I have an Ajax form that sends an e-mail after it has been successfully submitted. That works without any problems in my local environment. As I plan to go live with the page, I need to add some form of sanitization for the data coming from the form, mainly to prevent mail header injections.
For that, I use the following function:
    // see http://www.erich-kachel.de/?p=26 for details
    function QB_SECURE_MAIL_PARAM($param_ = '', $level_ = 2) {
        unset($filtered);
        /* replace until done: loop until a pass removes nothing more.
           Note that on the first pass $filtered is not yet set, so the
           comparison reads an undefined variable before isset() is checked. */
        while ($param_ != $filtered || !isset($filtered)) {
            if (isset($filtered)) {
                $param_ = $filtered;
            }
            // strip header names that could be used to inject extra headers
            $filtered = preg_replace(
                "/(Content-Transfer-Encoding:|MIME-Version:|content-type:|" .
                "Subject:|to:|cc:|bcc:|from:|reply-to:)/ims", "", $param_);
        }
        unset($filtered);
        if ($level_ >= 2) {
            /* replace until done (same pattern as above) */
            while ($param_ != $filtered || !isset($filtered)) {
                if (isset($filtered)) {
                    $param_ = $filtered;
                }
                // strip URL-encoded and backslash-escaped line breaks and
                // control characters ("\\\\r" in PHP is the regex \\r, i.e.
                // a literal backslash followed by r)
                $filtered = preg_replace(
                    "/(%0A|\\\\r|%0D|\\\\n|%00|\\\\0|%09|\\\\t|%01|%02|%03|%04|%05|" .
                    "%06|%07|%08|%09|%0B|%0C|%0E|%0F|%10|%11|%12|%13)/ims", "", $param_);
            }
        }
        return $param_;
    }
As an example, the following snippet is given:
    $headers = "From: " . QB_SECURE_MAIL_PARAM($from);
    mail(QB_SECURE_MAIL_PARAM($recipient),
         QB_SECURE_MAIL_PARAM($subject),
         QB_SECURE_MAIL_PARAM($message, 1),
         $headers);
In my code, that looks like this:
    $email   = QB_SECURE_MAIL_PARAM($email);
    $name    = QB_SECURE_MAIL_PARAM($name);
    $message = QB_SECURE_MAIL_PARAM($message, 1);
    $header  = "MIME-Version: 1.0" . "\r\n";
    $header .= "Content-type: text/html; charset=utf-8" . "\r\n";
    $header .= "Content-Transfer-Encoding: quoted-printable" . "\r\n";
    $header .= "Reply-To:" . $email . "\r\n";
    $header .= "From: myForm <noreply@form.net>" . "\r\n";
    mail("my.mail@mail.com", "You have a message from " . $name . " waiting for you", $message, $header);
The mail gets sent, but in AJAX the error event gets triggered. Why?
I repeat: Without the QB_SECURE_MAIL_PARAM function everything works, so the problem has to be there.
Maybe some problem with the MIME-Version?
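A stricter way to handle the header-bound fields, added here as an example and not taken from the question or the linked post: values that go into a header are rejected outright when they contain CR, LF or NUL rather than having every spelling of them stripped, the address is checked with filter_var, and the caller gets null it can turn into a clean error response. The function names are my own, and the sample inputs at the bottom are constructed.

```php
<?php
// Added example, not the asker's code. Helper names are hypothetical.

// Anything destined for a mail header must not contain CR, LF or NUL:
// those are the characters that allow extra headers to be appended.
function has_header_break(string $value): bool {
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

// Reply-To / From addresses: must be a single valid, header-clean address.
function validate_header_address(string $email): ?string {
    $email = trim($email);
    if (has_header_break($email)) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Display name / subject text: drop all ASCII control characters and the
// address delimiters, then MIME-encode so non-ASCII input cannot break the
// header line either (mb_encode_mimeheader needs the mbstring extension).
function header_text(string $text): string {
    $clean = preg_replace('/[\x00-\x1F\x7F"<>]/', '', $text);
    return mb_encode_mimeheader($clean, 'UTF-8', 'B');
}

// Builds the header block the form mailer uses, or returns null when the
// reply address is unusable so the Ajax handler can report an error instead
// of silently sending a mangled mail.
function build_form_headers(string $replyTo, string $name): ?string {
    $address = validate_header_address($replyTo);
    if ($address === null) {
        return null;
    }
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=utf-8\r\n";
    $headers .= "Content-Transfer-Encoding: quoted-printable\r\n";
    $headers .= "Reply-To: " . $address . "\r\n";
    $headers .= "From: " . header_text($name) . " <noreply@form.net>\r\n";
    return $headers;
}

// Constructed inputs: a normal address, and one carrying a line break that
// would otherwise add a header. The second must be rejected (null).
var_dump(build_form_headers("alice@example.com", "Alice"));
var_dump(build_form_headers("alice@example.com\r\nBcc: x@example.com", "Alice"));
```

Whatever the handler returns to the browser, it should emit only the JSON the Ajax client expects; any PHP notice or warning printed before it will make the client treat the response as malformed.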