View Full Version : Why should one include \n at the end of the "From" field?

09-08-2005, 06:27 AM
Working on an email reply form using PHP...

You should always include a new line character at the end of the "From:" field. Above is a quote from CYPHIX, a very helpful member from this forum. Full thread here. (http://http://www.codingforums.com/showthread.php?p=353234)

When doing this, the first line in the incoming email is empty. It's just an esthetical thing but that started me wondering -- WHY this advice?

I read on a PHP official page that acually both \n and \r should be used. See here (http://us2.php.net/function.mail). Or do I understand it wrong? Here's what the PHP offical page says:

additional_headers (optional) [...] Multiple extra headers should be separated with a CRLF (\r\n). I'm a beginner and just puzzled -- how to understand that :eek:

Question 1: Is the advice to use the new line character after the from field designed to prevent unauthorized email injection ?

Question 2: Is it thus "safer" to use both \n and \r ?

Thanks, Martin.

09-08-2005, 06:56 AM
Using \r\n to separate your additional headers (From, CC, BCC, etc.) is a standard. However, according to php.net, some unix systems automatically return \r\n when a linefeed is found. With this in mind, if your mail is not sent, alter your headers \r\n into \n instead of \r\n, which is NOT standard. Php.net also suggests that this should be a last resort option.
If my memory serves me correctly, separation of your additional headers is only required should you have more than one header to send. So, if you have only one additional header to send, I believe you do not need to end it using CRLF.
As for your second question, use \r\n as often as you can. These are due to the way different OS' handle the linefeeds, \n for windows, \r\n for *nix, and \r for mac (if my memory serves me correct again).
A mail wizard can probably give you a more indepth breakdown of whats actually happening, so perhaps its best to await for other postings too.

09-08-2005, 09:52 AM
mypointofview, it is not mandatory to append a single newline character after the From: header. What happens in your case is that PHP automatically separates the headers from the message part with a newline, and that's why an additional newline is displayed at the top mail when viewed in your mail client.

This additional newline has nothing to do with preventing email injection attacks.

Regarding question 2, I can only support what Fou-Lu wrote. What happens with the separators is up to the MTA. This can be different from server to server, but in general you are quite safe with using CRLF (\r\n).

The format of email headers is actually dead simple, the SMTP protocol also. I suggest you try to send an email from the command line via telnet. It's very educating to type each SMTP command and email header, you will understand the underlying mechanics of email transfer better this way. I haven't got any good introductory text at my hands now, this looks quite ok after a quick googling:

Don't hesitate to ask further questions... :)

09-10-2005, 09:08 AM
Danke mordred! Great link about how email works - very informative :cool: