Re: FORMS, validating mail was sent [message #181911 is a reply to message #181871]
Sat, 22 June 2013 16:02
bill
Messages: 310 Registered: October 2010
On 2013-06-20 4:46 PM, Gordon Burditt wrote:
>> I'm a PHP near-newbie working fairly successfully on creating a secure
>> PHP e-mail (mail()) function. It occurs to me that the only way a user
>> knows (thinks) a form has been sent, is that I tell him so either in a
>> line of code or with a Thank You page.
>
> Since you're a near-newbie, please save the world from having to
> block email from your server, and DO NOT put any variables in email
> headers, DO NOT put any variables from the user in email headers,
> and DO NOT put any variables set in your form in email headers.
> Put them in the body of the mail.
All good information. FWIW, I'm not new to websites and contact forms. I
have a couple I've used for years and never had a hack or any kind of
problem with them.
Due to a brain concussion I've lost all my PHP capabilities to
memory loss and I'm currently using this query as a way to keep on
relearning it. I've gotten some back, but not nearly enough to be
considered as knowledgeable. I remember a lot of the concepts, but C or
PHP actual coding just left for parts unknown.
>
> Wrong: From: $email
> Right: From: www-data(at)myserver(dot)hostingco(dot)com
>
> Some servers are going to require that (a) the From: address is
> local, (b) the From: address is a valid local user, and perhaps (c)
> the user name must match the user id of the code that called the
> MTA. In other words, there might be only one correct From: line
> you're allowed to use.
Correct.
>
> (For a mailing list to customers, you're stuck with a variable
> in the To:, Cc:, or Bcc: headers. )
To only: cc and bcc are not possible - on purpose.
>
> Wrong: Subject: Contact form from $email
> Right: Subject: Contact form - read body to tell who it's from.
>
> Wrong: Subject: Order for $itemname
> Right: Subject: Order
Done those, too.
>
>
>
> (Consider what happens if $email='me(at)gmail(dot)com\rCc: victim1(at)gmail(dot)com,
> victim2(at)gmail(dot)com, victim3(at)gmail(dot)com, ..., victim99(at)gmail(dot)com', and
> $address (used in the body) contains a 5-page-long ad for body part
> enlargement)
Can't (shouldn't) happen without something pretty clever: Filters limit
it to only one To: address, no code, etc. etc.
>
>> With that in mind, is there any way with PHP to actually tell that a
>> message was actually sent? That it at least was mailed out?
Depends on your viewpoint: If you're the one filling out the form, the
mail is "sent". If you're on the other end of the tunnel, the mail is
"accepted"; THAT is the ACK I want to detect.
>
> The return value from the mail() function is about as good as you
> can get. The mail was handed off to the MTA.
>
>> I came across retval() and thought that might be way to do it, but I
>> misinterpreted it, thinking it was a PHP function, which it turns out to
>> not be. Therefore I'm looking for some way to authenticate that the
>> e-mail actually left the server.
>
> It can actually take an incredible number of DNS lookups and alias
> file searches to determine if the mail is even *SUPPOSED* to leave
> the server (that is, the destination is not local to the server),
> especially since shared hosted web servers tend to have lots of
> different DNS hostnames all pointing at them.
>
No argument for a larger site; but it's only the "ACK" that a mail was
accepted that I am looking for. Not that it was or will be delivered.
You have an interesting attitude & viewpoint; I think I like that.
Regards,
Twayne
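The Wrong/Right header advice and the mail() return value discussed in this post, as an added PHP example that is not code from the thread. The addresses, constants and function names are placeholders assumed for illustration.

```php
<?php
// Added example, not code from the thread; addresses and names are placeholders.
const FIXED_FROM = 'www-data@myserver.example'; // assumed local sender
const FIXED_TO   = 'owner@myserver.example';    // assumed single recipient

// "Wrong" pattern from the post: a form value interpolated into a header.
function unsafe_headers(string $email): string
{
    return "From: $email";
}

// "Right" pattern: constant headers; the form value is validated and
// travels only in the body. Returns null when the address is rejected.
function build_contact_mail(string $email, string $message): ?array
{
    if (preg_match('/[\r\n]/', $email) === 1
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $body = "Reply address given in form: $email\r\n\r\n$message";
    return [
        'to'      => FIXED_TO,
        'subject' => 'Contact form - read body to tell who it is from',
        'body'    => wordwrap($body, 70, "\r\n"),
        'headers' => 'From: ' . FIXED_FROM,
    ];
}

// true means only that the MTA accepted the hand-off, not that the
// message left the server or was delivered.
function send_contact_mail(array $mail): bool
{
    return mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}

// Constructed inputs: an ordinary address and one shaped like the post's example.
$samples = ["visitor@example.org", "me@example.org\rCc: victim1@example.org"];
foreach ($samples as $email) {
    // Header lines the unsafe pattern would emit; anything above 1 is injected.
    $lines = count(preg_split('/\r\n|\r|\n/', unsafe_headers($email)));
    $mail  = build_contact_mail($email, 'Hello from the form.');
    printf("%-46s unsafe header lines: %d, accepted: %s\n",
        json_encode($email), $lines, $mail === null ? 'no' : 'yes');
    // A real handler would now call send_contact_mail($mail) when $mail is not null.
}
```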