phpmailer


ajoo
Solved by Jacques1

Hi all !

 

I used the following script to send a test mail which works fine.

<?php
// PHPMailer 5.x layout: the autoloader registers the class, so the direct
// require of class.phpmailer.php is redundant but harmless.
require_once('PHPMailer-master/class.phpmailer.php');
require_once('PHPMailer-master/PHPMailerAutoload.php');
define('USER', 'mymail@gmail.com'); // GMail username
define('PWD', 'myPassword'); // GMail password

$to = 'mee@gmail.com';
$from = 'mymail@gmail.com';
$from_name = 'Ajoo';
$subject = 'Test Message';
$body = 'This is PHP Mailer in Action';

smtpmailer($to, $from, $from_name, $subject, $body);

function smtpmailer($to, $from, $from_name, $subject, $body) {
	global $error;
	$mail = new PHPMailer();  // create a new object
	$mail->IsSMTP(); // enable SMTP
	$mail->SMTPDebug = 0;  // 0 = off, 1 = client messages, 2 = client and server messages
	$mail->SMTPAuth = true;  // authentication enabled
	$mail->SMTPSecure = 'ssl'; // implicit TLS on port 465, required for GMail
	$mail->Host = 'smtp.gmail.com';
	$mail->Port = 465;
	$mail->Username = USER;
	$mail->Password = PWD;
	$mail->SetFrom($from, $from_name);
	$mail->Subject = $subject;
	$mail->Body = $body;
	$mail->AddAddress($to);
	if(!$mail->Send()) {
		$error = 'Mail error: '.$mail->ErrorInfo;
		echo 'Mail error';
		return false;
	} else {
		echo 'Message Sent';
		$error = 'Message sent!';
		return true;
	}
}

I just want to know if this is secure enough. It was pointed out in a previous mail that the PHP mail() function was not secure by itself and the variables were vulnerable to various mail injections.

So is this safe now just by virtue of the fact that it's using a library and that takes care of the security? Or do we need to take some precautions here too.

 

Thanks all !

 


  • Solution

PHPMailer validates the provided e-mail addresses, so they cannot be used to inject headers.

 

However, a library doesn't magically prevent all possible vulnerabilities. For example, in your above code you print mail errors directly on the screen, which can leak critical information about your server. Another common problem is to insert raw input into an HTML mail, which can lead to cross-site scripting vulnerabilities.

 

So writing secure code is still your responsibility as a programmer. A library can only take care of specific problems.

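To make the points in the accepted answer concrete, here is a hardened version of the poster's smtpmailer() written for this page. It is an added example, not code from the original post or from the PHPMailer project. It assumes the same PHPMailer 5.x layout (PHPMailer-master/PHPMailerAutoload.php next to the script, the phpmailerException class from class.phpmailer.php), the Gmail settings from the post, and that the SMTP credentials are supplied through the environment variables SMTP_USER and SMTP_PASS; the sample form input at the bottom is constructed.

```php
<?php
// Added example (not from the original post or from PHPMailer): a hardened
// smtpmailer() for the PHPMailer 5.x layout used in the thread.
require_once 'PHPMailer-master/PHPMailerAutoload.php';

/**
 * Send a message whose body is built from untrusted user input.
 * Returns true on success; failure details go to the error log, never to the browser.
 */
function smtpmailer_hardened($to, $from, $from_name, $subject, $user_text)
{
    // 1. Validate addresses before touching the mailer. PHPMailer validates them
    //    internally too, but failing early gives one clean error path.
    if (!PHPMailer::validateAddress($to) || !PHPMailer::validateAddress($from)) {
        error_log('smtpmailer: rejected invalid address');
        return false;
    }

    // 2. Header values must be single-line. PHPMailer strips CR/LF from headers
    //    itself; doing it here as well keeps this function safe on its own.
    $subject   = str_replace(array("\r", "\n"), ' ', $subject);
    $from_name = str_replace(array("\r", "\n"), ' ', $from_name);

    // 3. Escape user text before placing it into an HTML body (otherwise XSS in
    //    the recipient's mail client), and send a plain-text alternative built
    //    from the raw text, which needs no HTML escaping.
    $safe_text = htmlspecialchars($user_text, ENT_QUOTES, 'UTF-8');
    $html_body = '<p>' . nl2br($safe_text) . '</p>';

    $mail = new PHPMailer(true);              // true = throw exceptions instead of returning false
    try {
        $mail->isSMTP();
        $mail->SMTPDebug  = 0;                // debug output must never reach an HTTP response
        $mail->SMTPAuth   = true;
        $mail->SMTPSecure = 'ssl';            // implicit TLS on port 465 (settings from the post)
        $mail->Host       = 'smtp.gmail.com';
        $mail->Port       = 465;
        $mail->Username   = getenv('SMTP_USER');   // assumed env vars: keeps secrets out of the source
        $mail->Password   = getenv('SMTP_PASS');
        $mail->CharSet    = 'UTF-8';

        $mail->setFrom($from, $from_name);
        $mail->addAddress($to);
        $mail->Subject = $subject;
        $mail->isHTML(true);
        $mail->Body    = $html_body;
        $mail->AltBody = $user_text;

        $mail->send();
        return true;
    } catch (phpmailerException $e) {
        // 4. Log the detail server-side; the user only ever sees a generic message.
        error_log('smtpmailer: ' . $e->getMessage());
        return false;
    }
}

// Constructed sample input: what a contact form might submit, including one
// header-injection attempt and one XSS attempt.
$ok = smtpmailer_hardened(
    'mee@gmail.com',
    'mymail@gmail.com',
    'Ajoo',
    "Test Message\r\nBcc: someone-else@example.com",   // CR/LF removed in step 2
    '<script>alert(1)</script> hello & goodbye'       // escaped in step 3
);
echo $ok ? 'Message sent' : 'Mail could not be sent';
```

The two behavioural differences from the original function are that PHPMailer's own error text is written to the server log instead of being exposed to the visitor, and that user text only enters the HTML body after htmlspecialchars(); everything else (address validation, header encoding) is what the library already does, restated here so the function does not silently depend on it.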

Hi Guru Jacques, I think I have asked this before but since I could not find your reply, I'll ask it once again.

 

For escaping HTML output you suggested a great function html_escape(), that I can use to sanitize all strings. The question is how to validate a numeric output. For example if there is a form field which expects numeric input then we need to check that the input is indeed numeric. Would using the is_numeric() function be sufficient for this purpose ? Anything else that we would need to take care of ?

 

Thanks !


is_numeric() accepts a lot of technical formats which most users don't understand and probably find confusing like “-.4e+1”, “0xaf” and “0b1”. It also behaves differently depending on the PHP version, which is another problem.

 

What exactly do you mean by “numeric”? That it only contains decimal digits? Then you should use ctype_digit(). Also make sure to use an input of type number so that the user input is immediately validated by the browser.

Quote from Jacques1:
What exactly do you mean by “numeric”? That it only contains decimal digits? Then you should use ctype_digit(). Also make sure to use an input of type number so that the user input is immediately validated by the browser.

 

By numeric I mean the integer and float values. Values stored in a DB, auto increment values etc. I think, I am almost sure, that I have used the number value for all the number inputs but I'll recheck that. What about filter_validate_number? is that a good option too?

 

Thanks !


The general problem of the filters is that they depend on the technical limitations of the PHP data types. For example: On a 32 bit system, FILTER_VALIDATE_INT is limited to the range −2,147,483,648 … +2,147,483,647. Unfortunately, that's not enough for a MySQL BIGINT which is 64 bit wide and can store much larger and smaller numbers. So once you're dealing with bigger numbers, the filters may stop working and give you nonsense results (which is very hard to debug if you don't know where to look).

 

There's no such problem with ctype_digit(), because it simply checks the input character by character.

 

FILTER_VALIDATE_FLOAT has similar problems. It also supports formats which aren't normally understood by users like “.1e-2” (which is the scientific notation of 0.001).

 

If you're OK with those limitations and quirks, feel free to use the filters. Otherwise ctype_digit() or a regular expression are probably better choices. I'm sure there are also validation libraries which implement this already.

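The following script, added here and not part of the thread, runs the checks discussed in the two replies above (is_numeric() versus ctype_digit(), and the integer-size limit of FILTER_VALIDATE_INT) over a constructed set of inputs, and shows a ctype_digit()-based validator for a MySQL BIGINT UNSIGNED that is not bounded by PHP's integer size. The function names validate_unsigned_bigint() and validate_plain_decimal() are this example's own; the inputs are constructed, and, as the reply notes, what is_numeric() accepts for hex strings differs between PHP 5 and PHP 7+, so that column is version-dependent.

```php
<?php
// Added example (not from the thread): compares PHP's numeric checks on
// constructed inputs and implements a range check that never converts to int.

// Accepts only a non-negative integer that fits MySQL BIGINT UNSIGNED
// (0 .. 18446744073709551615). Works on 32- and 64-bit PHP because the value
// stays a string; the range check compares digit strings by length, then text.
function validate_unsigned_bigint($value)
{
    $s = (string) $value;            // ctype_digit() on an int checks ASCII codes, so cast first
    if ($s === '' || !ctype_digit($s)) {
        return false;
    }
    $s = ltrim($s, '0');             // normalise '0042' -> '42'
    if ($s === '') {
        $s = '0';
    }
    $max = '18446744073709551615';
    return strlen($s) < strlen($max)
        || (strlen($s) === strlen($max) && strcmp($s, $max) <= 0);
}

// Accepts plain decimals such as '12', '-3', '0.001', '12.50' and rejects
// exponent notation ('.1e-2'), hex ('0xaf'), a trailing dot ('1.'),
// leading zeros other than a lone 0, and any whitespace.
function validate_plain_decimal($value)
{
    return (bool) preg_match('/^-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?$/', (string) $value);
}

// Constructed inputs: what a user (or attacker) might type into a "number" field.
$samples = array(
    '42', '0042', '-.4e+1', '0xaf', '0b1', '.1e-2', '1.', '12.50',
    '9223372036854775807',      // signed BIGINT / 64-bit PHP_INT_MAX
    '18446744073709551615',     // BIGINT UNSIGNED max: above PHP_INT_MAX everywhere
    '18446744073709551616',     // one too many
);

printf("%-22s %-10s %-12s %-20s %-7s %-7s\n",
       'input', 'is_numeric', 'ctype_digit', 'FILTER_VALIDATE_INT', 'bigint', 'decimal');
foreach ($samples as $in) {
    $int = filter_var($in, FILTER_VALIDATE_INT);   // false once the value exceeds PHP_INT_MAX
    printf("%-22s %-10s %-12s %-20s %-7s %-7s\n",
           $in,
           is_numeric($in) ? 'yes' : 'no',
           ctype_digit($in) ? 'yes' : 'no',
           $int === false ? 'false' : var_export($int, true),
           validate_unsigned_bigint($in) ? 'yes' : 'no',
           validate_plain_decimal($in) ? 'yes' : 'no');
}
// On 64-bit PHP '9223372036854775807' passes FILTER_VALIDATE_INT while
// '18446744073709551615' fails; on 32-bit PHP both fail. validate_unsigned_bigint()
// accepts both on either build and rejects '18446744073709551616'.
```

The string comparison is the whole point: once a column is wider than PHP's native int, the only checks that keep working are the ones that never leave the string domain, which is why ctype_digit() plus a length-then-strcmp() bound is used instead of a cast.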
