Click here to Skip to main content
15,947,389 members
Please Sign up or sign in to vote.
1.44/5 (2 votes)
See more:
while i am trying to send mail this error ocuures.

Warning: mail() [function.mail]: Invalid Address
on line 88

Message sent Error!
// line no. 88 is if(mail($email,$subject,$html,$headers))


//require_once "Mail.php";
$email = '';
$email = $_POST["visitormail"];
if(($_POST["visitor"] == "") || (($_POST["visitormail"] == "")))
    if($_POST["visitormail"] == "")
        echo "Vennligst fyll du navnet <br>";
    if($_POST["visitormail"] == "")
        echo "Fyll venns epost  <br>";
    <a href="mail123.php" style="color:black;">Tilbake</a>
<?php }
$text = 'From pritamsp';
$sitename = '';
$sitename = str_replace("/sendeail.php","",$_SERVER["REQUEST_URI"]);

$purl = $_POST['httpref'];
$subject ='From pritamsp';

$html = '<html><body>'.$_POST["notes"]."<br>"."<a href='".$purl."'>".$purl.'</a></body></html>';

        $headers = "From: ppppppppp <" . $from. ">\r\n";
        $headers .= "Reply-To: ". $from . "\r\n";
        //$headers .= "CC:\r\n";
        $headers .= "MIME-Version: 1.0\r\n";
        $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
         echo("<p>Message successfully sent!</p>");
  } else {
      echo("<p>Message sent Error!</p>");
Updated 4-Dec-21 23:51pm
Sergey Alexandrovich Kryukov 8-Feb-12 3:03am    
Great! I hope you did not deploy it anywhere. Because I'm going to save your... well, your skin from a pretty big disaster you are inviting. :-)

Please see my answer.

1 solution

There are two problems here.

You get your "To" header from $_POST["visitormail"], which is the e-mail address typed by your visitor in the form and processed by your PHP code without any validation.

First, how do you know that was a valid and existing address? If this address is wrong, no wonder you have that error.

There is more important and dangerous thing. You approach (I mean lack of proper validation and filtering) is way too dangerous.

Attention! A big security flaw is explained here!

I will explain schematically what some people do to find an exploit for their malicious activity.

Imagine you have in your input:
[new line]
BCC: [a million of addresses to spam]

This is the way to inject a BCC header line. Trivial, isn't it? You would not even see how your host is turned into a zombie sending spam, or something like that.

You can tell that you provide only one input line using a text box (input element with the type text), so entering the new line characters is not possible.

OK, great, your form knows about it, but HTML "post" method does not know about your form. :-)
Are you getting it?

Of course, this is not possible with the manual operation with the form. But programmatically, I would fake your form in few minutes and implement the hack I explained before. If you use AJAX, I would fake your AJAX as well. I actually did something like that to test my own Web site and some of our company Web sites for security holes. It was easy. Each and every action performed on the client side can be more or less easily faked.

So, you should do simple thing: inspect all the headers for any deviation from the expected pattern. You should also check up the referral of the post and do some other relevant checks. Internally, report the attempts of any suspected malicious activity.

Investigate such cases. I did that and caught such attempts from time to time. This is the ugly fact of our life.

Share this answer
CRDave1988 8-Feb-12 3:22am    
Sergey Alexandrovich Kryukov 8-Feb-12 3:29am    
Thank you.
Espen Harlinn 8-Feb-12 9:16am    
Sergey Alexandrovich Kryukov 8-Feb-12 10:18am    
Thank you, Espen.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900