php script help (mailer w/attachment)

[whispers]

First time using an attachment script.. usually just normal 'mailer script'..


so found this on the net.. while a bit 'clunky' for me to understand

(use to just defining the message/body in a var..and sending int he mail() function...)

these different MIME sections for text, html and mix content ... is a bit confusing..

but anyways..

cobbled together.. and edited.. it 'does' work.. sends correct text, send correct attachment/image (it opens and looks fine too)..

HOWEVER... when I send itto my buddy to use on his domain (it was for him originally) it doesnt seem to work.. send any mail...nothing.

in Flash when I trace things out.. I just get the failed response..

here is the script.

PHP Code:

<?php

$userName=$_POST["userName"];
$userEmail=$_POST["userEmail"];
$userOrder=$_POST["userOrder"];
$recipientEmail=$_POST["recipientEmail"];
$targetImage=$_POST["targetImage"];
$partList=$_POST["partList"];

//define the subject of the email
$subject = 'Some Subject Here';
//create a boundary string. It must be unique
//so we use the MD5 algorithm to generate a random hash
$random_hash = md5(date('r', time()));
//define the headers we want passed. Note that they are separated with \r\n
$headers = "From: XXX-Mailer\r\nReply-To: xxx@emailDomain.com";

//add boundary string and mime type specification
$headers .= "\r\nContent-Type: multipart/mixed; boundary=\"PHP-mixed-".$random_hash."\"";

//read the atachment file contents into a string,
//encode it with MIME base64,
//and split it into smaller chunks
$attachment = chunk_split(base64_encode(file_get_contents($targetImage)));

//define the body of the message.
ob_start(); //Turn on output buffering
?>

--PHP-mixed-<?php echo $random_hash; ?> 
Content-Type: multipart/alternative; boundary="PHP-alt-<?php echo $random_hash; ?>"

--PHP-alt-<?php echo $random_hash; ?> 
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--PHP-alt-<?php echo $random_hash; ?> 
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit


<p>Someone has sent you an image image to check out!</p>

<b>From: </b><?php echo $userName; ?></p>
<br>
<b>Email: </b><?php echo $userEmail; ?>
<br>


--PHP-alt-<?php echo $random_hash; ?>--

--PHP-mixed-<?php echo $random_hash; ?> 
Content-Type: image/png; name="imageName.png" 
Content-Transfer-Encoding: base64 
Content-Disposition: attachment 

<?php echo $attachment; ?>
--PHP-mixed-<?php echo $random_hash; ?>--

<?php
//copy current buffer contents into $message variable and delete current output buffer
$message = ob_get_clean();
//send the email
$mail_sent = @mail( $recipientEmail, $subject, $message, $headers );
//if the message is sent successfully print "Mail sent". Otherwise print "Mail failed"
echo $mail_sent ? "&mailStatus=sent" : "&mailStatus=failed";
?>

Im not sure where to even BEGIN to troubleshoot this??? Seems to be a domain thing..?? maybe a php.ini setting of some kind?

maybe the script sucks.. and its throwing errors??


update: maybe this has something to do with pointing me to the right direction..

searching MY domain..I noticed an error log/file..

has a warning in it:

PHP Warning: file_get_contents() [<a href='function.file-get-contents'>function.file-get-contents</a>]: Filename cannot be empty in /home/userName/public_html/directoryName/phpMail_edited2.php on line 30

which is this line I believe:
$attachment = chunk_split(base64_encode(file_get_contents($targe tImage)));

but its 'not' empty..

thanks for any help!

-w

[Musicman]

Hi,

if I understand this right, your movie sends the filename of an image that should be mailed as an attachment, and that resides in the same folder (or could potentially reside in the same folder). A slight word of warning: somebody could decide to have the contents of the php script (or some other files on your server) mailed to him, by calling the script from a html form

Could you post (or pm) both addresses (and instructions how to use, if necessary) for a remote test?

Musicman

[whispers]

Hi Musicman-

thanks for the reply..

the 'other' server issue has been rectified.. (Im going to call it a user error..on him!) lol

however.. I would like to learn more about making this script more secure?

such as NOT being able to call.send other data/files as the attachment.. but only image files.. or even just .png's as I believe thats all these are..

[Musicman]

Hi,

to start simple: it seems to make sense to place the images in a folder of their own. Now if flash just sends the image name, and the server side script opens "images/$targetImage" instead of just $targetImage, there is obviously no need for slashes in the file name.

Code:

if(ereg("/", $targetImage))
{   echo "&mailStatus=failed"; exit;
}

The ereg can do quite a lot of things, like

Code:

if(!eregi("^[A-Z0-9]+.(jpg|png)", $targetImage)) ...

It can get a bit harder if you need to support slashes (the images are spread over a folder hierarchy, and the depth is not constant). In thiscase you cannot just ban slashes, but you would need to check for the ../ sequence that could be used to go outside that folder tree

Musicman

[whispers]

HI-

it 'is' the full URL that is being sent/used..

but,..I believe it is the same 'path', more or less, each time..(outside of the specific image name at the end of the hierarchy/path)