9.2. Composing Messages

Here's a short example on how to build a basic message and set the recipients. In this example, I'll send a quick note to my old friend Bolivar Shagnasty, and give him both a text and HTML version of the message.

Note

Note that the Solar_Mail_Message set*() methods are fluent, so you can chain them together when you find it appropriate. (You can review the full set of Solar_Mail_Message methods if you like.)

<?php
// Plain-text body. The heredoc opener is <<<TEXT and the closing
// identifier must start at the beginning of its own line.
$text = <<<TEXT
The quick brown fox jumps over the lazy dog.

Now is the time for all good men to come to the aid of their country.
TEXT;

// HTML body: the same content, marked up.
$html = <<<HTML
<p>The quick brown fox jumps <em>over</em> the lazy dog.</p>

<p><strong>Now</strong> is the time for all good men
to come to the aid of their country.</p>
HTML;

$mail = Solar::factory('Solar_Mail_Message');

// The set*() and add*() methods are fluent (they return $this), so the
// calls can be chained.
$mail->setCharset('utf-8')
     ->setFrom('pmjones@example.com', 'Paul M. Jones')
     ->addTo('boshag@example.com', 'Bolivar Shagnasty')
     ->addCc('nobody@example.net')
     ->setSubject('A Short Test Message')
     ->setText($text)
     ->setHtml($html);
?>

That's pretty easy ... but is it safe?

9.2.1. Headers and Header Injection

Anything that ends up being sent as a mail header, including addresses and the subject line, is sanitized against header-injection attacks by removing carriage-return and newline characters from both the header label and the header value. Let's say you want to add a new custom header:

<?php
$mail = Solar::factory('Solar_Mail_Message');
$mail->setHeader('X-Custom-Header', "Foo\r\n\r\nAn evil message");
?>

Under a less-secure system the "\r\n\r\n" would terminate the header block, and the header would be sent as:

X-Custom-Header: Foo

An evil message

That's no good -- somebody just injected their own message into our email.

With Solar_Mail_Message, when the mail gets sent, that header will go out as:

X-Custom-Header: FooAn evil message

We strip the newlines in header labels and values automatically, so you should be safe against header injections. (If there are other aspects to securing against header injections I would be happy to hear them.)
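The following is an added example, not Solar's own code, that makes the difference described above concrete. It shows a raw header builder that passes CR/LF through unchanged (the "less-secure system"), a builder that strips CR and LF from the label and the value as the text describes, and a stricter variant that rejects such input outright, which is the behaviour you want when the header value is supposed to come from a trusted caller. The function names (renderHeaderRaw, sanitizeHeaderPart, renderHeaderSafe, renderHeaderStrict) are hypothetical and the input string is the one from the text.

```php
<?php
// Added example, not Solar_Mail_Message's implementation.

// Vulnerable: concatenates the label and value as given. A value containing
// "\r\n\r\n" ends the header block and everything after it becomes body.
function renderHeaderRaw($label, $value)
{
    return $label . ': ' . $value . "\r\n";
}

// The sanitization the text describes: remove carriage returns and newlines
// from a header part so it can never terminate the header it belongs to.
function sanitizeHeaderPart($part)
{
    return str_replace(array("\r", "\n"), '', (string) $part);
}

// Safe: both the label and the value are sanitized before rendering, so the
// result is always exactly one header line.
function renderHeaderSafe($label, $value)
{
    $label = sanitizeHeaderPart($label);
    $value = sanitizeHeaderPart($value);
    return $label . ': ' . $value . "\r\n";
}

// Stricter alternative (hypothetical, not what the text says Solar does):
// refuse the header instead of silently repairing it, so a caller learns
// that untrusted data reached a header.
function renderHeaderStrict($label, $value)
{
    if (preg_match('/[\r\n]/', $label . $value)) {
        throw new InvalidArgumentException(
            'CR/LF characters are not allowed in mail headers'
        );
    }
    return $label . ': ' . $value . "\r\n";
}

// Constructed attacker-controlled value, as in the text.
$evil = "Foo\r\n\r\nAn evil message";

// Raw rendering: the value splits into a header line, a blank line and an
// injected body.
echo renderHeaderRaw('X-Custom-Header', $evil);

// Sanitized rendering: one header line, the newlines are gone.
echo renderHeaderSafe('X-Custom-Header', $evil);

// Strict rendering: the header is rejected.
try {
    echo renderHeaderStrict('X-Custom-Header', $evil);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

// A legitimate header goes through all three unchanged.
echo renderHeaderStrict('X-Custom-Header', 'Foo');
?>
```

Run it with the PHP CLI and compare the three outputs to the two header renderings shown in the text: the raw version reproduces the injected message, and the sanitized version reproduces the single "FooAn evil message" line. Stripping (what the text describes) keeps the mail sendable when the value came from a form field; rejecting is preferable when a CR/LF in a header is a sign that something upstream is already compromised and you would rather fail than send.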
