
I have a form that sends data to the script below. It's supposed to send a message from the person specified in the form's emailaddress. Instead, I get it coming from a strange email address from my hosting company. I've checked the PHP over and over again and cannot find out where the issue is. The email does send... just from the wrong address...

<?
// set recipient email
$mymail = "thelamp.website@yahoo.com";

// get information from form
$name = $_POST['firstname'] . " - " . $_POST['lastinitial'];
$email = $_POST['emailaddress'];
$multiplemail = $mymail . ", " . $email;
$message = $_POST['testimonial'];
$message = wordwrap($message, 200, "\r\n");
$subject = "Testimonial Submission:  ";
date_default_timezone_set('US/Eastern');
$body = "Date:  " . date('m-d-Y') . " - Time:  " . date('h:i:s A e') . "\n Name:  " . $name . "\n eMail:  <" . $email . "> \n wrote:  \n" . $message;
$headers = "To:" . $email . ", " . $mymail . ", From:" . $email;

// check the eMail!
$emailB = filter_var($email, FILTER_SANITIZE_EMAIL);
if (filter_var($emailB, FILTER_VALIDATE_EMAIL) === false || $emailB != $email)
    {

// Display error message!
        echo "This eMail address that you entered in the form is invalid!  Please go back and enter a correct eMail address!";

// Exit the checking scriptlet!
        exit(0);
    }
else
    {
        if(!mail($multiplemail, $subject, $body, $headers))
            {
// Testimonial was NOT sent
                die ("Testimonial could not be sent!  Please try again later!");
            }
        else
            {
// Testimonial was successfully sent
                ?><meta http-equiv="refresh" content="0; URL=thankyou.html"><?
            }
    }

?>

Any help you can give me would be greatly appreciated. Thanks in advance.

  • It SHOULD have the data from $email as the FROM email address. It sends from XXXXX@main-hosting.eu. Does that mean the error is with my hosting company? Or, is it something I can take care of in the PHP code above? – William R Strong Nov 03 '20 at 23:06
  • Looks like you are attempting to send an email from an email address which is not registered on your hosted domain. This will end up showing the default email address for the domain. – SJacks Nov 03 '20 at 23:07
  • Would it be something that the hosting could do to correct this? Like changing the default email address to "" so that there is NO default? – William R Strong Nov 03 '20 at 23:21
  • Malformed Header doesn't help. `This is typically used to add extra headers (From, Cc, and Bcc). Multiple extra headers should be separated with a CRLF (\r\n).` – Progrock Nov 03 '20 at 23:24
  • No, it's standard procedure because you are using the internal mail system on your host, so all from addresses will be from that domain's server. Instead, I would create a reply-to field, and for the from address use one you have created on your host, like system @ wherever dot com or notifications @ wherever dot com. – SJacks Nov 03 '20 at 23:26
  • Is there any PHP that could fix the issue? I really need it to send a message to me and the sender FROM the sender. I have tried to change the variables $email and $mymail but nothing changes who it's coming from. – William R Strong Nov 03 '20 at 23:29
  • Personally I'd stick with a valid server from address. Just add their email into the form message. – Progrock Nov 03 '20 at 23:31
  • @WilliamRStrong did you try using valid headers? – Progrock Nov 03 '20 at 23:31
  • If I do that, when I click on the reply, it'll try to send it to the server's email address (which I can't receive.) – William R Strong Nov 03 '20 at 23:32
  • You can add a reply-to header. – Progrock Nov 03 '20 at 23:33
  • Currently it looks like you are open to header injection attacks. – Progrock Nov 03 '20 at 23:34
  • To avoid showing the default email account you need to create a custom email address on your host! Call it something like notifications @ yourdomain . com - this will be the (real) from address. For the user to reply to the sender, either create a reply to field with the user generated email in it or add the user generated email to the body with some text like "click here to reply" then the email. – SJacks Nov 03 '20 at 23:36
  • As @Progrock says, you are wide open to abuse. None of your post data is protected. It needs to be sanitized. Look into mysqli_real_escape_string and prepared statements. – SJacks Nov 03 '20 at 23:42
  • Progrock, What is invalid from my headers? – William R Strong Nov 03 '20 at 23:42
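
The comments above raise three points: extra headers must be separated by CRLF, the From address should be a mailbox on the hosting domain with the visitor's address in Reply-To, and values placed in headers must not carry line breaks. The following is an added example, not code from the question or from any commenter, that builds the `mail()` arguments that way. `notifications@example.com` and `owner@example.com` are placeholder addresses, `header_safe()` and `build_testimonial_mail()` are hypothetical helper names, and both sample submissions are constructed.

```php
<?php
// Added example. SITE_FROM and OWNER are placeholders (assumptions), not values from the page.
const SITE_FROM = 'notifications@example.com'; // a mailbox that exists on the hosting domain
const OWNER     = 'owner@example.com';         // site owner's inbox

// Hypothetical helper: refuse any value that could start a new header line.
function header_safe(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

// Hypothetical helper: returns [to, subject, body, headers] for mail(), or throws on bad input.
function build_testimonial_mail(array $post): array
{
    $email = header_safe((string)($post['emailaddress'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $name = ($post['firstname'] ?? '') . ' - ' . ($post['lastinitial'] ?? '');
    // The body may contain free text; only normalise its line endings to CRLF.
    $text = preg_replace('/\r\n|\r|\n/', "\r\n", (string)($post['testimonial'] ?? ''));
    $body = "Name: $name\r\neMail: <$email>\r\nwrote:\r\n" . wordwrap($text, 70, "\r\n");

    // One header per line, joined with CRLF; "To" is NOT repeated here,
    // it is the first argument of mail().
    $headers = implode("\r\n", [
        'From: ' . SITE_FROM,      // server-owned address, so the host does not substitute its default
        'Reply-To: ' . $email,     // "Reply" in the mail client goes to the visitor
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    return [OWNER . ', ' . $email, 'Testimonial Submission', $body, $headers];
}

// Constructed sample submissions: one normal, one with a line break in the address field.
$samples = [
    ['firstname' => 'Ann', 'lastinitial' => 'B', 'emailaddress' => 'ann@example.org', 'testimonial' => 'Great service.'],
    ['firstname' => 'X', 'lastinitial' => 'Y', 'emailaddress' => "x@example.org\r\nBcc: other@example.net", 'testimonial' => 'hi'],
];
foreach ($samples as $post) {
    try {
        [$to, $subject, $body, $headers] = build_testimonial_mail($post);
        echo "OK   to=$to\n$headers\n\n"; // the real script would call mail($to, $subject, $body, $headers) here
    } catch (InvalidArgumentException $e) {
        echo "DROP " . $e->getMessage() . "\n";
    }
}
```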

0 Answers