Form to Email

Contact forms on web sites are becoming increasingly popular. Rather than use perl/cgi and running formmail, the easiest and more secure method is to use a small php script which integrates into your 'thanks' page.

The web form

First of all, you need to construct your web form. This should start with the following...

<form method="POST" action="thanks.php">

The 'method' parameter indicates that all variables (data) collected are to be hidden and not placed in the URL. The most important part is the 'action' parameter as this indicates where the processing of the form should be done. The form may also be given a name but as this is optional, we've left it out in this case to keep everything simple.

Our example form will collect a name and an email address. The following lines will do this.

Name: <input type="TEXT" name="name">
Email: <input type="TEXT" name="email">

Then we need a submit button and a tag to indicate the end of the form.

<input type="SUBMIT" name="Submit" value="ok">


The thanks page

Once someone has clicked on the ok button to submit the details on our form, we should let them know that their form has been submitted. For this we need a thanks page. This should be a normal html page which you will have constructed. You should then rename your thanks page to 'thanks.php'. The php extension enables the web server to run the php code on that page before it is sent to the browser.

Under the <BODY> tag on your thanks page, please enter the following code...

  $email = $_POST['email'];
  $mailto = "email@address";
  $mailsubj = "Form submission";
  $mailhead = "From: $email\n";
  reset ($_POST);
  $mailbody = "Values submitted from web site form:\n";
  while (list ($key, $val) = each ($_POST)) { $mailbody .= "$key : $val\n"; }
  if (!preg_match("/\n/",$_POST['email'])) { mail($mailto, $mailsubj, $mailbody, $mailhead); }

Make sure that you replace 'email@address' in the code with your own email address.

This code picks out ALL the data POSTed from the form and sends it to the email address specified. It's possible to make the code a little more elaborate in order to detect if an email address hasn't been entered. It's also possible to add javascript to the form itself to detect this.

Disclaimer: The above script is provided as is and without any warranty or fitness for a particular purpose. Vision Internet Limited explicitly disclaim responsibility for this script including any damages that might result from the use or misuse of the script.

Security considerations

Many form to email scripts are insecure because they pass the destination email address from the form itself. This makes it very easy for a determined spammer to forge a request to your thanks page with any destination email address they want. Some scripts try to check that the request has come from the same site but unfortunately that too is easy to forge. You should NEVER pass any destination email address to the script as a variable. As a by-product of placing your email address within the script (as above), your email address will not be harvested by spammers which should help reduce the amount of junk email received.

It's also a good idea not to output any of the variables you have collected to the screen unless you can filter out any extra html code. Otherwise, it may well be possible that someone could enter some malicious code into the form that would run when the thanks page is loaded.

Recent update: If you're collecting an email address on your form (as we are above), it's important that this is checked within the php script for extra line feeds. One of the latest techniques used by spammers is to inject their own headers into the email. To do this, they enter a random email address followed by a line feed. This is then followed by a blind carbon copy (Bcc) containing many email addresses. Using this technique, it's also possible for the spammer to insert their own email message and send it to many other addresses via your script. In the above script, we're using the 'eregi' function to check the email address just before sending the email. Ideally, all data which may be used within the email headers should be checked.