can my html/php/jscript email access information such as To: From:

motokent
motokent used Ask the Experts™
on
I send html style email to a wide group of people both inside my company and outside.  Can I cusomize links in the email depending on the individual recipient (i.e. can php access the individual recipients email address or which network he/she is currently connected to?)?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
It depends how you are sending the email. If you are using Outlook then there is not a great deal PHP can do because PHP is server based and Outlook is client PC based.

If you are using PHP to send the email then you have full control over the email and its contents. For instance

$recipient = "joe@example.com";
$name = "Joe";
$email = "Dear $name, welcome to experts exchange";

mail->send( $recipient, "$name - important update", $email );

etc...


Author

Commented:
Hopefully this will be clear...
I'm using a bash script (Ubuntu) to compile data and then use mailx to send out the email in html format.  The html has links that go to a php file that then generates some charts and and other stuff.  Those charts/graphs are confidential for my company.  Plus the php is on our company network, so if someone outside our company network clicks the link they get "network problem" errors..

Maybe I'm making this harder than necessary.  Here's a simpler question.... if someone clicks a link, and the link is not reachable (i.e. the recipient is outside my company's network), I would like the attempt to be ignored as if nothing had ever been attempted.  2nd best option.... popup window saying something like "Please contact an account team representative to obtain this information."
If you put a link in an email then if clicked on it will do soething unless you use javascript coding to detect that you are outside the company network.

A simpler option is to go to some page somewhere and detect the remote IP address. If this is not a known company network address then you can show the refusal page, else permit the data to be seen. Something like this

$remote = strip_tags( $_SERVER['REMOTE_ADDR'] );
$internalAddrFormat = "192.168.";

if ( strpos( $remote, $internalAddrFormat ) === 0 )
    .... OK - genuine visitor
else
    ... outside network



Two points:

1. The above is untested
2. The $_SERVER array can be manipulated so additional checks are a good idea, but this will stop the bulk of casual hacks.
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Most Valuable Expert 2011
Top Expert 2016

Commented:
"if someone clicks a link, and the link is not reachable (i.e. the recipient is outside my company's network), I would like the attempt to be ignored as if nothing had ever been attempted"

This will depend on what the URL of the link contains.  If it is not a fully qualified URL, then the browser will not be able to resolve the address to your servers.  Instead it will go to some place that is "404 Not Found" and while that is not exactly "ignored" your data is safe.  Browsers do not have a way to ignore invalid HTTP requests - they tell the client about it.

Here is how I would handle the issue.  Make all the links fully qualified URLs and make the pages that generate the confidential information be protected by a password.  Without the login password, the page can display "Please log in or contact an account team representative to obtain this information."

Best regards, ~Ray

Author

Commented:
Here's the link as-is:
<a href=<mycompany.com/X.php>SOMETHING USEFUL</a>
==================================================
Is this what you mean (I can't test it until later today):
<?php
  $remote = strip_tags( $_SERVER['REMOTE_ADDR'] );
  $internalAddrFormat = "192.168.";
  if ( strpos( $remote, $internalAddrFormat ) === 0 )
     echo "<a href=<mycompany.com/X.php>SOMETHING USEFUL</a>";
  else
    echo "SOMETHING USEFUL";
Most Valuable Expert 2011
Top Expert 2016

Commented:
I do not see how that link could work at all.  Try copying it into your browser address bar.  That is what will happen, in effect, when a client clicks on the link in an email reader program.

Author

Commented:
To Ray.......  I'm using the fully qualified name in href which is in our internal network.  So a customer of ours that tryies to click the link gets something like "network problem" or "connection refused".  I just want something more graceful like being able to identify the network that the recipient is on, and then entering an "href=" if on my company network, or enter plain text if outside.  I don't care if I use php, jscript, or anything else.  Php was what came to mind first.
Most Valuable Expert 2011
Top Expert 2016

Commented:
Can you please post an example of the actual information that you have in the email link - not something that is made up.  Thanks.

Author

Commented:
<B><U>pCAPC-AP Link Failure:  Las Vegas</B></U>
 15 WA_WAN0999_MOT_CAPC_1_F101  pCAPC-AP Link: PL-1-3 - <A style="COLOR: black; TEXT-DECORATION: none" href="http://d1421-0a10790e.cig.mot.com/apinfo.php?ap=NV_LSV0649_2&market=SEA">NV_LSV0649_2</A>
 15 WA_WAN0999_MOT_CAPC_1_F101  pCAPC-AP Link: PL-1-3 - <A style="COLOR: black; TEXT-DECORATION: none" href="http://d1421-0a10790e.cig.mot.com/apinfo.php?ap=NV_LSV0630_2_2&market=SEA">NV_LSV0630_2_2</A>
 15 WA_WAN0999_MOT_CAPC_1_F101  pCAPC-AP Link: PL-1-3 - <A style="COLOR: black; TEXT-DECORATION: none" href="http://d1421-0a10790e.cig.mot.com/apinfo.php?ap=NV_LSV0034_1&market=SEA">NV_LSV0034_1</A>

Author

Commented:
I'd send you an actual email, but I'm not comfortable posting it.
Most Valuable Expert 2011
Top Expert 2016

Commented:
Thanks, that is helpful.  Looks like one of the URLs there is this, and of course there is no DNS entry that resolves to that address.

http://d1421-0a10790e.cig.mot.com/apinfo.php?ap=NV_LSV0649_2&market=SEA

I guess you could try any number of things to make sense of this, but I still think I would opt to send out a fully qualified and valid URL that simply points to a page on your server.  The server can easily detect whether or not the client is logged in.  Logged in clients get the data, clients that have not logged in get a login prompt (along with the message to contact the account team).
Most Valuable Expert 2011
Top Expert 2016

Commented:
No need for you to send me the email - the link above makes the issue clear enough to me.  

In my own experience with API programming, I have used an API key which must be present in the request to get the information.  Since you are generating the email messages, you might be able to send the API key to those who are to be given access, and omit the API key for the "foreigners" on the mail list.  This is not as safe as requiring a login, since the API key is exposed in clear text, but it might make things easier for your internal people.

Author

Commented:
That's the problem.  Any server that I have access to is inside my company's firewall and will get blocked by anyone who clicks the link.

Author

Commented:
I meant.... anyone who clicks the link that is not on my company network.
Most Valuable Expert 2011
Top Expert 2016

Commented:
This sounds like an architectural issue.  If you do not have access to a public-facing server so that you can receive requests from the internet, it seems unlikely that you will be able to service requests from anyone who is not logged into your network.
Most Valuable Expert 2011
Top Expert 2016

Commented:
OK, let's step back a moment and help me understand.  Can you create a public-facing web page with PHP?  Can it access these scripts (like: http://d1421-0a10790e.cig.mot.com/apinfo.php?ap=NV_LSV0649_2&market=SEA)?
On one of our internal servers we have a nameserver running BIND and all requests from internal desktops list it as the primary nameserver. We can then create internal subdomains for actual domain names that will only resolve internally.

For example, lets us say that the company domain was example.com and that no subdomain exists for wiki.example.com. Internally we have an entry on our local nameserver for wiki.example.com so it only works internally but not externally.

Maybe the O/P could try something along those lines?
I should clarify, since the O/P wants a better message do this

- Have a subdomain that works INSIDE the company network.
- Establish the same subdomain OUTSIDE the company network and put a single index.html page in it that says whatever you want it to say.

That way it works inside the network and has a graceful failure on the outsides - as long as internal machines query the internal nameserver FIRST.

Author

Commented:
Still not clear.  Let me start over.  Pretend you are my customer.  You do not have access to my network (including my web pages).  No problem so far.

I want to send you and a whole lot of other people a snapshot of what's going on via email every morning.
This part works great.

In the email, there are very useful links for my coworkers.  However, if you try to click the link it's not very pretty.  This is NOT a security issue..... just cosmetic.  I don't want you to see the text as a link.
Most Valuable Expert 2011
Top Expert 2016

Commented:
Since you create the email, you can just omit the link for those email recipients who should not see the link.  Just send them text that is not a link.  Easy!

Author

Commented:
The emails will get forwarded between folks in our markets.  There's no way to control who sends what... in fact it's a very good thing if one of my co-workers in Las Vegas, for instance, wants to forward the email to one of our customers in Las Vegas.

Can I write client-side scripting that will detect if client is on my network?  (Can I send you an html email that can tell if you are on my company's network, and then adjust the links accordingly?)
Most Valuable Expert 2011
Top Expert 2016

Commented:
Yes, I am sure you can write client-side scripting to detect this.  I am equally sure it can be hacked.  I guess I still do not understand the design pattern we are trying to achieve here.  If you want to expose this information to everyone - people on your network as well as people who are not on your network, why not just create a public page that has this information and send everyone the link to the public page?

Author

Commented:
All I want is this:  If you, Ray Paseur, click on the link in my email, you will get either:
1. Popup window saying "Please contact an Account team member for this information", or
2. Nothing at all.  No error message saying "unable to connect". No browser trying to access the site.  Nothing.  As if there were no link at all... just text.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial