Sending email with PHP

In this tutorial we will learn about the mail() function in PHP. We will then implement what we've learned into a real life situation.

I will first show you how to process data sent from an HTML form that allows your website visitors to send you email. We will then look at how to filter the data effectively to prevent errors from occuring and to patch security holes

Lets look at the mail() function

Next we need an html form to post the info to the script

We can now upload our program to the server and test it. Be sure to only use alphanumeric characters in your test message for the moment as we have not yet added any data filtering and a wrong character may cause an error

Your doc should look something like that below.

So how do we make this more secure and stable?

When dealing with post data from user input it is imperative that we filter the data to make sure it is not tainted in anyway. By this I mean that we must verify that the data we are receiving is the kind of data our programme is expecting and then act accordingly.

Before we get started filtering I am going to introduce a method for identifying the input data within our programme that has been filtered and that which has not by means of a naming convention. Thanks go to Chris Shiflett for this technique.

At the beginning of your program create an array and name it 'cleaned' or something else memorable.

Now once we have filtered our post or get variables we can place them into this array and then use the array item elsewhere in our programme secure in the knowledge that it has been filtered

Now let\'s look at some filtering techniques.

First we verify that the posted email address is the correct format using preg_match() to check the pattern

To filter the message title we could use a handy function called ctype_alnum() which will return true if all the characters in the parsed string are alphanumeric.

Using ctype_alnum we can be sure that no malicious code can be sent to our server through the 'title' post variable as the characters needed to post code are blocked.

In some circumstances we will want to prevent code from being posted but will still want our user to be able to use characters such as quotes, exclamation marks etc. We have a few options here

Now let's put it all together!

// contact.php

<?php
if (isset($_POST['Submit']))
{
$clean = array();
$clean['msg'] = htmlspecialchars($_POST['msg']);

$site_email = "me@mysite.info";

$emailname = "/^[-!#$%&\'*+\\.\/0-9=?A-Z^_`{|}~]+";
$host = "([-0-9A-Z]+\.)+";
$tlds = "([0-0A-Z]){2,4}$/i";
if (!preg_match($emailname."@".$host.$tlds,$_POST['email']))
{
$errmsg =  "ERROR: ".$_POST['email']." is not a valid e-mail address, your message has not been sent<br>";
}
else 
{
$clean['email'] = $_POST['email'];
$headers = "Content-type: text/html;";
$headers = "From: ".$clean['email']."\r\n";
if (!ctype_alnum($_POST['title']))
{
$errmsg =  "ERROR: Please only use letters and numbers in your message title<br>";
}
else 
{
$clean['title'] = $_POST['title'];
if (mail($site_email,$clean['title'],$clean['msg'],$headers);)
{
$errmsg =  "Thanks, we'll be in touch soon";
$success = 1;
}
else {$errmsg =  "Sorry an error occured, your msg was not sent";}
}
}
}
?>
<html>
<head>
<title>PHP email</title>
</head>
<body>
<?php
if (isset($errmsg ))
{
echo $errmsg ;
}
?>
<br>
<form action="contact.php" method="post">
email: <input name="email" type="text" value="<?php if(isset($clean['email']) and !$success){echo $clean['email'];}  ?>"><br>
title: <input name="title" type="text" value="<?php if(isset($clean['title']) and !$success){echo $clean['title'];}  ?>"><br>
message: <textarea name="msg" cols="50" rows="10" ><?php if(isset($clean['msg']) and !$success){echo $clean['msg'];}  ?></textarea><br>
<input type="submit" name="Submit" value="Send your message">
</form>

</body>
</html>

Follow up tutorial coming soon

Comments:

Featured Script

Javascript image replacement of text links
This script allows you to replace the text links in your page with images. Full working example and ... (read more)

Tutorials @ WebDesignPro