ajoo Posted June 11, 2016

Hi all! I used the following script to send a test mail, which works fine.

<?php
require_once('PHPMailer-master/class.phpmailer.php');
require_once('PHPMailer-master/PHPMailerAutoload.php');

define('USER', '[email protected]'); // GMail username
define('PWD', 'myPassword');         // GMail password

$to        = '[email protected]';
$from      = '[email protected]';
$from_name = 'Ajoo';
$subject   = 'Test Message';
$body      = 'This is PHP Mailer in Action';

smtpmailer($to, $from, $from_name, $subject, $body);

function smtpmailer($to, $from, $from_name, $subject, $body)
{
    global $error;
    $mail = new PHPMailer();     // create a new object
    $mail->IsSMTP();             // enable SMTP
    $mail->SMTPDebug = 0;        // debugging: 0 = off, 1 = client messages, 2 = client and server messages
    $mail->SMTPAuth = true;      // authentication enabled
    $mail->SMTPSecure = 'ssl';   // secure transfer enabled, REQUIRED for GMail
    $mail->Host = 'smtp.gmail.com';
    $mail->Port = 465;
    $mail->Username = USER;
    $mail->Password = PWD;
    $mail->SetFrom($from, $from_name);
    $mail->Subject = $subject;
    $mail->Body = $body;
    $mail->AddAddress($to);
    if (!$mail->Send()) {
        $error = 'Mail error: ' . $mail->ErrorInfo;
        echo 'Mail error';
        return false;
    } else {
        echo 'Message Sent';
        $error = 'Message sent!';
        return true;
    }
}
?>

I just want to know if this is secure enough. It was pointed out in a previous mail that the PHP mail() function was not secure by itself and the variables were vulnerable to various mail injections. So is this safe now just by virtue of the fact that it's using a library and that takes care of the security? Or do we need to take some precautions here too. Thanks all!
Jacques1 Posted June 11, 2016 (marked as Solution)

PHPMailer validates the provided e-mail addresses, so they cannot be used to inject headers. However, a library doesn't magically prevent all possible vulnerabilities. For example, in your above code you print mail errors directly on the screen, which can leak critical information about your server. Another common problem is to insert raw input into an HTML mail, which can lead to cross-site scripting vulnerabilities. So writing secure code is still your responsibility as a programmer. A library can only take care of specific problems.
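The two points above (error leakage and raw input in HTML mail) applied to the poster's script, as an added example that is not from the thread or from the PHPMailer project. It assumes the PHPMailer 5.2 camelCase API with exception mode and the same USER/PWD constants and directory layout as the original post:

```php
<?php
// Added example: a hardened variant of the poster's smtpmailer().
// Assumes PHPMailer 5.2.x under PHPMailer-master/ as in the original post.
require_once 'PHPMailer-master/PHPMailerAutoload.php';

define('USER', '[email protected]'); // placeholder, as in the original post
define('PWD', 'myPassword');         // placeholder, as in the original post

function send_notification($to, $from, $from_name, $subject, $plain_body)
{
    // 1. Reject malformed addresses before the library sees them, so callers
    //    get a generic failure instead of an SMTP-level error message.
    foreach (array($to, $from) as $addr) {
        if (!PHPMailer::validateAddress($addr)) {
            return false;
        }
    }

    $mail = new PHPMailer(true);       // true: throw exceptions instead of returning false
    try {
        $mail->isSMTP();
        $mail->SMTPAuth   = true;
        $mail->SMTPSecure = 'ssl';
        $mail->Host       = 'smtp.gmail.com';
        $mail->Port       = 465;
        $mail->Username   = USER;
        $mail->Password   = PWD;
        $mail->setFrom($from, $from_name);
        $mail->addAddress($to);
        $mail->Subject = $subject;

        // 2. User-supplied text goes into the HTML body only after escaping;
        //    a <script> in $plain_body is rendered as literal text, not executed.
        $safe = htmlspecialchars($plain_body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $mail->msgHTML('<p>' . nl2br($safe) . '</p>');
        $mail->AltBody = $plain_body;  // plain-text alternative, nothing is interpreted

        $mail->send();
        return true;
    } catch (phpmailerException $e) {
        // 3. Host names, auth failures and SMTP responses stay in the server log;
        //    the browser only ever learns that sending failed.
        error_log('mail failure: ' . $e->getMessage());
        return false;
    }
}
```

The caller decides what to show the user from the boolean alone; nothing from `ErrorInfo` or the exception text is echoed.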
ajoo Posted June 12, 2016 (Author)

Hi Guru Jacques, thank you for the response and sorry for the delayed reply. The echo in the code was only for testing the loop traversed, but I get the point. Thanks and will come back for more!
ajoo Posted June 12, 2016 (Author, edited)

Hi Guru Jacques, I think I have asked this before, but since I could not find your reply, I'll ask it once again. For escaping HTML output you suggested a great function html_escape(), that I can use to sanitize all strings. The question is how to validate a numeric output. For example, if there is a form field which expects numeric input then we need to check that the input is indeed numeric. Would using the is_numeric() function be sufficient for this purpose? Anything else that we would need to take care of? Thanks!

Edited June 12, 2016 by ajoo
Jacques1 Posted June 12, 2016

is_numeric() accepts a lot of technical formats which most users don't understand and probably find confusing, like “-.4e+1”, “0xaf” and “0b1”. It also behaves differently depending on the PHP version, which is another problem. What exactly do you mean by “numeric”? That it only contains decimal digits? Then you should use ctype_digit(). Also make sure to use an input of type number so that the user input is immediately validated by the browser.
ajoo Posted June 13, 2016 (Author)

Jacques1 wrote: "What exactly do you mean by “numeric”? That it only contains decimal digits? Then you should use ctype_digit(). Also make sure to use an input of type number so that the user input is immediately validated by the browser."

By numeric I mean the integer and float values. Values stored in a DB, auto increment values etc. I think, I am almost sure, that I have used the number value for all the number inputs, but I'll recheck that. What about filter_validate_number? Is that a good option too? Thanks!
Jacques1 Posted June 13, 2016

The general problem of the filters is that they depend on the technical limitations of the PHP data types. For example: on a 32 bit system, FILTER_VALIDATE_INT is limited to the range −2,147,483,648 … +2,147,483,647. Unfortunately, that's not enough for a MySQL BIGINT, which is 64 bit wide and can store much larger and smaller numbers. So once you're dealing with bigger numbers, the filters may stop working and give you nonsense results (which is very hard to debug if you don't know where to look). There's no such problem with ctype_digit(), because it simply checks the input character by character. FILTER_VALIDATE_FLOAT has similar problems. It also supports formats which aren't normally understood by users like “.1e-2” (which is the scientific notation of 0.001). If you're OK with those limitations and quirks, feel free to use the filters. Otherwise ctype_digit() or a regular expression are probably better choices. I'm sure there are also validation libraries which implement this already.
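The range argument above made concrete, as an added example that is not from the thread: a ctype_digit()-based check that covers the full MySQL BIGINT UNSIGNED range by comparing digit strings rather than PHP integers, plus a regular expression for plain decimals. The function names, the two-fraction-digit default and the sample inputs are constructed for the example:

```php
<?php
// Added example: numeric validation that does not depend on PHP's integer width.

// Accept only an unsigned decimal integer within MySQL BIGINT UNSIGNED
// (0 .. 18446744073709551615). The comparison is done on the digit string,
// so the result is identical on 32-bit and 64-bit PHP.
function valid_unsigned_bigint($input)
{
    if (!is_string($input) || !ctype_digit($input)) {
        return false;                  // empty, signs, spaces, hex, exponents all rejected
    }
    $input = ltrim($input, '0') ?: '0'; // drop leading zeros before the length comparison
    $max = '18446744073709551615';
    if (strlen($input) !== strlen($max)) {
        return strlen($input) < strlen($max);
    }
    return strcmp($input, $max) <= 0;   // equal length: lexicographic order == numeric order
}

// Accept a plain decimal such as "12.50" or "-3"; scientific notation, hex,
// leading "+" and surrounding whitespace are rejected. Returns the input
// unchanged on success so the caller can bind it as a string, or false.
function valid_plain_decimal($input, $max_fraction_digits = 2)
{
    if (!is_string($input)) {
        return false;
    }
    $pattern = '/^-?(0|[1-9]\d*)(\.\d{1,' . (int) $max_fraction_digits . '})?$/';
    return preg_match($pattern, $input) === 1 ? $input : false;
}

// Constructed sample inputs showing where FILTER_VALIDATE_INT and the
// string-based checks disagree: the BIGINT UNSIGNED maximum is rejected by
// the filter on 64-bit PHP (and anything above 2147483647 is on 32-bit PHP).
$samples = array('42', '18446744073709551615', '18446744073709551616',
                 '0xaf', '-.4e+1', '1e3', '12.50', ' 7');
foreach ($samples as $s) {
    printf("%-22s filter_int=%-5s bigint=%-5s decimal=%s\n",
        var_export($s, true),
        filter_var($s, FILTER_VALIDATE_INT) === false ? 'false' : 'ok',
        valid_unsigned_bigint($s) ? 'ok' : 'false',
        valid_plain_decimal($s) === false ? 'false' : 'ok');
}
```

Because the validated value is kept as a string, it can be passed straight into a prepared statement without ever being converted to a PHP integer or float.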
ajoo Posted June 13, 2016 (Author)

Thank you Guru Jacques. Happy to take your advice always!