PHP mail()

From DreamHost
Revision as of 05:13, 1 April 2011 by Scjessey (Talk | contribs)


Introduction

This article explains how to use PHP's mail() function to create and send emails. The function can accept a number of parameters:

  1. To (required string)
  2. Subject (required string)
  3. Message (required string) - note that each line should end in a new line control character (\n), and you may wish to use the wordwrap() function to limit the line length to 70 characters.
  4. Additional headers (optional)
    • From
    • CC
    • BCC
    • Other headers
  5. Additional parameters (optional)

Warning

Never use form input (such as names or email addresses) in the "Additional headers" section of the PHP mail() command, as this can lead to mail header injection exploits which allow spammers to hijack your email forms. Please see this link for additional information on how these attacks work and how to prevent them: Email Injection

Basic example

<?php

// compose message
$message = "Lorem ipsum dolor sit amet, consectetuer adipiscing elit.";
$message .= " Nam iaculis pede ac quam. Etiam placerat suscipit nulla.";
$message .= " Maecenas id mauris eget tortor facilisis egestas.";
$message .= " Praesent ac augue sed enim aliquam auctor. Ut dignissim ultricies est.";
$message .= " Pellentesque convallis tempor tortor. Nullam nec purus.";

// make sure each line doesn't exceed 70 characters
$message = wordwrap($message, 70);

// send email
mail('somebody@example.com', 'Nonsensical Latin', $message);
?>

Advanced example

<?php
$to = "somebody@example.com";
$subject = "Nonsensical Latin";

// compose headers
$headers = "From: webmaster@example.com\r\n";
$headers .= "Reply-To: webmaster@example.com\r\n";
$headers .= "X-Mailer: PHP/".phpversion();

// compose message
$message = "Lorem ipsum dolor sit amet, consectetuer adipiscing elit.";
$message .= " Nam iaculis pede ac quam. Etiam placerat suscipit nulla.";
$message .= " Maecenas id mauris eget tortor facilisis egestas.";
$message .= " Praesent ac augue sed enim aliquam auctor. Ut dignissim ultricies est.";
$message .= " Pellentesque convallis tempor tortor. Nullam nec purus.";
$message = wordwrap($message, 70);

// send email
mail($to, $subject, $message, $headers);
?>

Sending HTML mail

<?php

// multiple recipients (note the commas)
$to = "somebody@example.com, ";
$to .= "nobody@example.com, ";
$to .= "somebody_else@example.com";

// subject
$subject = "Nonsensical Latin";

// compose message
$message = "
<html>
  <head>
    <title>Nonsensical Latin</title>
  </head>
  <body>
    <h1>Nonsensical Latin</h1>
    <p>Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
       Nam iaculis pede ac quam. Etiam placerat suscipit nulla.
       Maecenas id mauris eget tortor facilisis egestas.
       Praesent ac augue sed <a href=\"http://lipsum.com/\">enim</a> aliquam auctor.
       Pellentesque convallis tempor tortor. Nullam nec purus.</p>
  </body>
</html>
";

// To send HTML mail, the Content-type header must be set
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";

// send email
mail($to, $subject, $message, $headers);
?>

Mail Header Injection

The following code can be placed at the top of your PHP script to deter the most common header injections. Note that this code disallows direct page access, so only add it to a "process" page that is reached by a form's Submit action. It rejects any injected CC or BCC headers, as well as any new line or carriage return characters injected into the email header.

<?php
if (!isset($_POST['submit'])) {
   echo "<h1>Error</h1>\n
      <p>Accessing this page directly is not allowed.</p>";
   exit;
}

// read the form fields (field names assumed; the original relied on
// register_globals, which is off by default in modern PHP)
$name     = isset($_POST['name'])     ? $_POST['name']     : '';
$email    = isset($_POST['email'])    ? $_POST['email']    : '';
$url      = isset($_POST['url'])      ? $_POST['url']      : '';
$comments = isset($_POST['comments']) ? $_POST['comments'] : '';

// strip carriage returns and line feeds from the address, since either
// would terminate the header line and let an attacker start a new one
$email = preg_replace("/[\r\n]/", "", $email);

// reject any field that tries to smuggle in an extra header
$find = "/(content-type|bcc:|cc:)/i";
if (preg_match($find, $name) || preg_match($find, $email) || preg_match($find, $url) || preg_match($find, $comments)) {
   echo "<h1>Error</h1>\n
      <p>No meta/header injections, please.</p>";
   exit;
}
?>
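As an added example (not from the original article) that ties the Warning above to the filter just shown: a contact-form handler that validates the visitor's address with filter_var() and rejects, rather than silently strips, any CR/LF or header keyword before the value reaches mail(). The form field names and the webmaster@example.com address are assumptions.

```php
<?php
// Added example, not part of the original article. Form field names ('name',
// 'email', 'comments') and the webmaster@example.com address are assumptions.

// Returns the cleaned value, or null if the field looks like a header injection.
function safe_header_value($value)
{
    // A CR or LF in a single-line form field is never legitimate input; reject
    // the submission rather than stripping the characters and carrying on.
    if (preg_match("/[\r\n]/", $value)) {
        return null;
    }
    // Block attempts to smuggle in additional header fields.
    if (preg_match("/(content-type|bcc:|cc:|to:)/i", $value)) {
        return null;
    }
    return trim($value);
}

// Builds the additional-headers string for mail(), or returns null on bad input.
function build_headers($email)
{
    $email = safe_header_value($email);
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // From stays a fixed site address; the visitor's address only goes in Reply-To.
    $headers  = "From: webmaster@example.com\r\n";
    $headers .= "Reply-To: " . $email . "\r\n";
    $headers .= "X-Mailer: PHP/" . phpversion();
    return $headers;
}

if (isset($_POST['submit'])) {
    $headers = build_headers(isset($_POST['email']) ? $_POST['email'] : '');
    $name    = safe_header_value(isset($_POST['name']) ? $_POST['name'] : '');
    if ($headers === null || $name === null) {
        echo "<h1>Error</h1>\n<p>Invalid name or email address.</p>";
        exit;
    }
    // Free-text fields stay in the body, never in the headers.
    $body  = "Name: " . $name . "\n\n";
    $body .= isset($_POST['comments']) ? $_POST['comments'] : '';
    mail('webmaster@example.com', 'Contact form submission', wordwrap($body, 70), $headers);
}
?>
```

Rejecting a field outright gives you a log-worthy signal of an injection attempt, whereas stripping the characters and continuing would deliver the message while hiding that anything was tried.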
