How can I have form input sent to 2 different recipients on the same web site? How can I add Cc: or Bcc: to processor.php? V3.0
<?php
$where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
session_start();
if( ($_SESSION['security_code']==$_POST['security_code']) && (!empty($_POST['security_code'])) ) {
mail("me@mysite.com","Form","Data:
Thank you.
From:
http://www.w3schools.com/php/func_mail_mail.asp
Most basic example:
Example 2
Send an email with extra headers:
<?php
$to = "somebody@example.com";
$subject = "My subject";
$txt = "Hello world!";
$headers = "From: webmaster@example.com" . "\r\n" .
"CC: somebodyelse@example.com";
mail($to,$subject,$txt,$headers);
?>
In your code you probably don't see the $header portion. You have
mail("me@mysite.com","Form","Data:
where
$to is manually set to "me@mysite.com"
$subject is manually set to "Form"
$txt is manually set to "Data:.....{all your form data}
")
After the ending " for the data section add a comma and $headers like this
",$headers)
Somewhere before the mail() function create the
$headers="From: webmaster@example.com" . "\r\n" .
"CC: somebodyelse@example.com";
There are many other examples on the web for PHP mail() function header syntax.
Hi TNTEverett,
Thank you for your reply. I appreciate it very much. I did follow your example and the form is working OK.
1. Are there any security concerns about using CC or BCC headers? Can hackers exploit this?
2. How about the "From" header? I think I have read somewhere that the host might consider the message spam if the "From" header is used.
3. Can a message be sent to an email address outside the site, like example@yahoo.com?
4. Can you please take a look at the script and confirm that the code is OK? Thank you.
<?php
$where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
$headers .= 'Cc: boss@example.com' . "\r\n";
mail("webmaster@example.com","Contact Requested","The following form has been submmited:
Name: " . $_POST['field_5'] . "
Company Name: " . $_POST['field_6'] . "
City: " . $_POST['field_7'] . "
State: " . $_POST['field_8'] . "
Zip Code: " . $_POST['field_9'] . "
Phone: " . $_POST['field_10'] . "
Fax: " . $_POST['field_11'] . "
E-mail: " . $_POST['field_12'] . "
Message: " . $_POST['field_14'] . "
",$headers);
include("thank_you.htm");
?>
1.) Hackers will only exploit something if it benefits them. I tell people all the time to ask themselves this question before considering security: "What do I have that people want?" If you have an answer then you need to consider protecting this thing, whatever it might be. Email form hacking can be exploited. I suggest you do one of two things at the moment. Use the Captcha feature, or do nothing and apply security when you detect some type of abuse.
2.) As long as you control the email header fields and you are not allowing the header to be populated by form fields then you have nothing to worry about.
$headers .= ""
is usually reserved for appending to a previously defined
$headers = ""
"=" comes before ".="
2a.) The use of $headers should define the basic From: field as well as any other if you are going to use it.
$headers = 'From: email@url.com' . "\r\n";
$headers .= 'Cc: boss@example.com' . "\r\n";
3.) You can send a message to and from any address you want. The server will always attach a record of the mail server the message comes from. Some header modifications will cause your mail to be rejected based on some spam filters. For instance the email is From: email@yahoo.com but the server that sent it is xyz.com (totally unrelated domains). This appears to be spam by some standards.
4.) See the comments above.
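Added example, not part of the thread or of the form generator's own code: one way to apply the rule from point 2 in a processor script, with From: and Cc: built from constants and form data confined to the message body. The Reply-To handling, the helper names and the sample submission are assumptions made for illustration; field_5, field_12 and field_14 are the field names from the posted script.

```php
<?php
// Added example. Addresses are placeholders; replace with your own.
const FORM_FROM = 'webmaster@example.com';
const FORM_CC   = 'boss@example.com';

/** Read one form field as a string; anything else (e.g. an array) becomes ''. */
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? $v : '';
}

/** Return the address if it may be placed in a header line, otherwise null. */
function header_safe_email(string $value): ?string
{
    // A CR or LF inside a header value would begin a new header line: refuse it.
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    $value = trim($value, " \t");
    return filter_var($value, FILTER_VALIDATE_EMAIL) ?: null;
}

/** Headers come from constants; the only form-derived value is a validated Reply-To. */
function build_headers(array $post): string
{
    $headers  = 'From: ' . FORM_FROM . "\r\n";   // "=" defines the variable first
    $headers .= 'Cc: ' . FORM_CC . "\r\n";       // ".=" appends to it
    $replyTo  = header_safe_email(field($post, 'field_12'));
    if ($replyTo !== null) {
        $headers .= 'Reply-To: ' . $replyTo . "\r\n";
    }
    return $headers;
}

/** Form data goes into the message body only, never into $headers. */
function build_body(array $post): string
{
    return "The following form has been submitted:\n"
         . 'Name: '    . field($post, 'field_5')  . "\n"
         . 'E-mail: '  . field($post, 'field_12') . "\n"
         . 'Message: ' . field($post, 'field_14') . "\n";
}

// Constructed sample submissions so the script runs from the command line.
$ok  = ['field_5' => 'Pat Example', 'field_12' => 'pat@example.org', 'field_14' => 'Please call me.'];
$bad = ['field_5' => 'Pat Example', 'field_12' => 'not-an-address',  'field_14' => 'Please call me.'];
echo build_headers($ok), "\n", build_body($ok), "\n";
echo build_headers($bad);   // Reply-To is omitted; From and Cc are unchanged

// In processor.php the send itself would be:
// mail('webmaster@example.com', 'Contact Requested', build_body($_POST), build_headers($_POST));
```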