abhinav dixit

Reputation: 251

Not able to use IMAP search

My email ID has an email with the subject line "=?UTF-8?Q?=e2=99=a3?= Styles =?UTF-8?Q?=e2=99=a3?=". Now I want to use imap_search to search for the email with this subject line, but I am getting an error:

Notice: Unknown: Unknown search criterion: STYLES (errflg=2) in Unknown on line 0

Below is the search code I am using:

    $ToSearch=trim("=?UTF-8?Q?=e2=99=a3?= Styles to Freshen Up Your Home =?UTF-8?Q?=e2=99=a3?=");
    $unreadEmails= imap_search($loginToInbox,'SUBJECT  '.$ToSearch.' SINCE '.$dateToSearch.'');
    var_dump($unreadEmails);

How can I search for an email by its subject line?

Upvotes: 0

Views: 1279

Answers (2)

Jan Kundrát

Reputation: 3816

The code is extremely dangerous -- it contains "IMAP command injection", similar to SQL injection you would get if you passed user-controlled data straight into your SQL database.

You absolutely have to sanitize the user-provided data before you feed them into the IMAP connection. Read RFC3501, see how strings can be transmitted, find out whether PHP's imap_search can do something for you for free (when it comes to literals, you do not want to handle them from the application code), and make sure you only pass sanitized data to the server.

The current version of code is vulnerable to grave mistakes; an attacker can delete all e-mails through that.

Upvotes: 0

Gigi

Reputation: 29521

It seems pretty clear to me: it's tripping on the word "Styles". That's because there's a space so it thinks there should be a new IMAP keyword. Try enclosing it in quotes:

    $unreadEmails = imap_search($loginToInbox,'SUBJECT "'.$ToSearch.'" SINCE '.$dateToSearch);

You'll also have to be careful with that $dateToSearch - you'll probably have to enclose it in quotes as well, and also make sure it's in the format that the server expects (most likely RFC2822 - see section 3.3, Date and Time Specification). See this other question for an example of what it should look like.

Upvotes: 1
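An added example, not part of the question or either answer: one way to build the criteria string so that the subject and date can never contribute extra search keys. The function names are hypothetical, the date uses the RFC 3501 `date` syntax, and the code assumes that rejecting unsafe input is acceptable, because the page does not establish how imap_search treats escaped characters inside a quoted string.

```php
<?php
declare(strict_types=1);

// Wrap untrusted text as an IMAP quoted string, or refuse it.
function imapQuoted(string $value): string
{
    // A double quote or backslash could end or alter the quoted string;
    // control characters (CR, LF, NUL included) could end the command line.
    if (preg_match('/["\\\\\x00-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException('Unsafe character in IMAP search string');
    }
    return '"' . $value . '"';
}

// Format a date from a typed object, never from raw user text.
function imapDate(DateTimeInterface $date): string
{
    // RFC 3501 "date" syntax: day-month-year, for example 05-Mar-2015.
    return '"' . $date->format('d-M-Y') . '"';
}

// Assemble the criteria string for imap_search() from validated parts only.
function buildSubjectSince(string $subject, DateTimeInterface $since): string
{
    return 'SUBJECT ' . imapQuoted($subject) . ' SINCE ' . imapDate($since);
}

// Constructed sample inputs, not taken from a real mailbox.
$since = new DateTimeImmutable('2015-03-05');

// A plain subject is quoted and passed through unchanged.
echo buildSubjectSince('Styles to Freshen Up Your Home', $since), PHP_EOL;

// A subject carrying a double quote would close the string early and let
// the rest be parsed as search keys, so it is rejected instead.
try {
    buildSubjectSince('Styles" ALL SUBJECT "Home', $since);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The returned string is what would be passed as the second argument of imap_search() in place of the hand-concatenated criteria.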
