While I am trying to send mail this error occurs.

Warning: mail() [function.mail]: Invalid Address
on line 88

Message sent Error!
// line no. 88 is if(mail($email,$subject,$html,$headers))


PHP
<?php

//require_once "Mail.php";
$email = '';
if(isset($_POST["visitormail"]))
{
    // Recipient address is taken straight from the form field, unvalidated
    $email = $_POST["visitormail"];
}
include('Mail.php');
include('Mail/mime.php');
if(($_POST["visitor"] == "") || ($_POST["visitormail"] == ""))
{
    if($_POST["visitor"] == "")   // name field empty ("Please fill in your name")
    {
        echo "Vennligst fyll du navnet <br>";
    }
    if($_POST["visitormail"] == "")   // e-mail field empty ("Fill in the friend's e-mail")
    {
        echo "Fyll venns epost  <br>";
    }?>
    <a href="mail123.php" style="color:black;">Tilbake</a>
<?php }
else
{
    $text = 'From pritamsp';
    $sitename = '';
    if(isset($_SERVER["REQUEST_URI"]))
    {
        $sitename = str_replace("/sendeail.php","",$_SERVER["REQUEST_URI"]);
    }

    // Also unvalidated form input, placed into the HTML body of the message
    $purl = $_POST['httpref'];
    $subject ='From pritamsp';

    $html = '<html><body>'.$_POST["notes"]."<br>"."<a href='".$purl."'>".$purl.'</a></body></html>';

    $from='pangarkarpritam777@hotmail.com';
    $headers = "From: ppppppppp <" . $from. ">\r\n";
    $headers .= "Reply-To: ". $from . "\r\n";
    //$headers .= "CC: sun123@example.com\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
    // Line 88 of the original file: mail() warns "Invalid Address" when $email is not a valid address
    if(mail($email,$subject,$html,$headers))
    {
        echo("<p>Message successfully sent!</p>");
    } else {
        echo("<p>Message sent Error!</p>");
    }
}
?>
Updated 4-Dec-21 23:51pm
Comments
Sergey Alexandrovich Kryukov 8-Feb-12 3:03am    
Great! I hope you did not deploy it anywhere. Because I'm going to save your... well, your skin from a pretty big disaster you are inviting. :-)

Please see my answer.
--SA

1 solution

There are two problems here.

You get your "To" header from $_POST["visitormail"], which is the e-mail address typed by your visitor in the form and processed by your PHP code without any validation.

First, how do you know that was a valid and existing address? If this address is wrong, no wonder you have that error.

There is a more important and dangerous thing. Your approach (I mean the lack of proper validation and filtering) is way too dangerous.

Attention! A big security flaw is explained here!

I will explain schematically what some people do to find an exploit for their malicious activity.

Imagine you have in your input:
test
myInnocentEmailAccount@MyPerfectlyLegalDomain.com
[new line]
BCC: [a million addresses to spam]

This is the way to inject a BCC header line. Trivial, isn't it? You would not even see how your host is turned into a zombie sending spam, or something like that.

You can tell that you provide only one input line using a text box (an input element with the type text), so entering new line characters is not possible.

OK, great, your form knows about it, but HTML "post" method does not know about your form. :-)
Are you getting it?

Of course, this is not possible with manual operation of the form. But programmatically, I would fake your form in a few minutes and implement the hack I explained before. If you use AJAX, I would fake your AJAX as well. I actually did something like that to test my own Web site and some of our company's Web sites for security holes. It was easy. Each and every action performed on the client side can be more or less easily faked.

So, you should do a simple thing: inspect all the headers for any deviation from the expected pattern. You should also check the referrer of the post and do some other relevant checks. Internally, report the attempts of any suspected malicious activity.

Investigate such cases. I did that and caught such attempts from time to time. This is the ugly fact of our life.

—SA
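As an added example (not code from the question or the answer above), here is the check the answer recommends applied to the form's recipient field, in PHP: reject any value containing a line break before it can become a second header line, then require a well-formed address. The function names and the sample inputs are my own.

```php
<?php
// Returns the address when it is a single well-formed e-mail address with no
// line breaks, otherwise null. Same idea applies to Subject or any other
// header built from form input.
function safe_recipient(string $input): ?string
{
    $address = trim($input);
    // A CR, LF or NUL in a header value is what lets "Bcc:" (or any other
    // header) be appended by the sender of the POST, so refuse it outright.
    if (preg_match('/[\r\n\x00]/', $address)) {
        return null;
    }
    // Rejects missing domain, spaces, multiple addresses and similar junk.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $address;
}

// Constructed inputs: the second one is the injection the answer describes,
// a valid address followed by a new line and a Bcc header.
$inputs = [
    "myInnocentEmailAccount@MyPerfectlyLegalDomain.com",
    "myInnocentEmailAccount@MyPerfectlyLegalDomain.com\r\nBcc: a@example.com, b@example.com",
    "not an address",
];

foreach ($inputs as $raw) {
    $to = safe_recipient($raw);
    if ($to === null) {
        // In the real handler: do not call mail(), log the attempt (with the
        // client address from $_SERVER['REMOTE_ADDR']) so it can be investigated.
        error_log('Rejected recipient from form: ' . addcslashes($raw, "\0\r\n"));
        echo "rejected\n";
        continue;
    }
    echo "would send to $to\n";
}
```

Only the first input passes; the injected Bcc line and the malformed address are both refused before mail() is reached.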
Comments
CRDave1988 8-Feb-12 3:22am    
5
Sergey Alexandrovich Kryukov 8-Feb-12 3:29am    
Thank you.
--SA
Espen Harlinn 8-Feb-12 9:16am    
5'ed!
Sergey Alexandrovich Kryukov 8-Feb-12 10:18am    
Thank you, Espen.
--SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)