
PHP Mail Headers

Am I doing the right thing?


DaSingh

9:00 am on Sep 14, 2005 (gmt 0)

10+ Year Member



Can someone check my script to see if I'm doing the right thing?

$client_to = $_POST['email_to'];

$subject = $_POST['email_subj'];

$message = create_msg();

$headers = "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\n";
$headers .= "X-Priority: 3\n";
$headers .= "X-MSMail-Priority: Normal\n";
$headers .= "X-Mailer: php\n";
$headers .= "From: \"EMAIL\" <email@test.co.uk>\n";
$headers .= "Return-Path: email@test.co.uk\n";
$headers .= "Return-Receipt-To: email@test.co.uk\n";

return mail($client_to, $subject, $message, $headers);

I have been testing it; for some reason I can get it to send to my home email account, but it won't send to my work email.

Any help guys?

jetboy

10:01 am on Sep 14, 2005 (gmt 0)

10+ Year Member



Try this lot:

$headers = "From: \"".$from_name."\" <".$from_email.">\n";
$headers .= "To: \"".$to_name."\" <".$to_email.">\n";
$headers .= "Return-Path: <".$from_email.">\n";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/HTML; charset=ISO-8859-1\n";

It's been a while since I've used it, but I believe the formatting of the 'from' and 'to' headers is particularly important. I've also read that the inclusion of some X headers can be a problem, so best to leave them out unless you have a very good reason not to.

If you're sending from a Windows box, \n linefeeds should be replaced with Windows linefeeds.

DaSingh

10:19 am on Sep 14, 2005 (gmt 0)

10+ Year Member



Thanks for the reply!

Is it necessary to have a TO header, as you already declare the TO email address and place it in the mail() function?

As well as that, like I said, it sends the email through to my home email but not my work email. Could this be caused by the content of the actual email and the spam filters being used at work?

Thanks

jetboy

10:49 am on Sep 14, 2005 (gmt 0)

10+ Year Member



You shouldn't *need* to. This is just what worked for me. If you do, use:

mail('', $subject, $message, $headers);

Yes, it's obviously some kind of filter, and if you rule out the headers, then it's got to be the content.

DaSingh

11:13 am on Sep 14, 2005 (gmt 0)

10+ Year Member



Thanks, I've got it to send but there's a big delay.

It takes around 5-10 minutes to receive the email after it's been sent. What do you think could be causing this problem?

Just annoying, as I'm kept waiting to see if the email comes through OK.

jatar_k

3:12 pm on Sep 14, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



That is more than likely an ISP or mail provider issue; not much you can do about it, unfortunately. Either the sending or the receiving mail server is delayed, I would imagine.

King_Kong

3:18 pm on Sep 14, 2005 (gmt 0)

10+ Year Member



You don't need quotes ("") around the email name and address in the header fields. At least I've never used them.

jetboy

4:03 pm on Sep 14, 2005 (gmt 0)

10+ Year Member



I did a lot of testing on various mail clients a couple of years ago, and Freeserve and BT Openworld's (two of the bigger UK ISPs) webmail clients at the time rejected messages as malformed if the quotes weren't included.

matthijs

7:43 am on Sep 15, 2005 (gmt 0)

10+ Year Member



DaSingh, and others who read this thread:
the example given by JetBoy is vulnerable to email injection attacks. Any variables that are put in the headers of the mail - without very, very good filtering - can be misused to hack your form! This is a problem that's spreading fast and is being discussed on a lot of forums, also on this one: [webmasterworld.com].

It's a very serious problem. Your contact/email form can be used to send spam emails to hundreds or thousands. Not only annoying, but your domain risks being banned/shut down.

[edited by: ergophobe at 4:51 pm (utc) on Sep. 25, 2005]
[edit reason] made link active [/edit]
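One way to guard against the header injection matthijs describes: reject any submitted value that contains a line break before it is concatenated into $headers. This is an added PHP example, not code from anyone in the thread; the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example: refuse header values that could start a new header line.
// Names (safe_header_value, build_mail_headers) and the sample inputs below
// are constructed for this illustration, not taken from the thread.

function safe_header_value($value) {
    // A CR or LF in a header value (raw, or percent-encoded by a careless
    // decoder) lets the submitter append extra headers such as Bcc:, which
    // is the injection matthijs warns about. Reject rather than "clean".
    if (preg_match('/[\r\n]|%0[aAdD]/', $value)) {
        return false;
    }
    return trim($value);
}

function build_mail_headers($from_name, $from_email) {
    $name  = safe_header_value($from_name);
    $email = safe_header_value($from_email);
    if ($name === false || $email === false) {
        return false;  // caller should log the attempt and not send
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;  // not a plain address, so it does not belong in From:
    }
    // Drop double quotes from the display name so it cannot close the quoted string
    $name = str_replace('"', '', $name);
    $headers  = "From: \"" . $name . "\" <" . $email . ">\r\n";
    $headers .= "Return-Path: <" . $email . ">\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/plain; charset=ISO-8859-1\r\n";
    return $headers;
}

// Constructed inputs: an honest submission and one carrying an injected header line.
$good = build_mail_headers('Test Sender', 'sender@example.com');
$bad  = build_mail_headers('Test Sender', "sender@example.com\r\nBcc: someone@example.net");

echo ($good !== false) ? "honest input accepted\n" : "honest input rejected\n";
echo ($bad === false)  ? "injected input rejected\n" : "injected input accepted\n";
```

The same check belongs on the subject and on anything else that ends up in a header; the message body is not affected because mail() already separates it from the headers.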

DaSingh

8:36 am on Sep 15, 2005 (gmt 0)

10+ Year Member



I have taken out the 'TO' part of the header as I didn't need this. I have changed my script to run through a DB to out email addresses.

Would this still apply if I use variables for the 'FROM' part of the header?

I've copied in my new script:

$from_email = "test@test.co.uk";
$from_name = "TEST EMAIL";

//headers for the email
$headers = "From: \"".$from_name."\" <".$from_email.">\n";
$headers .= "Return-Path: <".$from_email.">\n";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/HTML; charset=ISO-8859-1\n";
// subject for email
$subject = stripslashes($_POST['email_subj']);

$sql = "select * from test_email_add";
connect_db();
$res = mysql_query($sql);
$no_res = mysql_num_rows($res);
$counter = 0;

while ($counter < $no_res) {
$row = mysql_fetch_array($res);
// recipients pulled out from sql query
$client_to = stripslashes($row['test_email']);
// personalised message
$message = create_msg(stripslashes($row['test_name']));
mail($client_to, $subject, $message, $headers);
$counter++;
}

Would something like this be vulnerable?

jetboy

9:46 am on Sep 15, 2005 (gmt 0)

10+ Year Member



matthijs, who said anything about a form? Not me, and not DaSingh.

My code was originally used for mass-mailing from a database. No forms, and register_globals was off. If you hook up any script - email or otherwise - to the outside world without comprehensively validating input server-side, then you're asking for trouble.

matthijs

1:31 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



Well, I saw

$client_to = $_POST['email_to'];
$subject = $_POST['email_subj'];

in the examples, so that looks like something coming from a form, doesn't it?
Please don't feel attacked by my post; it was just meant as a warning, as there's so much going on at the moment, with people being attacked all over the place.
If one retrieves data from a database, a different kind of filtering/escaping needs to take place; you're correct about that.

jetboy

2:04 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



My apologies; DaSingh's using a form and will need to validate the input if the form's included on a publicly accessible website.

DaSingh

2:43 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



Sorry for the confusion, guys.

Previously I was using a form, but this was just to test to see if I was able to send mail, and even this was on a secure server where the client had to be logged in to be able to access the webmail page.

I've now changed it to have a form, but all this is is a button which sends the mail, which is already embedded in the PHP script.

Apologies.

jetboy

4:19 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



We've gone a bit off topic here. jatar_k answered the email delay question, so all we need to know is whether your work email is picking up the mail you're sending ...

If not, your next step would be to have a word with your mail server admin, who should be able to shed a bit more light on things.

blacklab

10:14 am on Sep 25, 2005 (gmt 0)



Hi,

Another newbie here, but with the exact same problem, which is doing my head in big time.

I can send a confirmation email to an admin address on the server. No probs - comes through every time - although the Return-Path is always 'nobody@...server'. I wonder if this is the problem? But the email NEVER comes through on a test using my pop3 accounts - with one exception (Tiscali.co.uk) who add anti-abuse headers to the mail.

I have searched the forums and tried all the recommendations but with no joy.

This is DEFINITELY NOT (in my case) a $variable value problem as I eliminated that by actually hard-coding one of my pop3 email addresses and the mail still never came through.

Contacted the hosting company (US) and they say it has nothing to do with the server settings, nor Exim4 - it is my script and that 'nobody@server..' will NOT cause this error.

So I am now totally confused!

Can anybody help me please? Getting quite desperate!

Here's a snippet of my code:

$returnpath & $refid are previously declared in www......com format.
$subject = "Registration confirmation from $refid";
$Enquiry = "Hello " . $Name . ",";
$Enquiry.= "\n\nThank you for registering your details with " . $refid;
$Enquiry.= "\n\nYou may now log ...blah blah blah.... ";
$Enquiry.= "\n\nYour username is : " . $email;
$Enquiry.= "\n\nAnd your password has been set to : " . $pw;
$headers = "From: www.mydomain.com\r\n";
$headers .= "X-Sender: www.mydomain.com\r\n";
$headers .= "X-Mailer: PHP\r\n"; // mailer
$headers .= "X-Priority: 1\r\n"; // Urgent message!
$headers .= "Return-Path: $returnpath\r\n"; // Return path for errors

mail ($email, $subject, $Enquiry, $headers);

I have changed the domain name for obvious reasons!

I just do not understand why the emails come through to some accounts and not others.

Thanks for any light that can be thrown on this!

Underdog (Blacklab).

henry0

11:53 am on Sep 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



matthijs,
the WebmasterWorld URL you refer to goes to the members-only forum.
As such I will not copy and paste from it;
however, I wish that "angryBinary" would read this post.
He has a good idea (in the private forum).
Here is only the outline:
<<<
check the referring page to keep someone from posting to a form processor without using the form you intended them to
>>>
That makes sense.

py9jmas

11:55 am on Sep 25, 2005 (gmt 0)

10+ Year Member



The referrer page is specified by the client, and therefore useless for access control.

matthijs

2:57 pm on Sep 25, 2005 (gmt 0)

10+ Year Member



henry, I didn't even know there were member only forums, sorry. However, I checked and I do not think the link I gave is on the "member" forums.

ergophobe

4:54 pm on Sep 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Matthijs linked to good old forum 88 - the PHP forum. There seem to be some strange issues with people being asked to log in to view posts in public and private forums. It's been happening to several of us - mods, members, supporters - some glitch.

Matthijs - FYI, there is a "Supporters Forum" that is for subscribers only.

henry0

5:05 pm on Sep 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<<<
The referrer page is specified by the client, and therefore useless for access control
>>>
Yes and no:
it is checked against an existing predefined one,
therefore if different then something's wrong.

or do I miss the point?

henry0

5:09 pm on Sep 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



ergophobe,
I was led to the "Supporters' forum"
while using Opera, if it matters.
Never occurred before using IE.