I have a PHP driven HTML contact form on my site. Currently I use the PHP mail() function. Because of that I have to do a lot of user input validation to avoid email header injection attacks. I think I'm secure, but I probably forgot something and I want to move to a solid PHP email library. The library I selected is Swiftmailer.
Now I want to check if Swiftmailer addresses the following:
- < and > characters in sender names
- \n, \r\n, ... from sender names
- \n should be used in content and \r\n as email headers separator
PS: I tried to contact the Swiftmailer team with my questions without success so I'm trying here.
Edit:
I did some test cases with Swiftmailer and this is what I found so far:
- < or > in the name of a sender: you get an Undeliverable email error mail. This can somewhat lead to a DoS attack of your mail server (maybe I'm wrong). Is this normal?!
Can someone clarify #1 and #4 for me? I'm not sure if it's normal behavior...
EDIT: This answer may be obsolete. At the time I wrote this, there were some problems with the SwiftMailer library. At this point, everything is working fine with SwiftMailer, and it is considered to be the better library with a lot more to offer than PHPMailer.
I would suggest you use PHPMailer. It is one of the most stable mailing libraries I've ever used. Here's some example code that should work:
<?php
require_once("./phpmailer/class.phpmailer.php");

$mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
try {
    $mail->IsSMTP();
    $mail->SMTPDebug = 2;        // prints the SMTP conversation; set to 0 in production
    $mail->SMTPAuth = true;
    $mail->SMTPSecure = "tls";
    $mail->Host = "YourSMTPMailServer.com";
    $mail->Port = 587;
    $mail->Username = "[email protected]";
    $mail->Password = "password"; // GMAIL password
    // Display names with <, >, quotes and spaces: PHPMailer encodes them for the header
    $mail->AddAddress("[email protected]", '<< >> ! " Receiver Name');
    $mail->SetFrom('[email protected]', '<< >> ! " Sender Name');
    $mail->Subject = "A testing subject";
    $mail->AltBody = 'To view the message, please use an HTML compatible email viewer!';
    $mail->MsgHTML('This is my <b>html</b> testing email, sent '.time());
    $mail->Send();
} catch (phpmailerException $e) {
    echo $e->errorMessage(); // PHPMailer's own error text
} catch (Exception $e) {
    echo $e->getMessage();
}
You'll need to configure this so that it connects to your email server, but it should work. PHPMailer has escaped everything I've tried so far. The only thing I'm checking is "[email protected]". I do it with this code:
<?php
$email = "[email protected]";
// Strip characters that cannot appear in an address, then check that what is left is a valid address
$email = filter_var(filter_var($email, FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL);
if ($email) {
    echo "This email is valid!";
} else {
    echo "This email is INVALID!";
}
I hope this helps :)
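The checks the question asks about, as an added example for the plain mail() path rather than code from either post: sender names lose < and > and are rejected if they contain a line break, the address is validated rather than repaired, and \r\n appears only as the header separator. It goes a little beyond the question's list by also catching NUL bytes and URL-encoded %0A/%0D, and by RFC 2047 encoding non-ASCII names. All function names are mine, the sample inputs at the bottom are constructed, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the original question or answer: the checks a mail()-based
// contact form needs before user input reaches a header. Function names are mine.

/**
 * True if the value could break out of a single header line: a raw CR, LF or NUL,
 * or the URL-encoded %0A/%0D forms that some stacks decode a second time.
 */
function containsHeaderInjection(string $value): bool
{
    return (bool) preg_match('/[\r\n\0]|%0[ad]/i', $value);
}

/**
 * Return the address if it is injection-free and syntactically valid, else null.
 * Validate rather than sanitize: silently stripping bytes can turn an attack
 * string into something that passes, so reject the request instead.
 */
function validateAddress(string $email): ?string
{
    if (containsHeaderInjection($email)) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Turn a user-supplied display name into a phrase that is safe in a From: header.
 * Line breaks are rejected outright. '<', '>', '"', '\' and control characters are
 * removed so the name cannot open a second angle-addr or escape the quoted-string.
 * ASCII names come back as an RFC 5322 quoted-string, anything else as an RFC 2047
 * encoded-word. Returns null if nothing usable remains.
 */
function sanitizeDisplayName(string $name): ?string
{
    if (containsHeaderInjection($name) || !preg_match('//u', $name)) {
        return null; // injection attempt or invalid UTF-8
    }
    $name = trim(preg_replace('/[<>"\\\\]|[\x00-\x1F\x7F]/', '', $name));
    if ($name === '') {
        return null;
    }
    if (preg_match('/^[\x20-\x7E]+$/', $name)) {
        return '"' . $name . '"';
    }
    // An encoded-word may be at most 75 characters; the =?UTF-8?B?...?= frame takes 12,
    // so at most 45 raw bytes (60 base64 characters). Drop whole characters until it fits.
    while (strlen($name) > 45) {
        $name = preg_replace('/.\z/us', '', $name);
    }
    return '=?UTF-8?B?' . base64_encode($name) . '?=';
}

/**
 * Build the additional_headers string for mail(). Every header line ends in \r\n and
 * that is the only place the sequence occurs; the message body keeps its own \n endings.
 * Returns null when the input must be rejected.
 */
function buildFromHeaders(string $name, string $email): ?string
{
    $addr = validateAddress($email);
    if ($addr === null) {
        return null;
    }
    $display = sanitizeDisplayName($name);
    $from = $display === null ? $addr : $display . ' <' . $addr . '>';
    return "From: $from\r\nReply-To: $addr\r\n";
}

// Constructed inputs: what a contact form might receive from real users and from an attacker.
$inputs = [
    ['Alice Example', 'alice@example.com'],                         // normal
    ["Alice\r\nBcc: everyone@example.net", 'alice@example.com'],    // classic CRLF injection
    ['Alice%0ABcc: everyone@example.net', 'alice@example.com'],     // encoded newline
    ['<bounce@example.net> "Alice"', 'alice@example.com'],          // smuggled angle-addr
    ['Zoë Ünicode', 'zoe@example.com'],                              // non-ASCII name
    ['Mallory', "mallory@example.com\nBcc: everyone@example.net"],   // injection via the address
];

foreach ($inputs as [$name, $email]) {
    $headers = buildFromHeaders($name, $email);
    printf("%-45s => %s\n", json_encode($name), $headers === null ? 'REJECTED' : json_encode($headers));
}
```

Pass the returned string as the fourth argument of mail() and the body as the third; the body is never concatenated into the headers. Note the order of operations: the address is checked for CR/LF before filter_var() sees it, and it is never run through FILTER_SANITIZE_EMAIL first, because stripping bytes from an attack string can leave something that validates. A stripped display name may still look like an address (the fourth sample becomes "bounce@example.net Alice"), which is a phishing-appearance concern for your templates, not a header injection. A library such as PHPMailer or Swiftmailer does the quoting and RFC 2047 encoding for you, which is the main reason to prefer one over hand-built headers.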