Jump to content

phpmailer


Go to solution Solved by Jacques1,

Recommended Posts

Hi all !

 

I used the following script to send a test mail which works fine.

<?php 
require_once('PHPMailer-master/class.phpmailer.php');
require_once('PHPMailer-master/PHPMailerAutoload.php');
define('USER', 'mymail@gmail.com'); // GMail username
define('PWD', 'myPassword'); // GMail password

$to = 'mee@gmail.com';
$from = 'mymail@gmail.com';
$from_name = 'Ajoo';	
$subject = 'Test Message';
$body = 'This is PHP Mailer in Action';

smtpmailer($to, $from, $from_name, $subject, $body);

function smtpmailer($to, $from, $from_name, $subject, $body) { 
	global $error;
	$mail = new PHPMailer();  // create a new object
	$mail->IsSMTP(); // enable SMTP
	$mail->SMTPDebug = 0;  // debugging: 1 = errors and messages, 2 = messages only
	$mail->SMTPAuth = true;  // authentication enabled
	$mail->SMTPSecure = 'ssl'; // secure transfer enabled REQUIRED for GMail
	$mail->Host = 'smtp.gmail.com';
	$mail->Port = 465; 
	$mail->Username = USER;  
	$mail->Password = PWD;           
	$mail->SetFrom($from, $from_name);
	$mail->Subject = $subject;
	$mail->Body = $body;
	$mail->AddAddress($to);
	if(!$mail->Send()) {
		$error = 'Mail error: '.$mail->ErrorInfo; 
		echo 'Mail error';
		return false;
	} else {
		echo 'Message Sent';
		$error = 'Message sent!';
		return true;
	}
}

?> 

 I just want to know if this is secure enough. It was pointed out in a previous mail that the php mail() function was not secure by itself and the variables were vulnerable to various mail injections.

 

So is this safe now just by virtue of the fact that it's using a library and that takes care of the security ? Or Do we need to take some precautions here too. 

 

Thanks all !

 

Link to comment
https://forums.phpfreaks.com/topic/301325-phpmailer/
Share on other sites

  • Solution

PHPMailer validates the provided e-mail addresses, so they cannot be used to inject headers.

 

However, a library doesn't magically prevent all possible vulnerabilities. For example, in your above code you print mail errors directly on the screen, which can leak critical information about you server. Another common problem is to insert raw input into an HTML mail, which can lead to cross-site scripting vulnerabilities.

 

So writing secure code is still your responsibility as a programmer. A library can only take care of specific problems.

  • Like 1
Link to comment
https://forums.phpfreaks.com/topic/301325-phpmailer/#findComment-1533576
Share on other sites

Hi Guru Jacques,  I think I have asked this before but since I could not find your reply, I'll as ask it once again. 

 

For escaping HTML output you suggested a great function html_escape(), that I can use to sanitize all strings. The question is how to validate a numeric output. For example if there is a form field which expects numeric input then we need to check that the input is indeed numeric. Would using the is_numeric() function be sufficient for this purpose ? Anything else that we would need to take care of ?

 

Thanks !

Edited by ajoo
Link to comment
https://forums.phpfreaks.com/topic/301325-phpmailer/#findComment-1533588
Share on other sites

is_numeric() accepts a lot of technical formats which most users don't understand and probably find confusing like “-.4e+1”, “0xaf” and “0b1”. It also behaves differently depending on the PHP version, which is another problem.

 

What exactly do you mean by “numeric”? That it only contains decimal digits? Then you should use ctype_digit(). Also make sure to use an input of type number so that the user input is immediately validated by the browser.

Link to comment
https://forums.phpfreaks.com/topic/301325-phpmailer/#findComment-1533589
Share on other sites

 

 

What exactly do you mean by “numeric”? That it only contains decimal digits? Then you should use ctype_digit(). Also make sure to use an input of type number so that the user input is immediately validated by the browser.

 

By numeric I mean the integer and float values. Values stored in a DB, auto increment values etc. I think, I am almost sure, that I have used the number value for all the number inputs but I'll recheck that. What about filter_validate_number? is that a good option too?

 

Thanks !

Link to comment
https://forums.phpfreaks.com/topic/301325-phpmailer/#findComment-1533619
Share on other sites

The general problem of the filters is that they depend on the technical limitations of the PHP data types. For example: On a 32 bit system, FILTER_VALIDATE_INT is limited to the range −2,147,483,648 … +2,147,483,647. Unfortunately, that's not enough for a MySQL BIGINT which is 64 bit wide and can store much larger and smaller numbers. So once you're dealing with bigger numbers, the filters may stop working and give you nonsense results (which is very hard to debug if you don't know where to look).

 

There's no such problem with ctype_digit(), because it simply checks the input character by character.

 

FILTER_VALIDATE_FLOAT has similar problems. It also supports formats which aren't normally understood by users like “.1e-2” (which is the scientific notation of 0.001).

 

If you're OK with those limitations and quirks, feel free to use the filters. Otherwise ctype_digit() or a regular expression are problably better choices. I'm sure there are also validation libraries which implement this already.

  • Like 1
Link to comment
https://forums.phpfreaks.com/topic/301325-phpmailer/#findComment-1533625
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.