1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

<html>
<body>
 
<?php
if (isset($_POST['Name'])) {
   $message = '';
   foreach ($_POST as $key => $value) {
      $message .= '<b>'.$key.':</b> '.nl2br(htmlspecialchars(trim($value)))."<br>\n";
   }
 
   $to = 'example@example.com';
   $from = 'example@example.com';
 
   $subject = 'New Message: '.$_POST['subject'];
 
   $headers  = 'MIME-Version: 1.0' . "\n";
   $headers .= 'Content-type: text/html; charset=UTF-8'."\n";
   $headers .= 'From: '. $from ."\n";
   $headers .= 'Reply-To: '. $from ."\n";
   $headers .= 'Return-Path: '. $from ."\n";
 
   mail($to, $subject, $message, $headers);
   echo '<b>Your message has been sent</b>';
   exit();
}
?>
 
<form method="post" action="<? echo $_SERVER['REQUEST_URI'] ?>">
<table>
<tr>
   <td align="right">Name:</td>
   <td><input type="text" name="Name" value=""></td>
</tr>
<tr>
   <td align="right">Email Address:</td>
   <td><input type="text" name="Email" value=""></td>
</tr>
<tr>
   <td align="right">Subject:</td>
   <td><input type="text" name="Subject" value=""></td>
</tr>
<tr>
   <td align="right">Message:</td>
   <td><textarea name="Message" rows="10" cols="30"></textarea></td>
</tr>
<tr>
   <td>&nbsp; </td>
   <td><input type="submit" value="Send Message"></td>
</tr>
</table>
</form>
 
</body>
</html>

Recommended changes to the above script

• Add additional fields, I used a for each loop for a reason, so you can add as many fields as you want to without having to add them individually to the email message. For example, if we wanted to allow the user to enter their order number we can just add the following at line 38:

  38 39 40 41

  <tr> <td align="right">Order Number:</td> <td><input type="text" name="OrderNumber" value=""></td> </tr>

• Add additional data, it’s always a good idea to copy the users IP address and username (if they are logged in). One thing I like to do is append this additional information into the message. For example, if my site relies on sessions, I would append that to my emails, which you can accomplish by adding this:

  $message .= "<hr><pre>". print_r($_SESSION, true) ."</pre>";

  If your site uses cookies, then you can replace $_SESSION with $_COOKIES and for overkill if you wanted to record the server data you could also append the $_SERVER data.

• Verify data before sending it, all of the info that the user entered above was never checked for accuracy. Obviously we can never make a foolproof checker, but we can eliminate 99% of common mistakes (IMO). There’s the simple and the more advanced method of verifying user input, they are…
  • Checking string length using the strlen function. For example, let’s take the shortest email address we can think of that would still be technically valid, x@x.ca this comes out to 6 characters. So trimming off any white space

    if (strlen(trim($_POST['Email'])) < 6)

    then we know we have an invalid email address. We might also want to check that the name, message, etc length is at least 2 characters long.

  • Regular expressions can be used to verify that accurate information was entered. For example, if we wanted to check for an email address we could do that by doing something similar to

    $isValidEmailAddr = ereg('^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$', $_POST['Email']);

    if this is true, then we have a valid email address. Just remember, that not all regular expressions are created equally.

• Add a free CAPTCHA to prevent being flooded with spam. Add this little captcha at the end of the form and if it’s not entered correctly you will need to refill in all of the users old information into the form

To generate your MD5 and SHA-1 password hash, enter your text here:

What can I do make my passwords more secure?
One word: Salt. You want to salt all your hashes, and keep your salt private. A salt is equivalent to adding extra miscellaneous data to your user’s password. For example, according to Wikipedia:

Assume a user’s (encrypted) secret key is stolen and he is known to use one of 200,000 English words as his password. The system uses a 32-bit salt. The salted key is now the original password appended to this random 32-bit salt. Because of this salt, the attacker’s pre-calculated hashes are of no value. He must calculate the hash of each word with each of 232 (4,294,967,296) possible salts appended until a match is found. The total number of possible inputs can be obtained by multiplying the number of words in the dictionary with the number of possible salts:

2^(32) * 200 000 = 8.58993459 * 10^(14)

To complete a brute-force attack, the attacker must now compute about 800 trillion hashes, instead of only 200,000. Even though the password itself is known to be simple, the secret salt makes breaking the password radically more difficult.

So, how do I salt my password?
Easy, just append any string, either at the beginning or end of the user’s password. Just remember, the most important factor is to keep it secret, do not share it with anyone! Let’s assume the following is my PHP code

$salt = 'fenfnk4n2kt4$#%$%&l%URàEGMÜEWQTF4%©YRTesadssôd av  frH^%Ewqefty75$%^&*()(765432';
$hash = md5($salt . $_POST['password']);

Now everytime a user submits there password you can append this password, at the front, end or even both. An added benefit to generating a hash using the above function call is when comparing this value to the one in your database, your value will be returned with raw_output set to false. This means that it will return a 32bit hexadecimal digits (ie: only the numbers 0-9 and the letters a-f) with no special sql characters trying to cause some damage via a nasty sql injection.

What is hashing?
To put it simple, hashing was created to be a one-way encryption. Of course there’s no such thing as secure in this day in age, especially with brute force crackers out there. Ideally, hashing is done so that there is no way to recover the password, a good example is like taking a digital hammer which smashes a string exactly the same way each and every single time. For example, if we were to take this digital hammer and try and create a MD5 hash for 123Password we would get d54b609242c7d758f6daca654bda1d26 every single time. If we were to add a space in the middle any other character for that matter it would "break" in a completely different pattern, for example 123 Password would create the following hash: ffeefad21f5f4a9f2b44992342d551ba. As you can see adding one space between 123 and Password created a completely different encryption key.

How to generate a MD5 and SHA1 hash in PHP:

1
2
3

$password = 'MySup3rSecretPassw0rd';
$md5Hash = md5($password);
$sha1Hash = sha1($password);

How to generate a MD5 and SHA1 hash in MySQL

1

SELECT md5('MySup3rSecretPassw0rd'), sha1('MySup3rSecretPassw0rd') LIMIT 1;

How to generate a MD5 and SHA1 hash in binary using MSSQL. Remember, this is a binary output, not hex.

1

SELECT HashBytes('MD5', 'password'),HashBytes('SHA1', 'password') LIMIT 1;

bool mail  ( string $to  , string $subject  , string $message  [, string $additional_headers  [, string $additional_parameters  ]] )

The first thing we see is that the mail function returns a bool, or boolean. So every time this function is run it will either tell you whether it was successfully sent or not. Now I want to be careful here, just because the message has been sent does not mean that the message ever made it to the users mailbox. The message could bounce back because you entered the wrong address, it was flagged as spam, the email address doesn’t exist anymore, etc… This is kind of like mail with the post office, just like when you put a stamp on a letter and mail it, you can say that the message was sent, but it doesn’t mean the message will ever be received.

$to = "noreply@brangle.com";
$subject = 'Test Message with the Mail() command';
$message = "Lorem ipsum dolor sit amet, consectetur
     adipisicing elit, sed do eiusmod tempor incididunt ut labore
     et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud";

if (mail($to, $subject, $message)) {
   echo 'Your message was sent!';
} else {
   echo 'Your message failed to send!';
}

If you were to execute the above script it would send an email to noreply@brangle.com and everything would be honkey dorey. But now what if we wanted to improve on it and add some HTML, then we’re going to need the modify the headers of the message. It’s also important to note, that I am using only \n and not \r\n this is for a variety of reasons, particularly GMail.

Using the $message variable

$headers  = 'MIME-Version: 1.0' . "\n";
$headers .= 'Content-type: text/html; charset=UTF-8' . "\n";
$headers .= 'To: John Doe <john@example.com>, Jane Doe <jane.doe@example.com>' . "\n";
$headers .= 'Cc: babydoe@example.com' . "\n";
$headers .= 'Bcc: brangle-archive@example.com' . "\n";
$headers .= 'From: Brangle.com Webmaster ' . "\n";
$headers .= 'Reply-To: webmaster@example.com' . "\n";
$headers .= 'Return-Path: webmaster@example.com' . "\n";
$headers .= 'X-Mailer: PHP/' . phpversion() ."\n";

So I entered a whole bunch of headers above, but they’re 4 headers which you should always use, even if your only sending text, and they are: Content-Type, From, Reply-To, Return-Path header. If you want to send your email in HTML then you absolutely need to include the Content-Type header. Now unless your sending email in some Asian languages then UTF-8 should always work for you, but please correct me in the comments if I’m wrong. If you forget to send the envelope from address in the headers then the PHP mail() function will automatically do this for you without you even knowing, the problem is what if it grabs the wrong email address, or even a non-existant email address?!? That’s why we want to explicitly define it. You can check your PHP.ini file to see who your email is defaulted from and change it there if you’d like, but if you’re like me and don’t have access to this file then the easiest way is to create the following php file…

<? phpinfo(); >

Now visit this file on your webserver and search for sendmail_from this will tell you who all your email is "sent from." Now continuing on, you can easily remove any line from the php headers that I outlined above without any PHP parsing errors.

if you want to send my message with a high priority, then just add the following headers:

$headers .= 'X-Priority: 1 (Highest)' . '"\n";
$headers .= 'X-MSMail-Priority: High\n' . '"\n";
$headers .= 'Importance: High' . '"\n";

For more advanced users…
I think you should always log all outgoing emails, either to a text file or to your database, now these emails are just for archival purposes and can probably be flushed (deleted) within 90 to 365 days, or whenever you deem necessary. When you generate an email to send, you should log the email id number and include it in the email message that way if a user emails you back about an email they received you can go back and look at what exactly you sent.

If you have a flaky email server, I would recommend changing your web host, I have used DreamHost for several years and have never had a problem with them. But now for the rest of you out there who refuse to change your webhost, I can think of only one recommendation. But since this is a tutorial on how to use the mail() function, I’m only going to provide some psuedocode. If there’s enough request, I could develop this into a full fledged tutorial, but until then…

$i = 0;
while (!mail($to, $subject, $message, $headers)) {
   sleep(10); //this will sleep for ten seconds
   $i++;
   if ($i >= 3) {
      //perform a sql insert with the following values $to, $subject, $message, $headers, time()
      //This will allow you to save the email in your database where you can create a cron job
      //to execute a query ever hour or so until your mail server is back up, and when it is sort
      //thru all those emails and send them out and flush them from the database.
   }
}
echo 'You should receive your email within 24 hours';

One important thing to remember for all webmasters to note, if you have a flaky mail server and you feel like you have a reputable hosting provider then the issue may be the amount of emails that you are allowed to send daily. Many hosting providers put a cap on the number of mail() function calls you can make in a day, you should definitely look into this.