9.2. Composing Messages

Here's a short example on how to build a basic message and set the recipients. In this example, I'll send a quick note to my old friend Bolivar Shagnasty, and give him both a text and HTML version of the message.

[Note] Note

Note that the Solar_Mail_Message set*() methods are fluent, so you can chain them together when you find it appropriate. (You can review the full set of Solar_Mail_Message methods if you like.)

$text = TEXT<<<
The quick brown fox jumps over the lazy dog.

Now is the time for all good men to come to the aid of their country.

$html = HTML<<<
<p>The quick brown fox jumps <em>over</em> the lazy dog.</p>

<p><strong>Now</strong> is the time for all good men
to come to the aid of their country.</p>

$mail = Solar::factory('Solar_Mail_Message');

     ->setFrom('pmjones@example.com', 'Paul M. Jones')
     ->addTo('boshag@example.com', 'Bolivar Shagnasty')
     ->setSubject('A Short Test Message')

That's pretty easy ... but is it safe?

9.2.1. Headers and Header Injection

Anything that ends up getting sent as a mail header, including addresses and the subject line, is sanitized against header-injection attacks by removing newlines from the header label and value. Let's say you want to add a new custom header:

$mail = Solar::factory('Solar_Mail_Message');
$mail->setHeader('X-Custom-Header', "Foo\r\n\r\nAn evil message");

Under a less-secure system this would cause the header to be sent as:

X-Custom-Header: Foo

An evil message.

That's no good -- somebody just injected their own message into our email.

With Solar_Mail_Message, when the mail gets sent, that header will go out as:

X-Custom-Header: FooAn evil message

We strip the newlines in header labels and values automatically, so you should be safe against header injections. (If there are other aspects to securing against header injections I would be happy to hear them.)