Email errors if returns are added to textarea form field

maxwell_

I am having a problem displaying the message part of an email script, only if the user adds returns to the textarea field, I get this error.

Warning: Header may not contain more than a single header, new line detected. in /home/abonline/public_html/tutor_admin/public/computers/computers_publicaccess.php on line 139

If the message is typed with no returns the message gets through.

I tried changing this line

$report = $_GET['report_pubaccess'];

to this

$report = mysql_real_escape_string(stripslashes(trim($_GET['report_pubaccess'])));

which did not help.

This is the script

if(isset($_GET['report_pubaccess']) && $_GET['pub_access']){
$item = $_GET['pub_access'];
$upperCase = strtoupper($item);
$report = $_GET['report_pubaccess']; 
$from = 'max@testing.gov.uk';
$subject = 'Public Access computer problem reported:' . ' ' . $upperCase;


  $dbc = mysqli_connect('localhost', 'tutor', 'password', 'online') or die('Error connecting to MySQL server.');

  $query = "SELECT name, user_email FROM users";
  $result = mysqli_query($dbc, $query)
    or die('Error querying database.');

  while ($row = mysqli_fetch_array($result)){
    $to = $row['user_email'];
    $first_name = $row['name'];
    $msg = "Dear $first_name,\n\n$report";
    mail($to, $subject, $msg, 'From:' . $from);
    } 
}

dagon

the error does not relate to the email, you have a header() function call somewhere with a line break

johanafm

You should also NOT use \n but rather \r\n, which means that your \n\n should be \r\n\r\n.

Furthermore, each email header should be terminated by \r\n, which means that $from should end with \r\n which it presently doesn't. It's possible that PHP deals with adding this to the last header field (you only have one, so this is the last header field), but it doesn't hurt getting into the habit of forming proper header fields anyway. Also, this way you won't introduce any errors by adding additional header fields later on.

But what does /home/abonline/public_html/tutor_admin/public/computers/computers_publicaccess.php on line 139 and a bunch of lines before and after that look like?

maxwell_

The previous code is part of a redirect page which runs when the form is submitted.

This is the code on line 139 which is on the page that contains the actual form.

I have also added ob_start(); to the top of both pages.

$_def_soft_id = 1;
$_def_id = 9876;

 $_soft_id = isset($_GET['report_pubaccess']) ? $_GET['report_pubaccess'] : $_def_soft_id;
$_id = isset($_GET['pub_access']) ? $_GET['pub_access'] : $_def_id;

$_action = 'report_confirm_pub.php?pub_access=' . $_id . '&report_pubaccess=' . $_soft_id;

ini_set('display_errors', 1);
error_reporting(E_ALL);

$_action = ereg_replace( ' +', '%20', $_action );
header('Location:' . $_action);
  }

johanafm

Well, it would seem $action contains a newline ("\n") somewhere in the middle. Do you have a %0A in the original url? Either way, sanitize your input properly you should have no such issues.

ereg_replace is deprecated and should not be used and should always be replaced by preg_replace. However, since you aren't using regular expressions, you should actually use str_replace instead. Well, if it wasn't for the fact that you should url encode your parameter values and then leave it at that.

$_action = 'report_confirm_pub.php?pub_access=' . urlencode($_id) . '&report_pubaccess=' . urlencode($_soft_id);

If there is a \n somewhere in those variables, it will be transformed into %0A.

Then again, assuming both $id and $soft_id are supposed to be integers, if you just make certain that they are, then they will never contain anything that needs to be urlencoded and you could simply

$_id = (int) $_id;
$_soft_id = (int) $_soft_id
$_action = 'report_confirm_pub.php?pub_access=' . $_id . '&report_pubaccess=' . $_soft_id;

After that, you should also prepend http(s)://example.com/ to $_action since the location header takes a full absolute url.

maxwell_

Fantastic, I made the changes and there is no error message!

This is how my code now looks.

$_def_soft_id = 1;
$_def_id = 9876;

$_id = (int) $_id;
$_soft_id = (int) $_soft_id;

$_soft_id = isset($_GET['report_pubaccess']) ? $_GET['report_pubaccess'] : $_def_soft_id;
$_id = isset($_GET['pub_access']) ? $_GET['pub_access'] : $_def_id;


$_action = 'report_confirm_pub.php?pub_access=' . urlencode($_id) . '&report_pubaccess=' . urlencode($_soft_id);

ini_set('display_errors', 1);
error_reporting(E_ALL);


$_action = str_replace( ' +', '%20', $_action );
header('Location:' . $_action);

Thank you for helping me with this.

Best regards Maxwell

maxwell_

My form is now submitting without errors and I am happy with that.

However is there possibly a way to retain line breaks in the content of the textarea form field when it is echoed on to the web page?

I tried adding nl2br

$report = nl2br($row['report']);

I realize the newlines have previously been urlencoded, however is it perhaps possible to put them back in.

This is how my code looks

$dbc = mysqli_connect('localhost', 'online', 'pass', 'tutor')
      or die('Error connecting to MySQL server.');
   $query = "SELECT * FROM reportspub ORDER BY date DESC";
    $result = mysqli_query($dbc, $query)
	or die('Error querying database.');
while( $row = mysqli_fetch_assoc($result)){
	$id = $row['id'];
	$name = $row['name'];
	$report = nl2br($row['report']);
	$date = $row['date'];	
	$resolved = $row['resolved'];
	echo "<table align='center' border='0' width='95%' class='tablebg' cellspacing='0' cellpadding='3'><tr class='formlabels' height='40px' >
<td class='tl' width='35%'>&nbsp;&nbsp;&nbsp;&nbsp;<img src='../../images/Publicsmall.png' width='24' height='24' align='absmiddle' />
&nbsp;&nbsp;&nbsp;$name</td><td align='left' width='45%'><img src='../../images/vcalendarsmall.png' width='34' height='34' align='absmiddle' />
&nbsp;&nbsp;&nbsp;$date</td><td class='tr' width='20%'><strong>Resolved</strong> $resolved</td></tr>
	<tr><td colspan='3' class='paddcell'>$report</td></tr><tr bgcolor='FFFFFF' height='10px'><td colspan='3'></td></tr></table>";
	}

dagon

unsurprisingly the opposite of urlencode() is urldecode()

johanafm

Show the entire code involved in the flow from the form which submit the textarea to where you redisplay it.
urldecode shouldn't be necessary even if you have a textarea with newlines (\n) since
1. on form submit, if the method of the form is GET, the data is urlencoded. Thus \n becomes %0A before the browser sends the request to the server.
2. When you access $GET['your_textarea'], it has allready been automatically urldecoded so that %0A is once again \n.
3. If you want to create a URL for use in a link or header location redirect, you will however need to urlencode the URL's query string attributes and attribute values yourself (and htmlentities the URL for use in a link). That is, for
http://example.com/example.php?a1=v1&a2=v2
you have to urlencode a1, v1, a2 and v2. When that is done, if you are not only using it for a header location redirect, you should also apply htmlentities on the entire URL to turn & into & (or better yet, insert & in the URL to begin with)
4. But once again, when you access the $GET array on the target page, the contents of $_GET have allready been urldecoded automatically.

maxwell_

The method of the submitting form is GET
This is the code on my redirect page

if(isset($_GET['report_pubaccess']) && $_GET['pub_access']){
$item = $_GET['pub_access'];
$upperCase = strtoupper($item);
$report = $_GET['report_pubaccess']; 
$from = 'maxwell.web@lothian.gov.uk';
$subject = 'Public Access computer problem reported:' . ' ' . $upperCase;

   $dbc = mysqli_connect('127.0.0.1', 'root', 'root', 'abe')
   or die('Error connecting to MySQL server.');

  $query = "SELECT name, user_email FROM users";
  $result = mysqli_query($dbc, $query)
    or die('Error querying database.');

  while ($row = mysqli_fetch_array($result)){
    $to = $row['user_email'];
    $first_name = $row['name'];
    $msg = "Dear $first_name,\r\n\r\n$report";
    mail($to, $subject, $msg, 'From:' . $from);
   } 
}

  mysqli_close($dbc);

$url = 'computers_publicaccess.php';
header('Location: ' . $url);

johanafm

Since I have no way of knowing what's what, I'm assuming report_pubaccess is your textarea data.

maxwell@;10992128 wrote:

$url = 'computers_publicaccess.php';
header('Location: ' . $url);

You still aren't providing an absolute URL, which you must do with location header redirect (even though most browsers handle incorrect location headers).

Where is your textarea data supposed to be shown? If it's only in the email body then all you need to do is follow the email RFCs that define how an email must be formatted, see RFC 5322.

Are you aware that the email subject is actually an email header field? Are you aware that \r and \n (also known as CR and LF) are NOT allowed in header field bodies, most likely because each header field MUST end in CRLF and to make parsing simpler one is not allowed to exist without the other and never anywhere except for the purpose of ending a header field (or to allow folding)? Are you aware that not properly encoding your subject header field contents (i.e. $subject in your code) may allow the user to inject their own email headers? See 2.2. Header Fields of RFC5322 for more information.
In other words, since pub_access is data from an external source (meaning you have no control over what it will be - it could be anything) and you put this in the subject, you MUST properly sanitize it. Allowed characters have values in the decimal range 33-126 (printable US-ascii) along with 32 (space) and 9 (horizontal tab). You should strip anything else from the email subject, but it's extra important that you strip \r and \n since you otherwise run the risk of header injection.
Something like this would do

header('content-type: text/plain; charset=us-ascii');

# Set up a string of chars from 0-127, that is outside the acceptable range of
# email header field bodies which allow decimal 9, 32, 33-126.
# Expressed in hex, that is 0x9, 0x20, 0x21 - 0x7E
$s = '';
for ($i = 0; $i < 128; ++$i)
{
	$s .= chr($i);
}
# 128 characters in total
echo 'string lentgh: ' . strlen($s) . "\n";
# The string presently contain several non-printable characters, but viewing this
# in a browser will show either &#65533; or  in their places
echo '"'.$s.'"' . "\n\n";

# Strip all characters from the subject unless explicitly specified
# in the pattern
$p = '#[^\x09\x20-\x7E]#';
$s = preg_replace($p, '', $s);

echo 'string lentgh: ' . strlen($s) . "\n";
# Now the string contains only allowed characters
echo '"'.$s.'"' . "\n\n";
exit;

As for the email body, see section 2.3 of RFC 5322

CR and LF MUST only occur together as CRLF; they MUST NOT appear
independently in the body.

which means that any \n not directly preceeded by \r and any \r not directly succeeded by \n has to be replaced by \r\n (or stripped from the text, but that would remove the authors intended formatting).
Thus, to make certain your email body is ok

# The first pattern matches \r NOT followed by \n
# The second pattern matches \n NOT preceeded by \r
$p = array('#\r(?!\n)#', '#(?<!\r)\n#');
$s = preg_replace($p, "\r\n", $s);

Or is the text area data suppose to be shown anywhere else?

maxwell_

My page has a form with a textarea and a dropdown menu.

report_pubaccess is the name of the textarea
pub_access is the name of the dropdown menu

When the form is submitted the data is added to a database.
The page then directs to a redirect page, in order to stop the page re-submitting on refresh.
Before redirecting back to the original page the form data is sent out via an email.
Now back on the original page the form data is extracted from the database and displayed bellow the form.

I have added in the absolute URL

$action = 'http://www.online.org.uk/tutor/public/computers/report_confirm_pub.php?pub_access=' . urlencode($id) . '&report_pubaccess=' . urlencode($_soft_id);

However sanitizing the subject header (I would need to be shown where to apply it in my code)
Although the data in the subject field is taken from the drop down menu pub_access, the content of which is already predetermined.

Hopefully you can understand what I am trying to do!

This is the code from the main page.
The code from the redirect and email page is in my previous post

$abe = mysql_pconnect($hostname_abe, $username_abe, $password_abe) or trigger_error(mysql_error(),E_USER_ERROR); 
mysql_select_db($database_abe, $abe);
$query_pub_access = "SELECT * FROM pub_access ORDER BY id ASC";
$pub_access = mysql_query($query_pub_access, $abe) or die(mysql_error());
$row_pub_access = mysql_fetch_assoc($pub_access);
$totalRows_pub_access = mysql_num_rows($pub_access);
$resolved_result = 'No';
if (isset($_GET['submit'])) {
$name = $_GET['pub_access'];

$report = str_replace("\r\n", " ", trim($_GET['report_pubaccess'])); 

$resolved = $_GET['resolved'];
$output = false;
if (empty($name) || empty($report)) {
  echo 'Please fill out all of the email information.<br />';
	  $output = true;
}
if (!empty($name) && !empty($report)) {
$dbc = mysqli_connect('127.0.0.1', 'root', 'root', 'abe')
or die('Error connecting to MySQL server.');
date_default_timezone_set('Europe/London');
$date = date('Y'-'m'-'d');	
$query = mysql_query("INSERT INTO reportspub (name, report, date, resolved) 
VALUES ('$name', '$report', null, 0)") or die(mysql_error());
mysqli_query($dbc, $query);
mysqli_close($dbc);
}
$_def_soft_id = 1;
$_def_id = 9876;

$_id = (int) $_id;
$_soft_id = (int) $_soft_id;

$_soft_id = isset($_GET['report_pubaccess']) ? $_GET['report_pubaccess'] : $_def_soft_id;
$_id = isset($_GET['pub_access']) ? $_GET['pub_access'] : $_def_id;


$_action = 'http://www.online.org.uk/tutor/public/computers/report_confirm_pub.php?pub_access=' . urlencode($_id) 
. '&report_pubaccess=' . urlencode($_soft_id);

ini_set('display_errors', 1);
error_reporting(E_ALL);


$_action = str_replace( ' +', '%20', $_action );
header('Location:' . $_action);
  }
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Computer faults - Public Access</title>
 </head>
<body>

<table width="60%" border="0" align="center" cellpadding="0" id="round_corners_table">
  <tr>
    <td width="155" height="80" align="right"></td>
    <td width="166" align="left" bgcolor="#FFFFFF"><a href="../../index.php"><img src="../../images/Res_home.png" border="0" /></a></td>
    <td width="62" align="right" bgcolor="#FFFFFF">&nbsp;</td>
    <td width="160" bgcolor="#FFFFFF"><a href="computers.php"><img src="../../images/list.png" width="54" height="69" border="0" /></a></td>
    <td width="232" bgcolor="#FFFFFF"><a href="<?php echo $logoutAction2 ?>"><img src="../../images/log_out2.png" width="73" height="71" border="0" /></a></td>
    <td width="31" align="left"></td>
  </tr>
   </table>
  <div class="whitediv">
   To report a Public Access Computer<br />
      please choose its name from the drop down menu <br />
      and complete the form.</div>
  <form method="get" action=""><br /><div class="forms">
  <table border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td align="center"><img src="../../images/Public.png" alt="" border="0" /></td>
      <td>&nbsp;</td>
    </tr>
    <tr><td align="center" valign="top"><table border="0" cellspacing="0" cellpadding="0">

  <tr>
    <td align="center" valign="bottom"><label for="pub_access"></label><select name="pub_access" id="pub_access">
      <?php
do {  

?>
      <option value="<?php echo $row_pub_access['name']?>"><?php echo $row_pub_access['name']?></option>
      <?php
} while ($row_pub_access = mysql_fetch_assoc($pub_access));
  $rows = mysql_num_rows($pub_access);
  if($rows > 0) {
      mysql_data_seek($pub_access, 0);
	  $row_pub_access = mysql_fetch_assoc($pub_access);
  }
?>
    </select>&nbsp;</td>
  </tr>
  </table>
  </td>
        <td><label for="report_pubaccess"></label>
          <span id="sprytextarea1">
          <textarea name="report_pubaccess" id="report_pubaccess" cols="50" rows="8" value=""></textarea>
          <span class="textareaRequiredMsg">A value is required.</span></span><br />
        <input name="resolved" type="hidden" value="<?php echo $resolved_result ?>" />
       </td>
      </tr>
      <tr>
        <td></td>
        <td colspan="2" align="left"><input type="submit" name="submit" id="submit" value="Submit" /></td>
        </tr></table></div>
</form><br />
  <?php 
     $dbc = mysqli_connect('127.0.0.1', 'root', 'root', 'abe')
	or die('Error connecting to MySQL server.');
   $query = "SELECT * FROM reportspub ORDER BY date DESC";
    $result = mysqli_query($dbc, $query)
	or die('Error querying database.');
while( $row = mysqli_fetch_assoc($result)){
	$id = $row['id'];
	$name = $row['name'];
	$report = nl2br($row['report']);
	$date = $row['date'];	
	$resolved = $row['resolved'];
	echo "<table align='center' border='0' width='95%' class='tablebg' cellspacing='0' cellpadding='3'>
<tr class='formlabels' height='40px' ><td class='tl' width='35%'>
&nbsp;&nbsp;&nbsp;&nbsp;<img src='../../images/Publicsmall.png' width='24' height='24' align='absmiddle' />
&nbsp;&nbsp;&nbsp;$name</td><td align='left' width='45%'>
<img src='../../images/vcalendarsmall.png' width='34' height='34' align='absmiddle' />

&nbsp;&nbsp;&nbsp;$date</td><td class='tr' width='20%'><strong>Resolved</strong> $resolved</td></tr>
	<tr><td colspan='3' class='paddcell'>$report</td></tr><tr bgcolor='FFFFFF' height='10px'><td colspan='3'></td></tr></table>";
	}