I_miss_Steve_already

Reputation: 251

Email header is "malformed" when using sendmail command from php. Why?

I'm having trouble with a sendmail command.

I'm pulling the values out of a database call, and they look good. The mail command looks like this:

sendmail(urldecode($row['tracker']),urldecode($row['recipient']),urldecode($row['docurl']),urldecode($row['last_accessed']));

function sendmail($vtracker,$vrecip,$vrawurl,$viewed){
    $to = $vtracker;
    $subject = $vrecip . " has viewed the presentation you sent them.</br>";
    $body= "Full document url:  " . $vrawurl . "<br/>".
    "Time and Date Viewed:  :" .$viewed ;

    if (!mail($to, $subject, $body)) {
       echo("<p>Message delivery failed...</p>");
    }
}

I echoed all the variables and they look ok:

$vtracker:  Bob ;
$vrecip : [email protected] ;
$vrawurl : https://docs.google.com/a/advetel.com/present/edit?id=0Ac_KwUsBMiw8ZGN2Z3N3cDlfMTc3c2Jubng0Z2Q ;
$viewed : Mon, 20 Feb 2012 10:36:22 CST ;

I'm getting an error (retrieved from the error log on the server) that looks like this.

[error] [client 66.249.68.23] File does not exist: /var/chroot/home/content/m/3/s/m3sglobal/html/broadband/missing.html
[Tue Feb 21 20:17:15 2012] [error] [client 70.113.8.83] Failed loading /usr/local/zo/4_3/ZendOptimizer.so:  /usr/local/zo/4_3/ZendOptimizer.so: undefined symbol: empty_string
[Tue Feb 21 20:17:17 2012] [error] [client 70.113.8.83] malformed header from script. Bad header=/home/content/m/3/s/m3sglobal/: Nitrofill_Presentation.php

Why is the header "malformed"?

Upvotes: 0

Views: 1985

Answers (1)

sarnold

Reputation: 104080

I think it wouldn't hurt to spend a bit more time with RFC 2822.

Your to field is populated with Bob. That is not a legal address. The format of valid email addresses is quite complicated but these days, addresses generally are of the form localpart@domain. (Older formats that allowed delivery to UUCP addresses via % username specifiers or ! bang-paths are often not supported; further, username@[<ip address>] may or may not be supported on different servers or configurations. In general, there must be an @ in an email address to separate the local part from the domain.)

You also appear to be using user-supplied data without any confirmation that it isn't performing header injection attacks. (See also the suhosin project's documentation about suhosin.mail.protect.)

Your subject field includes a </br>, which is pointless, since the Subject: header is interpreted as plain text. This field also appears to be using raw data supplied by the database.

The message body also includes the </br>, which is pointless, since your message does not include any MIME markup to indicate the presence of text/html content.

Upvotes: 1
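Added example, not code from the question or the answer: one way to apply the answer's points in PHP by validating the To: address, refusing CR/LF in values that end up in headers, and sending a body declared as plain text. The function names `clean_header_value` and `build_view_notice` and the sample rows are assumptions made for this illustration.

```php
<?php
// Added example; clean_header_value() and build_view_notice() are hypothetical names.

/** Refuse any value that could end the current header line and start another. */
function clean_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('CR, LF or NUL in header value');
    }
    return trim($value);
}

/** Validate the inputs and return [to, subject, body, headers] for mail(). */
function build_view_notice(string $tracker, string $recipient, string $docUrl, string $viewed): array
{
    // To: must be an address of the form localpart@domain, not a name such as "Bob".
    $to = filter_var(clean_header_value($tracker), FILTER_VALIDATE_EMAIL);
    if ($to === false) {
        throw new InvalidArgumentException('tracker is not a valid e-mail address');
    }
    // Subject: is plain text, so no HTML markup here.
    $subject = clean_header_value($recipient) . ' has viewed the presentation you sent them.';
    // Plain-text body with CRLF line breaks, declared as text/plain.
    $body = "Full document url: $docUrl\r\nTime and Date Viewed: $viewed\r\n";
    $headers = "MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8";
    return [$to, $subject, $body, $headers];
}

// Constructed sample rows: one valid, one with a bare name, one with an embedded CRLF.
$rows = [
    ['tracker@example.com', 'viewer@example.com', 'https://example.com/doc', 'Mon, 20 Feb 2012 10:36:22 CST'],
    ['Bob', 'viewer@example.com', 'https://example.com/doc', 'Mon, 20 Feb 2012 10:36:22 CST'],
    ['tracker@example.com', "viewer@example.com\r\nX-Test: 1", 'https://example.com/doc', 'Mon, 20 Feb 2012 10:36:22 CST'],
];
foreach ($rows as $row) {
    try {
        [$to, $subject, $body, $headers] = build_view_notice(...$row);
        echo "accepted: To=$to Subject=$subject\n";
        // mail($to, $subject, $body, $headers);  // uncomment to actually send
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only the first row is accepted; the bare name fails address validation and the third row is refused because its recipient value contains a line break.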
