
PHP from field when sending mail()

I'm using PHP's mail() function and noticing that my mail is being shown as being sent by 'My Website' in my inbox, but when I click on the actual email it shows it being sent from mywebsite@sitename.localdomain.

Ideally I'd like to have it say being sent from 'My Website', but the reply email being 'no-reply@mywebsite.com', and not to have it say anything about @sitename.localdomain.

$to = trim(strtolower($_POST['to']));
$from = trim($_POST['from']);
$message = trim($_POST['message']);

$subject = $from . ' has shared a link with you';
$headers = 'From: My Website' . "\r\n" .
        'Reply-To:' . $to . "\r\n" .
        'X-Mailer: PHP/';


mail($to, $subject, $message, $headers);

Is this an issue that I need to fix in Apache, or can I modify the headers within PHP?

Try this:

$to = trim(strtolower($_POST['to']));
$from = trim($_POST['from']);
$message = trim($_POST['message']);

$subject = $from . ' has shared a link with you';
$headers = 'From: My Website <no-reply@mywebsite.com>' . "\r\n" . // <- change your email here
        'Reply-To:' . $to . "\r\n" .
        'X-Mailer: PHP/';


mail($to, $subject, $message, $headers);

The Question and Answer #1 contain a serious security vulnerability -

$to = trim(strtolower($_POST['to']));

Will allow an attacker to use your website to email arbitrary spam and your site will be blocked from most search engines. See https://www.owasp.org/index.php/Top_10_2010-A1

My recommendation is to

  • Sanitize the to and from fields
  • Never ever ever copy the message in the post to the output unless carefully sanitized.
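
One way to apply the recommendation above to the share-a-link form, as an added example that is not code from the question or either answer. The helper names (clean_recipient, clean_display_name, send_share_mail) and the length limits are assumptions; the array form of the headers argument needs PHP 7.2 or later and the arrow function needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example: helper names and limits are assumptions, not from the posts.

// Accept exactly one syntactically valid address, or return null.
function clean_recipient(string $raw): ?string
{
    $addr = trim($raw);
    // Line breaks or list separators would add headers or extra recipients.
    if (preg_match('/[\r\n,;]/', $addr)) {
        return null;
    }
    $valid = filter_var($addr, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : strtolower($valid);
}

// Accept a short display name with no control characters, or return null.
function clean_display_name(string $raw, int $maxLen = 64): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > $maxLen
        || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }
    return $name;
}

function send_share_mail(array $post): bool
{
    // Treat missing or non-string fields (e.g. to[]=...) as empty.
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';

    $to   = clean_recipient($field('to'));
    $from = clean_display_name($field('from'));
    if ($to === null || $from === null) {
        return false; // refuse bad input instead of trying to repair it
    }
    // Plain-text body: drop control bytes except tab/CR/LF, then cap the size.
    $body = trim(preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $field('message')));
    if ($body === '' || strlen($body) > 2000) {
        return false;
    }
    // No request data goes into the header block; only fixed values do.
    $headers = [
        'From'         => 'My Website <no-reply@mywebsite.com>',
        'Reply-To'     => 'no-reply@mywebsite.com',
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return mail($to, $from . ' has shared a link with you', $body, $headers);
}
```

Input validation alone does not stop the form from being used to send unwanted mail to valid addresses; per-session or per-IP rate limiting belongs in front of send_share_mail().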
