Important data:
- OS: Kali-linux-x86-64
- Server: apache lampp
- php version: 7.2.26
- mail script I use: ssmtp and sendmail
- Send to: hotmail (live)
I already have this configured, and recently I managed to get an email sent through a PHP file. However, it took me almost a whole day to figure out why it was not working, and it was my fault for not looking at what content was being sent from the PHP variables to the sendmail script.
What I have is a simple PHP file that receives certain data from a form via AJAX and processes it, then sends the mail through the PHP mail function:
```php
<?php
header("Content-Type: application/json; charset=utf-8");
$resultado = ["resultado" => false];

$name = 'Nombre';
$email = '[email protected]';
$subject = 'Hola mundo!';
$message = 'Hola mundo desde el formulario!';
$terms = true;
//$name = $_POST['name'];
//$email = $_POST['email'];
//$subject = $_POST['subject'];
//$message = $_POST['message'];
//$terms = $_POST['terms'];

if ($name && $email && $subject && $message && $terms) {
    //Treating data...
    $name = trim($name);
    $name = htmlspecialchars($name);
    $name = stripcslashes($name);
    $name = filter_var(FILTER_SANITIZE_STRING);

    $email = trim($email);
    $email = filter_var(FILTER_SANITIZE_EMAIL);
    $email = filter_var(FILTER_VALIDATE_EMAIL);

    $subject = trim($subject);
    $subject = htmlspecialchars($subject);
    $subject = filter_var(FILTER_SANITIZE_STRING);

    $message = trim($message);
    $message = htmlspecialchars($message);
    $message = filter_var(FILTER_SANITIZE_STRING);

    $terms = filter_var(FILTER_VALIDATE_BOOLEAN);

    $mailHeaders = "From: $name<$email>" . "\r\n" . 'X-Mailer: PHP/' . phpversion();

    //Sending the email...
    $resultadoCorreoEnviado = mail($email, $subject, $message, $mailHeaders);
    $resultado["resultado"] = $resultadoCorreoEnviado;

    if (!$resultadoCorreoEnviado) {
        $errorMessage = error_get_last()['message'];
        $resultado["error"] = $errorMessage;
        $resultado["name"] = $name;
        $resultado["email"] = $email;
        $resultado["subject"] = $subject;
        $resultado["message"] = $message;
    }
}

echo json_encode($resultado);
?>
```
As you can see, I commented out the 'dynamic' part where I receive the data from the form, to test why it didn't work for me, and when printing the variables after they were processed I realized the following.
The values it returns are the following:
```json
{
  "resultado": false,
  "error": null,
  "name": "513",
  "email": "274",
  "subject": "513",
  "message": "513"
}
```
I solved this problem of these values being produced and sent when calling mail() in a very simple way: by removing the processing and data sanitization that I am applying to the variables.
This makes me question... is there something I'm doing wrong with the sanitizing and filtering functions that I'm not seeing? Or is it because of the encoding...? What am I doing wrong? I find it very insecure to simply not use these features and throw security out the window.
Why is this and how can I fix it without affecting security too much?
The problem was quite simple: the function `filter_var` needs 2 parameters:

This function does not give errors since the second parameter is optional; if we do not pass it, it takes as default the equivalent of not performing any filter.

I was applying filters and sanitization to the filter itself, and not to a variable. That was the drawback; I had forgotten to include the variable:
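As an added example (not the poster's code): the first call reproduces the "274" seen in the output above, since FILTER_VALIDATE_EMAIL is the integer constant 274, and the hypothetical helper `clean_contact_fields` validates the same form fields with the variable passed first. The sample inputs are constructed.

```php
<?php
// Added example (not the poster's code). Field names follow the form in the question.

// The bug: the only argument is the filter constant itself, so it is treated as
// the value to filter. With no filter given, FILTER_DEFAULT applies (no
// filtering) and the constant's integer value comes back as a string.
var_dump(filter_var(FILTER_VALIDATE_EMAIL));

// Hypothetical helper: returns the cleaned fields, or null if any check fails.
function clean_contact_fields(array $in): ?array
{
    // Accept only string inputs; anything else counts as empty.
    $str = function (string $key) use ($in): string {
        return is_string($in[$key] ?? null) ? trim($in[$key]) : '';
    };
    $name    = $str('name');
    $subject = $str('subject');
    $message = $str('message');

    // Value first, filter second. Returns the address, or false when invalid.
    $email = filter_var($str('email'), FILTER_VALIDATE_EMAIL);
    // true/false for boolean-like input, null for anything else.
    $terms = filter_var($in['terms'] ?? null, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);

    if ($email === false || $terms !== true
        || $name === '' || $subject === '' || $message === '') {
        return null;
    }
    // $name and $subject end up in mail headers, so they must be single-line.
    if (preg_match('/[\r\n]/', $name . $subject)) {
        return null;
    }
    return ['name' => $name, 'email' => $email, 'subject' => $subject, 'message' => $message];
}

// Constructed sample inputs: one valid, one bad address, one multi-line name.
$samples = [
    ['name' => 'Nombre', 'email' => 'user@example.com', 'subject' => 'Hola mundo!',
     'message' => 'Hola mundo desde el formulario!', 'terms' => 'true'],
    ['name' => 'Nombre', 'email' => 'not-an-address', 'subject' => 'Hola',
     'message' => 'Hola', 'terms' => 'true'],
    ['name' => "Nombre\r\nsecond line", 'email' => 'user@example.com', 'subject' => 'Hola',
     'message' => 'Hola', 'terms' => 'on'],
];
foreach ($samples as $sample) {
    var_dump(clean_contact_fields($sample));
}
```

FILTER_SANITIZE_STRING is not used here because it is deprecated as of PHP 8.1.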