FILTER_VALIDATE_EMAIL)===false)
    {
    $error.= "Invalid e-mail address format!";
    }

    I also confirmed that the e-mail that I am using to do the testing is valid and correct, I actually use my own e-mail for testing purposes.

    pcvver
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    189
    Rep Power
    0
    Since you feel that the value pulled from the db is the problem, are you echoing it as part of your debugging?
  14. #8
  15. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    5
    Rep Power
    0

    mail()


    Originally Posted by jimmyg999
    Since you feel that the value pulled from the db is the problem, are you echoing it as part of your debugging?
    I have and it echoes/prints correctly
  16. #9
  17. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    I'm actually surprised that your code does anything given that you happily dump all kinds of raw variables into the email headers without any escaping whatsoever. This is also the perfect opportunity for an attack.

    Do yourself a favor and stop fumbling with low-level SMTP. There are many, many excellent mailer libraries like the already mentioned PHPMailer. Use them.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  18. #10
  19. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    5
    Rep Power
    0

    Mail() Function problem resolved


    Thanks to all the replies, I actually managed to figure it out, for some reason PHP does not like to take an e-mail address from a database and then store it in a variable and then use it in the mail () function. So I extracted it from the db and submitted it in a hidden field with the rest of the info via the form, it now works 100%.

    Looked at phpmailer and will use in future projects.

    Jacques, can you please elaborate on your comment so that I can rectify the problem, not too sure exactly what you mean by: "given that you happily dump all kinds of raw variables into the email headers without any escaping whatsoever. This is also the perfect opportunity for an attack." Please explain how to prevent attacks.
  20. #11
  21. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by pcvver
    Please explain how to prevent attacks
    By using the already mentioned PHPMailer.

    You can't just take a variable and freely insert it into the e-mail headers or the body. If the variable is defined by the user, this allows them to inject their own headers and manipulate the e-mail body. For example, they could attach a malicious file and send it to a victim through an extra To header. And you will be the one who has sent the e-mail.

    Never, ever insert raw variables into a critical context. This leads to code injection attacks, which can have terrible consequences. Depending on where exactly the attack happens, an attacker might take over your whole server.

    Read The 6 worst sins of security. They don't cover e-mail injections explicitly (maybe I should add that), but you should get a basic understanding of why you need to properly escape variables.

    Even if there's no concrete danger, this programming style is extremely risky, error-prone and just bad. I know that's how many "tutorials" teach PHP. But that doesn't make it right. It shows that a lot of the "tutorials" out there are crap -- starting with the use of mail().
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
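
The point made in the last reply about raw variables in e-mail headers, as an added example that is not part of the thread or any poster's code: every value that reaches a header is validated and rejected if it contains a line break, and free text stays in the body. The function names, the fixed `noreply@example.com` sender and the idea that the seller address is looked up on the server (rather than taken from a form field) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. All addresses are constructed;
// noreply@example.com and the server-side seller lookup are assumptions.

/** Return a usable address, or null if it is malformed or carries CR/LF. */
function clean_address(string $raw): ?string
{
    $addr = trim($raw);
    if (preg_match('/[\r\n]/', $addr)) {
        return null; // an embedded line break would start a new header
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) === false ? null : $addr;
}

/** Build the four mail() arguments; null when any address is rejected. */
function build_buyer_mail(string $sellerEmail, string $buyerName,
                          string $buyerEmail, string $buyerMessage): ?array
{
    $to    = clean_address($sellerEmail);
    $reply = clean_address($buyerEmail);
    if ($to === null || $reply === null) {
        return null;
    }
    // Only validated addresses reach the headers; From is a fixed site address.
    $headers = "From: noreply@example.com\r\n"
             . "Reply-To: $reply\r\n";
    // Free text goes in the body only; control characters in the name
    // are replaced with spaces so it stays on one line.
    $name = preg_replace('/[\x00-\x1F\x7F]/', ' ', $buyerName);
    $body = "Name of Potential Buyer: $name\n"
          . "Address of Potential Buyer: $reply\n"
          . "Comments From Potential Buyer:\n$buyerMessage\n";
    $subject = 'You have a potential buyer for your photography equipment';
    return [$to, $subject, $body, $headers];
}

// Constructed inputs: a normal submission, and one whose e-mail field
// carries an extra header line after a CR/LF.
$ok  = build_buyer_mail('seller@example.com', 'Pat',
                        'buyer@example.org', 'Is it still for sale?');
$bad = build_buyer_mail('seller@example.com', 'Pat',
                        "buyer@example.org\r\nBcc: other@example.net", 'Hi');

var_dump($ok !== null, $bad === null);
// A caller would send only when the build succeeded: mail(...$ok);
```

A mailer library such as the PHPMailer mentioned in the thread performs this kind of header handling for you; the sketch only shows what has to be checked when `mail()` is called directly.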
