메일
If the Cc or Bcc lines appear in the message body, make sure you're separating header lines with a new line (\n) rather than a carriage return-new line (\r\n). That should come at the very end of the headers.
(PHP 4, PHP 5)
mail — 메일을 보냅니다.
설명
bool mail
( string $to
, string $subject
, string $message
[, string $additional_headers
[, string $additional_parameters
]] )
mail()은 자동적으로 message 에 지정한 메세지를 to 에 지정한 수신자에게 메일을 보냅니다. 복수 수신자는 to 에 콤마로 구분한 각각의 어드레스를 지정할 수 있습니다. 부가 요소와 특별한 형태의 내용을 가진 Email을 이 함수를 이용하여 보낼 수 있습니다. MIME-encoding을 이용하여 이루어집니다 - 자세한 정보는 » 젠드 아티클이나 » PEAR Mime 클래스를 참고하십시오.
다음의 RFC도 유용합니다: » RFC 1896, » RFC 2045, » RFC 2046, » RFC 2047, » RFC 2048, » RFC 2049.
mail()은 메일 전달이 성공하면 TRUE를, 그 외의 경우에는 FALSE를 반환합니다.
Warning
mail()의 윈도우즈판은 유닉스판과 많은 점에서 차이가 있습니다. 첫번째, 메세지를 작성할 때 로컬 바이너리를 사용하지 않고, 단지 직접 소켓 연결을 합니다. MTA가 네트워크 소켓을 리스닝하고 있을 필요가 있습니다. (localhost나 원격 머신 어디든지 가능합니다) 둘째, From:, Cc:, Bcc:, Date: 등의 사용자 헤더는 MTA에서 해석하지 않고, PHP에서 처리를 합니다. PHP < 4.3은 Cc: 헤더 요소(대소문자 구별)만을 지원합니다. PHP >= 4.3은 위의 모든 헤더 요소를 지원하고, 대소문자를 구별하지 않습니다.
Example#1 메일 보내기.
<?php
mail("joecool@example.com", "My Subject", "Line 1\nLine 2\nLine 3");
?>
네번째 문자열 인자가 주어지면, 문자열은 헤더의 마지막에 추가됩니다. 일반적으로 기타 헤더를 추가할 때 사용합니다. 복수의 헤더는 캐리지리턴과 뉴라인으로 구별합니다.
Note: 헤더 구분에는 \r\n을 사용해야만 합니다. 일부 유닉스 메일 전송 에이전트는 하나의 뉴라인(\n)과는 작동하지 않습니다.
Example#2 추가 헤더를 지정해서 메일 보내기.
<?php
mail("nobody@example.com", "the subject", $message,
"From: webmaster@{$_SERVER['SERVER_NAME']}\r\n" .
"Reply-To: webmaster@{$_SERVER['SERVER_NAME']}\r\n" .
"X-Mailer: PHP/" . phpversion());
?>
additional_parameters 인자는 메일을 보낼 때 사용하는 sendmail_path 설정에 있는 프로그램에 추가 인자를 넘깁니다. 예를 들어, 센드메일을 사용할때 인증 전송자 주소를 지정하는 -f 센드메일 옵션을 사용하게 할 수 있습니다. 이 방법으로 인증 전송자를 지정했을 때 'X-warning'헤더가 메세지에 추가되는 것을 막기 위해서는 센드메일 설정에 웹 서버를 실행하는 유저를 추가해야 합니다.
Example#3 추가 헤더와 추가 명령줄 인자를 지정하여 메일 보내기.
<?php
mail("nobody@example.com", "the subject", $message,
"From: webmaster@{$_SERVER['SERVER_NAME']}", "-fwebmaster@{$_SERVER['SERVER_NAME']}");
?>
Note: 다섯번째 인자는 PHP 4.0.5에서 추가되었고, PHP 4.2.3부터 이 인자는 안전 모드에서는 사용할 수 없습니다. 이를 사용하려고 하면 mail() 함수는 경고 메세지를 출력하고 FALSE를 반환합니다.
복잡한 email 메세지를 작성하기 위해 간단한 문자열 작성 테크닉을 사용할 수 있습니다.
Example#4 복잡한 메일 보내기.
<?php
/* recipients */
$to = "mary@example.com" . ", " ; // 콤마인 것에 주의.
$to .= "kelly@example.com";
/* subject */
$subject = "Birthday Reminders for August";
/* message */
$message = '
<html>
<head>
<title>Birthday Reminders for August</title>
</head>
<body>
<p>Here are the birthdays upcoming in August!</p>
<table>
<tr>
<th>Person</th><th>Day</th><th>Month</th><th>Year</th>
</tr>
<tr>
<td>Joe</td><td>3rd</td><td>August</td><td>1970</td>
</tr>
<tr>
<td>Sally</td><td>17th</td><td>August</td><td>1973</td>
</tr>
</table>
</body>
</html>
';
/* HTML 메일을 보내려면, Content-type 헤더를 설정해야 합니다. */
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
/* 추가 헤더 */
$headers .= "To: Mary <mary@example.com>, Kelly <kelly@example.com>\r\n";
$headers .= "From: Birthday Reminder <birthday@example.com>\r\n";
$headers .= "Cc: birthdayarchive@example.com\r\n";
$headers .= "Bcc: birthdaycheck@example.com\r\n";
/* 그리고 메일을 보냅니다. */
mail($to, $subject, $message, $headers);
?>
Note: to 나 subject 에 어떠한 뉴라인 문자도 존재해서는 안됩니다. 그렇지 않으면, 메일은 정상적으로 보내지지 않을 수 있습니다.
Note: to 인자는 "Something <someone@example.com>" 형태로 주어져서는 안됩니다. mail 명령은 MTA와 통신할 때 이를 정상적으로 처리하지 못할 수 있습니다. (특히 윈도우즈에서)
참고: imap_mail().
add a note
User Contributed Notes
bob
15-Jul-2008 01:51
15-Jul-2008 01:51
akam
28-May-2008 06:55
28-May-2008 06:55
There differenece in body, headers of email (with attachment, without attachment), see this complete example below:
work great for me (LINUX , WIN) and (Yahoo Mail, Hotmail, Gmail, ...)
<?php
$to = $_POST['to'];
$email = $_POST['email'];
$name = $_POST['name'];
$subject = $_POST['subject'];
$comment = $_POST['message'];
$To = strip_tags($to);
$TextMessage =strip_tags(nl2br($comment),"<br>");
$HTMLMessage =nl2br($comment);
$FromName =strip_tags($name);
$FromEmail =strip_tags($email);
$Subject =strip_tags($subject);
$boundary1 =rand(0,9)."-"
.rand(10000000000,9999999999)."-"
.rand(10000000000,9999999999)."=:"
.rand(10000,99999);
$boundary2 =rand(0,9)."-".rand(10000000000,9999999999)."-"
.rand(10000000000,9999999999)."=:"
.rand(10000,99999);
for($i=0; $i < count($_FILES['youfile']['name']); $i++){
if(is_uploaded_file($_FILES['fileatt']['tmp_name'][$i]) &&
!empty($_FILES['fileatt']['size'][$i]) &&
!empty($_FILES['fileatt']['name'][$i])){
$attach ='yes';
$end ='';
$handle =fopen($_FILES['fileatt']['tmp_name'][$i], 'rb');
$f_contents =fread($handle, $_FILES['fileatt']['size'][$i]);
$attachment[]=chunk_split(base64_encode($f_contents));
fclose($handle);
$ftype[] =$_FILES['fileatt']['type'][$i];
$fname[] =$_FILES['fileatt']['name'][$i];
}
}
/***************************************************************
Creating Email: Headers, BODY
1- HTML Email WIthout Attachment!! <<-------- H T M L ---------
***************************************************************/
#---->Headers Part
$Headers =<<<AKAM
From: $FromName <$FromEmail>
Reply-To: $FromEmail
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="$boundary1"
AKAM;
#---->BODY Part
$Body =<<<AKAM
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="$boundary1"
This is a multi-part message in MIME format.
--$boundary1
Content-Type: text/plain;
charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
$TextMessage
--$boundary1
Content-Type: text/html;
charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
$HTMLMessage
--$boundary1--
AKAM;
/***************************************************************
2- HTML Email WIth Multiple Attachment <<----- Attachment ------
***************************************************************/
if($attach=='yes') {
$attachments='';
$Headers =<<<AKAM
From: $FromName <$FromEmail>
Reply-To: $FromEmail
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="$boundary1"
AKAM;
for($j=0;$j<count($ftype); $j++){
$attachments.=<<<ATTA
--$boundary1
Content-Type: $ftype[$j];
name="$fname[$i]"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="$fname[$j]"
$attachment[$j]
ATTA;
}
$Body =<<<AKAM
This is a multi-part message in MIME format.
--$boundary1
Content-Type: multipart/alternative;
boundary="$boundary2"
--$boundary2
Content-Type: text/plain;
charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
$TextMessage
--$boundary2
Content-Type: text/html;
charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
$HTMLMessage
--$boundary2--
$attachments
--$boundary1--
AKAM;
}
/***************************************************************
Sending Email
***************************************************************/
$ok=mail($To, $Subject, $Body, $Headers);
echo $ok?"<h1> Mail Sent</h1>":"<h1> Mail not SEND</h1>";
?>
fogidas at yahoo dot com
14-May-2008 04:18
14-May-2008 04:18
I think gmail works fine without adding '\n\n' , what doesn't seem to work is the Reply To header. Has anyone paid attention if you try to reply the mail it takes "From " email and not Reply to.
jyotsnachannagiri at gmail dot com
06-May-2008 01:09
06-May-2008 01:09
If you are sending an email to Gmail account you need to add two "\n\n" at the end of headers (Don't use single "\n"). If you use single "\n" all the headers will be displayed in the message when received person is viewing the message.
Example:
$headers = "MIME-Version: 1.0 "."\n";
$headers .= "Content-type: text/html; charset=iso-8859-1 "."\n";
..........
.......
$headers .= "......"."\n\n";
ben at ben-griffiths dot com
27-Mar-2008 02:45
27-Mar-2008 02:45
As [apdhanushka at yahoo dot com] stated, you could use PHPMailer to get around being placed in the Spam folder, however I would also reccomend Swiftmailer:
http://www.swiftmailer.org/
apdhanushka at yahoo dot com
30-Jan-2008 04:21
30-Jan-2008 04:21
Are you getting spammed while sendig emails using php mail() function to yahoo or hotmail?
It is a common problem for all using php mail function. To solve this there
are so many answers I have seen in the internet and they do not hit problem
correctly.
Actually the problem here is if we send mails using php mail function we do
not have a signature and other mailing systems thinks that we are spamers.
So the solution is using a free remote smtp host like gmail to send our mails.
It is not hard because we have a free php smtp project called PHPMailer. You
can download it from http://sourceforge.net/project/showfiles.php?group_id=26031.
You do not need to install it on your server and you can upload it to the server with your code.
It is very easy to understand how it is used to send mails using examples
zipped with PHPMailer. The following code is to send emails using gmail and
to do that you have to have a gmail mail account. Which can easily be created
by visiting http://gmail.com. Your mails will
send using that mail account and they will never become spams...
You can follow the following link to get the code to send emails using gmail's free smtp service.
http://bestdeveloper.blogspot.com/
apdhanushka at yahoo dot com
30-Jan-2008 12:05
30-Jan-2008 12:05
It is a common problem for all using php mail function. To solve this there
are so many answers I have seen in the internet and they do not hit problem
correctly.
Actually the problem here is if we send mails using php mail function we do
not have a signature and other mailing systems thinks that we are spamers.
So the solution is using a free remote smtp host like gmail to send our mails.
It is not hard because we have a free php smtp project called PHPMailer. You can download it from http://sourceforge.net/project/showfiles.php?group_id=26031 .
You do not need to install it on your server.
It is very easy to understand how it is used to send mails using examples
zipped with PHPMailer. The following code is to send emails using gmail and
to do that you have to have a gmail mail account. Which can easily be created
by visiting http://gmail.com. Your mails will
send using that mail account and they will never become spams...
To see the complete code for sending emails use following link
http://bestdeveloper.blogspot.com
jano ATSOMERANDOMTEXTjanogarcia es
28-Jan-2008 02:31
28-Jan-2008 02:31
This is a simple and quick (dirty?) fix for encoding long UTF-8 email subjects.
<?php
$subject= mb_encode_mimeheader($subject,"UTF-8", "B", "\n");
?>
Changing the $transfer_encoding parameter* from B (Base64) to Q (Quoted-Printable) seems to work too.
*See the mb_encode_mimeheader documentation here http://php.net/manual/en/function.mb-encode-mimeheader.php
This one is based on the previously posted solution by J.Halmu http://php.net/manual/en/function.mail.php#75886 , added the two last parameters to prevent long subjects from breaking the email. It worked flawlessly on a RHEL environmet. No further tests, sorry.
Tomix
17-Jan-2008 07:53
17-Jan-2008 07:53
send e-mail in utf-8
there is already a solution from omgs. but with a longer subject line there could be problem (splitting the subject line in a encoded character).
here my solution:
----
// hmm no better solution?
function imap8bit(&$item, $key) {
$item = imap_8bit($item);
}
function email($e_mail, $subject, $message, $headers)
{
// add headers for utf-8 message
$headers .= "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/plain; charset=utf-8\r\n";
$headers .= "Content-Transfer-Encoding: quoted-printable\r\n";
// encode subject
//=?UTF-8?Q?encoded_text?=
// work a round: for subject with wordwrap
// not fixed, no possibility to have one in a single char
$subject = wordwrap($subject, 25, "\n", FALSE);
$subject = explode("\n", $subject);
array_walk($subject, imap8bit);
$subject = implode("\r\n ", $subject);
$subject = "=?UTF-8?Q?".$subject."?=";
// encode e-mail message
$message = imap_8bit($message);
return(mail("$e_mail", "$subject", "$message", "$headers"));
}
I.Ruau
02-Dec-2007 06:23
02-Dec-2007 06:23
I recently searched for a decent regex to *correctly* validate e-mail addresses according to RFC-2822.
Most regexes I found on the web (including in the comments here) are way too strict.
Then I stumbled upon this compliant parser:
http://code.iamcal.com/php/rfc822/?C=D;O=A
FWIW here is the complete, unrolled regex... which is quite edifying! ;-)
http://code.iamcal.com/php/rfc822/full_regexp.txt
Hope this helps.
hn at nesland dot net
02-Nov-2007 05:37
02-Nov-2007 05:37
Tired of idiots and imbeciles who creates unsecure php-code and lets spammers abuse mail()? Try this dirty trick:
With auto_prepend, prepend this file:
<?php
// You need to install pecl-module, runkit.
dl("runkit.so");
// We could rename the function, but that currently makes my apache segfault, but this works :-P
runkit_function_copy ( "mail","intmail" );
runkit_function_remove( "mail" );
function mail( $to, $subject, $message, $additional_headers = null, $additional_parameters = null ) {
$___domain = $_SERVER['SERVER_NAME'];
$fp = fopen("/tmp/my_super_mail_logg", "a");
fwrite( $fp, date("d.m.y H:i:s") . " " . $___domain . ": $to / $subject\n");
fclose( $fp );
return intmail( $to, $subject, $message, $additional_headers, $additional_parameters );
}
?>
You probably shouldn't log to /tmp, or any other place as the webserver-user, see syslog-functions ;)
And of course you can manipulate the different parameters, like adding custom headers to each email (For instance; "X-From-Web: {$_SERVER['SERVER_NAME']}")..
Ben
03-Oct-2007 11:14
03-Oct-2007 11:14
There was a comment that
mail("User Name <username@email.com>","Subject Here",$msg,"From: us@mysite.com");
does not work. I've always used that and never had any issues - from Linux servers. I don't see how this could be different in IE vs Firefox; I've always gotten the same result in both. Just tried it on a Windows server and got this as a bounce back:
<User Name <username@email.com>:
x.x.x.x does not like recipient.
Remote host said: 550 Requested action not taken: 550 No such recipient
Giving up on x.x.x.x.
(Details changed to protect the innocent/guilty (for using a Windows server))
Took me a while to find the bounce until I used ini_set('sendmail_from', 'my@account');
So it is probably trying to deliver to "User Name <username" instead of simply "username".
largo at email dot pcleak dot com
03-Oct-2007 02:01
03-Oct-2007 02:01
hello ok i have this email form right and it is
<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail( "someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
i like it but i want to change like but i want it to ask for sending it "TOO" and it automatically post the sender
phpcoder at cyberpimp dot ig3 dot net
27-Sep-2007 08:51
27-Sep-2007 08:51
In addition to the $to parameter restrictions on Windows (ie. address can not be in "name <user@example.com>" format), the same restrictions apply to the parsed Cc and Bcc headers of the $additional_headers parameter.
However, you can include a To header in $additional_parameters which lists the addresses in any RFC-2822 format. (For display purposes only. You still need to list the bare addresses in the $to parameter.)
omgs
30-Aug-2007 01:57
30-Aug-2007 01:57
I haven't seen in this page a reference about how to properly handle subject encoding when using non-ascii characters. I've found that info at http://www.johanvanmol.org/content/view/34/37/1/3/, which I paste:
"According to RFC 2822, mail header fields, including the subject, MUST be composed of printable US-ASCII characters (i.e., characters that have values between 33 and 126, inclusive). So if you want a subject with accents, you must encode it from your original character set to a US-ASCII character set. There are 2 of ways to do this: quoted-printable or base64.
[...]
Now we have an encoded subject, but our mail reader won't know that. So we need to tell it by formatting our subject as follows: "=?" charset "?" encoding "?" encoded-text "?=" , where charset is the original character set and encoding is either "Q" for Quoted-Printable or "B" for Base64.
E.g The subject containing the Quoted-Printable ISO-8859-1 string "Voilà une message", is written as:
Subject: =?ISO-8859-1?Q?Voil=E0_une_message?=
The Base64 version of the ISO-8859-1 string is:
Subject: =?ISO-8859-1?B?Vm9pbOAgdW5lIG1lc3NhZ2U=?=
The Quoted-Printable version of the UTF-8 string is:
Subject: =?UTF-8?Q?Voil=C3=A0_une_message?=
The Base64 version of the UTF-8 string is:
Subject: =?UTF-8?B?Vm9pbMOgIHVuZSBtZXNzYWdl?=
"
"Raw" non-encoded subjects can work and modern mail clients handle it properly, but I found that at least using utf-8 as encoding, the spam analizers complain stating "BAD HEADER Non-encoded 8-bit data". To prevent this, and taking the info above, I decided to use base64, which at least seems to have specific functions (and because it works, of course). So, one could use the following code:
<?php
...
$charset='UTF-8';
$subject='Subject with extra chars: áéíóú';
$encoded_subject="=?$charset?B?".base64_encode($subject)."?=\n";
$to=mail@foo.com;
$body='This is the body';
$headers="From: ".$from."\n"
. "Content-Type: text/plain; charset=$charset; format=flowed\n"
. "MIME-Version: 1.0\n"
. "Content-Transfer-Encoding: 8bit\n"
. "X-Mailer: PHP\n";
mail($to,$encoded_subject, $body,$headers);
?>
Of course, this can be "enhanced" by encoding only if there are non-ASCII characters, but I don't think I need it. Maybe the CPU work, used time and results don't deserve it.
Gianluigi_Zanettini-MegaLab.it
09-Aug-2007 11:57
09-Aug-2007 11:57
Please note that using an address in this format "Zane, CEO - MegaLab.it" <myaddrr@mydomain> (" are needed due to comma) works as expected under *nix, but WON'T WORK under Windows.
This is an example
<?php
mail("\"Zane, CEO - MegaLab.it\" <myaddrr@mydomain>", "prova da test_zane", "dai funziona...");
?>
It works under *unix, but it doensn't under Win: different error are reported:
Warning: mail() [function.mail]: SMTP server response: 553 5.0.0 <"Zane>... Unbalanced '"'
Warning: mail() [function.mail]: SMTP server response: 501 5.5.4 Invalid Address
pavolzetor at gmail dot com
01-Aug-2007 08:47
01-Aug-2007 08:47
if you send mail to gmail.com you don't use "\r\n" and you use only "\n" in headers
bsaul at inwind dot it
23-Jun-2007 02:19
23-Jun-2007 02:19
First excuse me for bad english. I'm working on a function that send html or text or both, e-mail message. I try all the example but no one working on my system (windows XP with PostCast SMTP server). Finally i try this and work. I hope your find useful:
function mailTo ($from, $to, $oggetto, $contenuto, $type = "both", $reply = true) {
// If $contenuto == file reading
$messaggio = @file_get_contents( $content, 1);
if ($messaggio) { $contenuto = $messaggio; }
$messaggio = '';
// Standar Header
$crlf = chr(10) . chr(13);
$intestazione = "To: {$to}" . $crlf;
$intestazione .= "From: {$from}" . $crlf;
$intestazione .= "Return-Path: " . (($reply)? $from : substr_replace($from, "noreply", 0, strpos($from, '@'))) . $crlf;
$intestazione .= 'Reply-To: ' .(($reply)? $from : substr_replace($from, "noreply", 0, strpos($from, '@'))) . $crlf;
$intestazione .= 'X-Mailer: PHP/' . phpversion() . $crlf;
// MIME boundary
$separatore = 'PHP' . md5(uniqid(time()));
// MIME Header
$intestazione .= 'MIME-Version: 1.0' . $crlf;
switch ($type){
case 'html' :
// Header for client non MIME compatible
$intestazione .= 'Content-Type: text/html; charset=ISO-8859-15' . $crlf;
$intestazione .= 'Content-Transfer-Encoding: 7bit' . $crlf;
$messaggio .= "\n{$contenuto}\n";
break;
case 'both' :
$intestazione .= "Content-Type: multipart/alternative;\n\tboundary=\"" . $separatore . '"' . $crlf;
// Create message for no mime client
$messaggio .= "For English People: This is a multi-part message in MIME format.\nIf you are reading this, consider upgrading your e-mail client to a MIME-compatible client.\n";
$messaggio .= "For Italian People: Questo è un messaggio MIME.\nSe si stà leggendo questa nota, consigliamo l\'aggiornamento del programma di posta elettronica con uno compatibile MIME";
$messaggio .= "\n--{$separatore}\n";
$messaggio .= "Content-Type: text/plain; charset=ISO-8859-15\n";
$messaggio .= "Content-Transfer-Encoding: 7bit\n\n";
case 'text' :
$messaggio .= strip_tags($contenuto);
if ($type == 'both') {
$messaggio .= "\n--{$separatore}\n";;
$messaggio .= "Content-Type: text/html; charset=ISO-8859-15\n";
$messaggio .= "Content-Transfer-Encoding: 7bit\n";
$messaggio .= "\n{$contenuto}";
$messaggio .= "\n--{$separatore}\n";
}
}
// Send MAIL
return mail($to, $oggetto, $messaggio, $intestazione);
}
J.Halmu
20-Jun-2007 04:10
20-Jun-2007 04:10
I use text/plain charaset=iso-8859-1 and get bad headers complain from amavis. This helped me:
[code]
$subject = mb_encode_mimeheader('ääööö test test öäöäöä','UTF-8');
[/code]
php-version 5.2.2
Alex Jaspersen
30-May-2007 11:03
30-May-2007 11:03
For qmail users, I have written a function that talks directly to qmail-queue, rather than going through the sendmail wrapper used by mail(). Thus it allows more direct control over the message (for example, you can adapt the function to display "undisclosed recipients" in to the To: header). It also performs careful validation of the e-mail addresses passed to it, making it more difficult for spammers to exploit your scripts.
Please note that this function differs from the mail() function in that the from address must be passed as a _separate_ argument. It is automatically put into the message headers and _does not_ need to be included in $additional_headers.
$to can either be an array or a single address contained in a string.
$message should not contain any carriage return characters - only linefeeds.
No validation is performed on $additional_headers. This is mostly unnecessary because qmail will ignore any additional To: headers injected by a malicious user. However if you have some strange mail setup it might be a problem.
The function returns false if the message fails validation or is rejected by qmail-queue, and returns true on success.
<?php
function qmail_queue($to, $from, $subject, $message, $additional_headers = "")
{
// qmail-queue location and hostname used for Message-Id
$cmd = "/var/qmail/bin/qmail-queue";
$hostname = trim(file_get_contents("/var/qmail/control/me"));
// convert $to into an array
if(is_scalar($to))
$to = array($to);
// BEGIN VALIDATION
// e-mail address validation
$e = "/^[-+\\.0-9=a-z_]+@([-0-9a-z]+\\.)+([0-9a-z]){2,4}$/i";
// from address
if(!preg_match($e, $from)) return false;
// to address(es)
foreach($to as $rcpt)
{
if(!preg_match($e, $rcpt)) return false;
}
// subject validation (only printable 7-bit ascii characters allowed)
// needs to be adapted to allow for foreign languages with 8-bit characters
if(!preg_match("/^[\\040-\\176]+$/", $subject)) return false;
// END VALIDATION
// open qmail-queue process
$dspec = array
(
array("pipe", "r"), // message descriptor
array("pipe", "r") // envelope descriptor
);
$pipes = array();
$proc = proc_open($cmd, $dspec, $pipes);
if(!is_resource($proc)) return false;
// write additional headers
if(!empty($additional_headers))
{
fwrite($pipes[0], $additional_headers . "\n");
}
// write to/from/subject/date/message-ID headers
fwrite($pipes[0], "To: " . $to[0]); // first recipient
for($i = 1; $i < sizeof($to); $i++) // additional recipients
{
fwrite($pipes[0], ", " . $to[$i]);
}
fwrite($pipes[0], "\nSubject: " . $subject . "\n");
fwrite($pipes[0], "From: " . $from . "\n");
fwrite($pipes[0], "Message-Id: <" . md5(uniqid(microtime())) . "@" . $hostname . ">\n");
fwrite($pipes[0], "Date: " . date("r") . "\n\n");
fwrite($pipes[0], $message);
fwrite($pipes[0], "\n");
fclose($pipes[0]);
// write from address and recipients
fwrite($pipes[1], "F" . $from . "\0");
foreach($to as $rcpt)
{
fwrite($pipes[1], "T" . $rcpt . "\0");
}
fwrite($pipes[1], "\0");
fclose($pipes[1]);
// return true on success.
return proc_close($proc) == 0;
}
?>
James Butler
24-May-2007 12:15
24-May-2007 12:15
Re: "Second, the custom headers like From:, Cc:, Bcc: and Date: are not interpreted by the MTA in the first place, but are parsed by PHP.
As such, the to parameter should not be an address in the form of "Something <someone@example.com>". The mail command may not parse this properly while talking with the MTA."
SERVER:
PHP 5.0.4
Fedora Core 4
Apache 2.0
Sendmail 8.13.7
SMTP: localhost
CLIENT:
Windows 98SE
Mozilla Firefox 2.0.0.3
Microsoft Internet Explorer 6.0.2800.1106
COMMAND:
mail("User Name <username@email.com>","Subject Here",$msg,"From: us@mysite.com");
Using Firefox, no problems with the above command.
Using MSIE, won't send mail "to" address formatted as above.
COMMAND 2:
mail("username@email.com","Subject Here",$msg,"From: us@mysite.com");
Works fine from both clients.
I mention this because it appears there is some interaction between the client and MTA that is unaccounted for in the above quote from this doc page.
junk at hostelz dot com
21-Mar-2007 01:56
21-Mar-2007 01:56
Unless I'm confused, I suspect that in the code from "rsjaffe at gmail dot com" above, "\\r" and "\\n" should actually be "\r" and "\n".
Josh
09-Mar-2007 10:05
09-Mar-2007 10:05
While trying to send attachments I ran into the problem of having the beginning part of my encoded data being cut off.
A fact that I didn't see mentioned anywhere explicitly (except maybe in the RFC, which admittedly I didn't read fully) was that two newlines are required before you start the encoded data:
Content-Transfer-Encoding: base64\n
Content-Type: application/zip; name="test_file.zip"\n
\n //<--- if this newline isn't here your data will get cut off
DATA GOES HERE
hans111 at yahoo dot com
01-Mar-2007 08:54
01-Mar-2007 08:54
I had a lot of trouble trying to send multipart messages to gmail accounts until I discovered gmail does not like carriage returns, even under unix I have to use only new lines (\n) and forget about the (\r) . Other email clients such as eudora, outlook, hotmail or yahoo seem not to have issues about the "missing" \r . Hope it helps.
bigtree at dontspam dot 29a dot nl
28-Feb-2007 04:46
28-Feb-2007 04:46
Since lines in $additional_headers must be separated by \n on Unix and \r\n on Windows, it might be useful to use the PHP_EOL constant which contains the correct value on either platform.
Note that this variable was introduced in PHP 5.0.2 so to write portable code that also works in PHP versions before that, use the following code to make sure it exists:
<?php
if (!defined('PHP_EOL')) define ('PHP_EOL', strtoupper(substr(PHP_OS,0,3) == 'WIN') ? "\r\n" : "\n");
?>
andy at andybev dot com
19-Feb-2007 04:56
19-Feb-2007 04:56
I'm copying Ben Cooke's note from the main mail page into here because I didn't find it initially. The issue described below caused me a lot of problems because of Postfix converting a single \r\n into double new lines, resulting in corrupted mail.
=====================================================
Note that there is a big difference between the behavior of this function on Windows systems vs. UNIX systems. On Windows it delivers directly to an SMTP server, while on a UNIX system it uses a local command to hand off to the system's own MTA.
The upshot of all this is that on a Windows system your message and headers must use the standard line endings \r\n as prescribed by the email specs. On a UNIX system the MTA's "sendmail" interface assumes that recieved data will use UNIX line endings and will turn any \n to \r\n, so you must supply only \n to mail() on a UNIX system to avoid the MTA hypercorrecting to \r\r\n.
If you use plain old \n on a Windows system, some MTAs will get a little upset. qmail in particular will refuse outright to accept any message that has a lonely \n without an accompanying \r.
admin at chatfamy dot com
30-Jan-2007 12:37
30-Jan-2007 12:37
One thing it can be difficult to control with this function is the envelope "from" address. The envelope "from" address is distinct from the address that appears in the "From:" header of the email. It is what sendmail uses in its "MAIL FROM/RCPT TO" exchange with the receiving mail server. It also typically shows up in the "Return-Path:" header, but this need not be the case. The whole reason it is called an "envelope" address is that appears _outside_ of the message header and body, in the raw SMTP exchange between mail servers.
The default envelope "from" address on unix depends on what sendmail implementation you are using. But typically it will be set to the username of the running process followed by "@" and the hostname of the machine. In a typical configuration this will look something like apache@box17.isp.net.
If your emails are being rejected by receiving mail servers, or if you need to change what address bounce emails are sent to, you can change the envelope "from" address to solve your problems.
To change the envelope "from" address on unix, you specify an "-r" option to your sendmail binary. You can do this globally in php.ini by adding the "-r" option to the "sendmail_path" command line. You can also do it programmatically from within PHP by passing "-r address@domain.com" as the "additional_parameters" argument to the mail() function (the 5th argument). If you specify an address both places, the sendmail binary will be called with two "-r" options, which may have undefined behavior depending on your sendmail implementation. With the Postfix MTA, later "-r" options silently override earlier options, making it possible to set a global default and still get sensible behavior when you try to override it locally.
On Windows, the the situation is a lot simpler. The envelope "from" address there is just the value of "sendmail_from" in the php.ini file. You can override it locally with ini_set().
tdaniel at univ dot haifa dot ac dot il
26-Oct-2006 04:17
26-Oct-2006 04:17
I had trouble getting multiple emails sent for Outlook accounts (a single PHP page performed 2 mail() calls).
The PHP mail() function works correctly, but the same mails that were recieved on a private POP3 server were randomly missing by our intranet Outlook exchange server.
If you have the same problem, try to verify that the "Message-ID: " is unique at the $headers string. i.e.
<?php
$headers = [...] .
"Message-ID: <". time() .rand(1,1000). "@".$_SERVER['SERVER_NAME'].">". "\r\n" [...];
?>
(rand() is used only for demonstration purposes. a better way is to use an index variable that increments (i++) after each mail)
I noticed that when multiple messeges were sent simultaneously, the message-id was the same (probably there was no miliseconds differential). My guess is that Outlook is collating messages with the same message-ID; a thing that causes only one email to pass to the Outlook inbox instead of a few.
i5513
27-Sep-2006 01:30
27-Sep-2006 01:30
[EDITOR's NOTE: Following based off of a note originally by marcelo dot maraboli at usm dot cl which has been removed.]
I had a trouble with marcelo' function, I had to add "$val == 63" condition into "if" sentence for '?' character
# From marcelo post:
function encode_iso88591($string)
{
$text = '=?iso-8859-1?q?';
for( $i = 0 ; $i < strlen($string) ; $i++ )
{
$val = ord($string[$i]);
if($val > 127 or $val == 63)
{
$val = dechex($val);
$text .= '='.$val;
}
else
{
$text .= $string[$i];
}
}
$text .= '?=';
return $text;
}
and later use:
// create email
$msg = wordwrap($msg, 70);
$to = "destination@company.com";
$subject = encode_iso88591("hoydía caminé !!");
$headers = "MIME-Versin: 1.0\r\n" .
"Content-type: text/plain; charset=ISO-8859-1; format=flowed\r\n" .
"Content-Transfer-Encoding: 8bit\r\n" .
"From: $from\r\n" .
"X-Mailer: PHP" . phpversion();
mail($to, $subject, $msg, $headers);
johniskew2
19-Sep-2006 09:28
19-Sep-2006 09:28
An important rule of thumb, because it seems few really follow it and it can alleviate so many headaches: When filtering your email headers for injection characters use a regular expression to judge whether the user's input is valid. For example to see if the user entered a valid e-mail address use something like [a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}. Dont try to filter out bad characters (like searching for LF or CR), because you will ALWAYS miss something. You can be sure your application is more secure going this route....provided the regular expression is valid! This same point goes for any sort of form input not just for sending out emails.
thomas at p-devion dot de
23-Aug-2006 10:46
23-Aug-2006 10:46
Change the function addattachment for multipartmail to auto detect the mime_content_type ...
function addattachment($file){
$fname = substr(strrchr($file, "/"), 1);
$data = file_get_contents($file);
$i = count($this->parts);
$content_id = "part$i." . sprintf("%09d", crc32($fname)) . strrchr($this->to_address, "@");
$this->parts[$i] = "Content-Type: ".mime_content_type($file)."; name=\"$fname\"\r\n" .
"Content-Transfer-Encoding: base64\r\n" .
"Content-ID: <$content_id>\r\n" .
"Content-Disposition: inline;\n" .
" filename=\"$fname\"\r\n" .
"\n" .
chunk_split( base64_encode($data), 68, "\n");
return $content_id;
}
panoramical at gmail dot com
27-Jul-2006 04:19
27-Jul-2006 04:19
Searched for ages on the internet trying to find something that parses EML files and then sends them...for all of you who want to send an EML files you first have to upload it, read it, then delete it. Here's my function...it's specialised for a single form where the user uploads the EML file.
<?php
if(isset($_POST['submit']))
{
// Reads in a file (eml) a user has inputted
function eml_read_in()
{
$file_ext = stristr($_FILES['upload']['name'], '.');
// If it is an eml file
if($file_ext == '.eml')
{
// Define vars
$dir = 'eml/';
$file = $dir.basename($_FILES['upload']['name']);
$carry = 'yes';
// Try and upload the file
if(move_uploaded_file($_FILES['upload']['tmp_name'], $file))
{
// Now attempt to read the file
if($eml_file = file($file))
{
// Create the array to store preliminary headers
$headers = array();
$body = '';
$ii = -1;
// For every line, carry out this loop
foreach($eml_file as $key => $value)
{
$pattern = '^<html>';
if(((eregi($pattern, $value)))||($carry == 'no'))
{
// Stop putting data into the $headers array
$carry = 'no';
$i++;
$body .= $value;
}
else
{
// Separate each one with a colon
if(($eml_file_expl = explode(':', $value))&&($carry == 'yes'))
{
// The row has been split in half at least...
if(isset($eml_file_expl[1]))
{
// Put it into the preliminary headers
$headers[$eml_file_expl[0]] = $eml_file_expl[1];
// There might be more semicolons in it...
for($i=2;$i<=$count;$i++)
{
// Add the other values to the header
$headers[$eml_file_expl[0]] .= ':'.$eml_file_expl[$i];
}
}
}
}
}
// Clear up the headers array
$eml_values = array();
$eml_values[to] = $headers[To];
$eml_values[from] = $headers[From];
$eml_values[subject] = $headers[Subject];
$eml_values['reply-to'] = $headers['Reply-To'];
$eml_values['content-type'] = $headers['Content-Type'];
$eml_values[body] = $body;
unlink($file);
return $eml_values;
}
}
else
{
return '<p>File not uploaded - there was an error</p>';
}
}
}
// Takes information automatically from the $_FILES array...
$eml_pattern = eml_read_in()
// Headers definable...through eml_read_in() again, but I'm guessing they'll be the same for each doc...
if(mail($eml_pattern[to], $eml_pattern[subject], $eml_pattern[content], $headers)) echo 'Mail Sent';
?>
24-Jul-2006 08:55
correction for class multipartmail
<?php
function addmessage($msg = "", $ctype = "text/plain"){
$this->parts[0] ....
?>
if you are adding attachment first and then addmessage you can easy overwrite added attachment - better use
<?php
function addmessage($msg = "", $ctype = "text/plain"){
$this->parts[count($this->parts)] ....
?>
sander at cartel dot nl
20-Jul-2006 03:26
20-Jul-2006 03:26
I found out that a ms server (ESMTP MAIL Service, Version: 5.0.2195.6713) also had the problem using CRLF in the headers:
If messages are not received, try using a LF (\n) only. Some poor quality Unix mail transfer agents replace LF by CRLF automatically (which leads to doubling CR if CRLF is used). This should be a last resort, as it does not comply with RFC 2822.
The suggested fix works.
Sander
rsjaffe at gmail dot com
21-May-2006 02:10
21-May-2006 02:10
Here's my way of detecting an attempt to hijack my mail form.
<?php #requires PHP 5 or greater
$request = array_map('trim',($_SERVER['REQUEST_METHOD'] == "POST") ? $_POST : $_GET) ;
//check for spam injection
$allfields = implode('',$request) ;
$nontext = $request ;
unset($nontext['message'] );
$nontextfields = implode ('',$nontext) ;
if ((strpos ($nontextfields,"\\r")!==false) ||
(strpos ($nontextfields,"\\n")!==false) ||
(stripos ($allfields,"Content-Transfer-Encoding")!==false) ||
(stripos ($allfields,"MIME-Version")!==false) ||
(stripos ($allfields,"Content-Type")!==false) ||
($request['checkfield']!=$check) ||
(empty($_SERVER['HTTP_USER_AGENT']))) die('Incorrect request') ; //stop spammers ?>
First, I put the data into an array $request, then set up two strings: $allfields, which is just all fields concatenated, then $nontext, which excludes those fields in which \r\n is allowed (e.g., the message body). Any form field in which \r\n is allowed should be unset in the $nontext array before the second implode function (my message field is called 'message', so I unset that). I also include a hidden field in the form with a preset value ('checkfield', $check), so I can see if something is trying to alter all fields.
This is a combination of a lot of things mentioned in the messages below...
steve at stevewinnington dot co dot uk
13-Mar-2006 08:24
13-Mar-2006 08:24
To all you guys out there having problems with mail scripts throwing back this (and you know your scripts are right!!)...
Warning: mail() [function.mail]: "sendmail_from" not set in php.ini or custom "From:" header missing in:
I had started seeing this after moving some scripts from 4.3 servers to 5.
a dirty get around is using
ini_set ("sendmail_from","a.body@acompany.com");
to force the From header.
Not ideal but it works.
;)
Nimlhug
11-Mar-2006 10:41
11-Mar-2006 10:41
As noted in other, well, notes; the "additional headers" parameter can be easily exploited, when doing things like:
<?php
mail( $_POST['to'], $_POST['subject'], $_POST['message'], 'Reply-to: '.$_POST['from']."\r\n" );
?>
An easy way of fixing this, is removing CRLFs from the header-strings, like so:
<?php
$_POST['from'] = str_replace( "\r\n", '', $_POST['from'] );
?>
This way, the extra data will be part of the previous header.
junaid at techni-serve dot com
07-Mar-2006 09:49
07-Mar-2006 09:49
Note: on class "multipartmail". Modify the function buildmessage with the following and it will work great.
function buildmessage(){
$this->message = "This is a multipart message in mime format.\n";
$cnt = count($this->parts);
for($i=0; $i<$cnt; $i++){
$this->message .= "--" . $this->boundary . "\n" .$this->parts[$i];
}
$this->message .= "--" . $this->boundary . "-- \n";
}
Thank for all the help.
Mailer
05-Mar-2006 05:13
05-Mar-2006 05:13
if you don't have access to the mail function or got a own smtp server you can use this class to send mails.
https://sourceforge.net/projects/p3mailer/
leonard_orb at future-data dot de
14-Feb-2006 01:51
14-Feb-2006 01:51
Warning: It should be stated clearly that "additional_headers" (the 4th parameter)
will not only allow you to add customized mail headers.
If there is an empty line in it the mail headers will be terminated and
the mail body will start exactly at this point.
mail ("foo@bar.example", "Test", "Hi dude",
"Bcc: someone_else@bar.example\r\n\r\nBuy V1a*ra now\r\n");
will send a mail to <foo@bar.example> and <someone_else@bar.example>
and advertise pills.
It will give spammers the chance to abuse your webserver as a spam server if you e.g.
happen not to check the values your form receives from the client and paste it
directly into "additional_headers".
linas.galvanauskas {eta} ntt . lt
13-Feb-2006 01:27
13-Feb-2006 01:27
Hi,
I'm using phpmailer from http://phpmailer.sourceforge.net/
and I have no problems.
Good luck
Hossein
25-Jan-2006 09:46
25-Jan-2006 09:46
Hello firends,
Good article about email:
http://www.sitepoint.com/article/advanced-email-php
With regards,Hossein
php at nioubi dot com
15-Nov-2005 03:43
15-Nov-2005 03:43
For me, WinXP, EasyPHP 1.8.0.1, sending a mail with the headers lines separated by : \r\n
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
When I put the script online, and call it in order to send mail,
the html is displayed in the mail client (tested Outlook Express and Thunderbird) when you want to read the message sent by php. Some of the headers are considered like text (but it works when sent from local).
Solution : not use \r\n but only \n.
doom_blaster at hotmail dot com
12-Oct-2005 06:47
12-Oct-2005 06:47
OK you gave good exemples but none look good with Lotus Notes 6.X. I found some exelent code compatible with Notes and others, the detailed solution is here :http://archivist.incutio.com/viewlist/css-discuss/37970
I have cleaned Rowan's text, this is my working code :
$boundary = md5(uniqid(time()));
$headers = 'From: ' . $from . "\n";
$headers .= 'To: ' . $to . "\n";
$headers .= 'Return-Path: ' . $from . "\n";
$headers .= 'MIME-Version: 1.0' ."\n";
$headers .= 'Content-Type: multipart/alternative; boundary="' . $boundary . '"' . "\n\n";
$headers .= $body_simple . "\n";
$headers .= '--' . $boundary . "\n";
$headers .= 'Content-Type: text/plain; charset=ISO-8859-1' ."\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\n";
$headers .= $body_plain . "\n";
$headers .= '--' . $boundary . "\n";
$headers .= 'Content-Type: text/HTML; charset=ISO-8859-1' ."\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\n";
$headers .= $body_html . "\n";
$headers .= '--' . $boundary . "--\n";
$mailOk=mail('', $subject,'', $headers);
(Tested from Linux PHP4 to STMP Lotus Notes and Notes Client 6.5.1 & 5.? , it works with hotmail too, I didn't test other client)
by DitLePorc
GwarDrazul
15-Sep-2005 04:01
15-Sep-2005 04:01
The article mentioned below is quite good to understand the problem of header injection. However, it suggests the following as a solution: look for "\n" and "\r" inside your user input fields (especially in those used for the $header param) and, if found reject the mail.
Allthough this will probably work I still believe it is better to have a "white list" of allowed characters instead of a "black list" with forbidden characters.
Example:
If you want a user to enter his name, then allow characters only!
If you want a user to enter his email adress, then check if the entry is a valid email adress.
Doing so might automatically solve problems which you didn't think of when you created the "black list". For SMTP headers colons are needed. If you check for a valid email adress the hacker won't be able to enter colons inside that form field.
I suggest using regular expressions for those checks.
For more information about regular expressions see:
http://www.regular-expressions.info/
Alan Hogan +PHP at pixels and pages ,com
03-Sep-2005 10:46
03-Sep-2005 10:46
Header injection is a very real, common threat in which an attacker uses your mail form to send mail to whomever he chooses! I've been hit, myself, and on a website with relatively little traffic! Read more about it here:
http://securephp.damonkohler.com/index.php/Email_Injection
jfonseca at matarese dot com
25-Jul-2005 05:33
25-Jul-2005 05:33
This is NOT PHP-specific but worth mentioning on the mail() page.
Watch out for sendmail command injection on your pages which call the mail() function.
How it works: the attacker will inject SMTP into your form unless you make it real clear where the header ends. Most people simply don't add a header or a \r\n\r\n sequence to their mail header forms.
Example : a new BCC: field can be injected so that your form can be used to deliver mail to any valid address the attacker chooses.
Since the httpd server host is a trusted host your MX will probably relay without asking any questions.
Be careful with any function that accepts user input.
Hope this helps.
a dot hari at softprosys dot com
25-Jul-2005 10:47
25-Jul-2005 10:47
Guido, the same you can do like this.
while ($emailadresses = mysql_fetch_array($query, MYSQL_ASSOC)) {
foreach ($emailadresses as $oneMailadres) {
$recepientsArr[] = "$oneMailadres"; //build up the recepients array
}
}
/* THIS IS NOT REQUIRED
// this is the tricky part: mail() will not sent to all the emailadresses, if you let your string end with ', ', so I used substr() to remove the last two characters from the string (comma and space).
$recepients = substr($recepients, 0, -2);
*/
//Instead...do this.
$recepients = implode(",", $recepientsArr[]);
//actual sending
mail($recepients, $subject, $mailbody, "From: $senderAddress");
gregBOGUS at BOGUSlorriman dot com
21-Jun-2005 03:02
21-Jun-2005 03:02
In the posting "gregBOGUS at BOGUSlorriman dot com 6th april 2005" I claimed that redirecting an email, via the mail() function, to a different email address was as simple as copying over the unmodified headers of the originally recieved email (which would, of course, include the original "To:" field).
However it seems that this works for a Xampp install (http://www.apachefriends.org/en/xampp.html) with Mercury as the mail agent, but doesn't work on my webhost without first removing the old "To:" field, and perhaps other header modifications. Therefore it looks like it would be safest to strip any header lines that shouldn't be there. <sigh>
http://www.lorriman.com