Solved

PHP mail function - Hide email id's

Posted on 2008-10-27
10
1,362 Views
Last Modified: 2013-12-13
Hey,

I am trying to use the php send mail function and have the following question.
I am sending mail to multiple recpients(3-5). I do not want any of the user to see all the other email addressess and so I added the BCC option. I added the "senders" id in the $to field so the sender will also get a copy which is not really the right way. I would like to know how to still hide all the address and then not send the mail to the sender.

Please check the code as below:

It works well by sending mail to all the id's(whatever is typed in) and also the sender(which is not needed!!).

Also I would like to know if I have to implement any security method to the mail function. Please let me know how to implement this.
thanks
<?php
$email = $_REQUEST['email'];
$name = $_REQUEST['name'];
$email1 = $_REQUEST['email1'];
$email2 = $_REQUEST['email2'];
$email3 = $_REQUEST['email3'];
$email4 = $_REQUEST['email4'];
$email5 = $_REQUEST['email5'];
$message = $_REQUEST['message'];
#this will be used for the BCC
$email_ids = "$email1,$email2,$email3,$email4,$email5";
#Will show the sender's id in the From field
$headers = "From: $email" ;
#Will send the mail to sender(which is not required)
$to = "$email";
#Subject with name and email
$subject = "Refered by your friend $name($email)";
mail ($to, $subject, $message, $headers, "Bcc:$email_ids");
?>

Open in new window

0
Comment
Question by:Igiwwa
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 39

Expert Comment

by:Roger Baklund
ID: 22817519
What do you want in the email To header? There must be something there...

The 5. parameter for mail() is additional_parameters. The code you provided does not work for me:

mail ($to, $subject, $message, $headers, "Bcc:$email_ids");

This, however, works:

mail ($to, $subject, $message, $headers."\r\nBcc:$email_ids");
0
 
LVL 39

Expert Comment

by:Roger Baklund
ID: 22817544
...as for security: You must prevent the evil user from injecting headers, you can do that by removing any occurences of "\r" and "\n" in any of the email addresses.


function clean_email($email) {
  return str_replace(array("\r","\n"),'',$email);
}

Open in new window

0
 

Author Comment

by:Igiwwa
ID: 22821582
Hi cxr,
thanks for the replies. Yeah, I understand that I have to mention some id for the To field, but I am thinking if its possible to use one of the "friend's mail id" as the "To" address but others should not see it. OR how generally it works?a copy is always send to the sender or the site owner will have a dedicated id ?

I will implement the security method. thanks again. Is there any other security method?

regards
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Igiwwa
ID: 22821634
Hi,

I forgot to ask, how to check all the emails(sender/receiver)(i.e. $email, $email1, $email2, $email3..) in the clean_email function?
thanks
0
 

Author Comment

by:Igiwwa
ID: 22821814
How about sending an individual email to each user by using "To" field? Is that possible?
From : Sender id
To:friend one id

From : sender id
To: Friend two id.
...
....
0
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 75 total points
ID: 22821943
You can not use one of the "friends" email without letting the others see it, it is just one email, five identical copies are sent. You should use the site owner email or the sender email as a To email in this case.

You can use the clean_email() function like any other PHP function, you must call it for each email address you want to check:
$email = clean_email($_REQUEST['email']);
$email1 = clean_email($_REQUEST['email1']);
$email2 = clean_email($_REQUEST['email2']);
$email3 = clean_email($_REQUEST['email3']);
$email4 = clean_email($_REQUEST['email4']);
$email5 = clean_email($_REQUEST['email5']);

Open in new window

0
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 75 total points
ID: 22821996
Yes, you can of course send multiple emails. Use the same procedure as when you are sending one email, just repeat the call to mail() multiple times with different To address. something like this:
if($email1>"") mail($email1, $subject, $message, $headers);
if($email2>"") mail($email2, $subject, $message, $headers);
if($email3>"") mail($email3, $subject, $message, $headers);
if($email4>"") mail($email4, $subject, $message, $headers);
if($email5>"") mail($email5, $subject, $message, $headers);

Open in new window

0
 

Author Comment

by:Igiwwa
ID: 22823437
Thanks a lot!
Everything works fine.
Just wondering, if there is any other security method we have to implement OR  please direct me to a site which will have more info about this.
0
 
LVL 39

Accepted Solution

by:
Roger Baklund earned 75 total points
ID: 22825552
I assume you are asking about security related to this email function, and not to your web site as such.

Removing \r (carriage return, ascii 13) and \n (linefeed, ascii 10) from any user input that goes into the $header is the most important step. Now that you do not use BCC, the user input is NOT put into the header, this elimintates the need for the clean_email() function. But it does not do any harm, so it's ok to use it even if the email address is only used in the To field of the email (first parameter to the mail() function).

Modern email clients can handle html in email. To send html in email, you need to use special headers (MIME and Content-type:text/html). If those headers are not there, it is not a html email, even if it contains html code. The html code will simply be visible in the email, like when you "View source" on a web page. However, there COULD be that some (badly coded) email client would detect the occurence of html in the mail, and render the html. I don't know of any such email client, and if there is one, it is faulty. If such an email client exists, your mail function could be abused by sending hostile html emails to such clients.

To eliminate the remote possibility of this, you can remove any html from the $message. This can be done with a builtin PHP function called strip_tags(). It is not common to do this, some will say it is bordering on paranoia, but if you want to be extra safe, you can do it.

$message = strip_tags($_REQUEST['message']);

This is not security related, but you should also use the wordwrap() function so that no line in the message is longer than 78 characters. No modern email clients will have any problem with longer lines, but the spec (rfc 2822) says that the line SHOULD be no more than 78 characters.

$message = wordwrap($message,78);
0
 

Author Comment

by:Igiwwa
ID: 22825673
thanks a lot for explaining this!
will implement these security code.
thanks again!
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How do I post more than 1 item to php backend 24 60
Echo values after a query in php 5 51
Insert PHP into HTML page. 7 52
php non-object 7 29
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question