Hi, everybody,

I'm new to PHP and I'm setting up a web page in which I want to include a subscribing box for the visitor to send me his email.

I've found this code on the internet and adapted to my neccessity but I want to know if it's okay or not. I wonder if somewhere in the code should appear the destination to which the email has to be send.

Also, do I need an extra file with php extension and linked to the html file in which the code is, like we do with css files? Here's my code Thanks :rolleyes:

<Div class="subscribebox">
<title>Email Form </title>
<form method="post" action="sendeail.php">

$ipi = getenv("REMOTE_ADDR");
$httprefi = getenv ("HTTP_REFERER");
$httpagenti = getenv ("HTTP_USER_AGENT");
<input type="hidden" name="ip" value="<?php echo $ipi ?>" />
<input type="hidden" name="httpref" value="<?php echo $httprefi ?>" />
<input type="hidden" name="httpagent" value="<?php echo $httpagenti ?>" />

Your Name: <br />
<input type="text" name="visitor" size="25" background color="#FFFF00" />
<br />
Your Email:<br />
<input type="text" name="visitormail" size="25" background color="FFFF00"/>
<br />
<strong>Subscribe to the Newsletter</strong <br />
<br />
<input type="submit" value="Send Mail" />
<br />

First off, you need to add a enctype to your form tag and add a name to your submit button (to be used for submission) like this

<form method="post" action="sendeial.php" enctype="multipart/form-data">
<!-- all your form code -->
<button type="submit" name="submitBtn" value="Send Mail">SendMail</button>

And as long as this is the same file as you are posting to {sendeial.php} you can place something along these lines at the top of the page:

if (isset($_POST['submitBtn']) && $_POST['submitBtn'] == 'Send Mail') {
  $clean = array();
  foreach( $_POST as $key => $val) {
    $clean[$key] = htmlentities($val, ENT_QUOTES);
$to = 'you@yourdomain.com';
$headers = ""; // you can add Bcc and Cc addresses here
$subject = "You have a new subscriber to your site!\n\n";
$body = "Name: " . trim($clean['visitor']) . "\n";
$body .= "Email: " . trim($clean['visitormail']) . "\n";
$body .= "IP: " . $clean['ip'] . "\n" ;
$body .= "Referrer: " . $clean['httpref'] . "\n";
$body = "User Agent: " . $clean['httpagent'];

if ( !mail($ot, $subject, $body, $headers)) {
  echo "There was a problem sending the email, i might want to write this to a flat file just in case"

You should always clean your input, this is why I do a foreach on the post data and run it through htmlentities(). This is a bare minimum, you might also want to add some error detection in case the email is mal formatted or there were some empty fields.
I also wrapped the mail function call in a if statement so you can handle a failure gracefully. You will need to make sure you can send emails on youre server.

I didnt try to run this code, so there might be some syntax errors in there, I got fat fingers sometimes. You will need to play with it for your specific deployment.

This should be enough to get you going. Good luck


Hi mohaydee,

Unlike CSS which which is interpreted by the browser as formatting and styles for the HTML, PHP is interpreted by the server into HTML that is sent to the browser.

The "action" of your form:

<form method="post" action="sendeail.php">

defines the page that the form data will be sent to. A better comparison to a HTML form is a HTML Link.


<a href="sendeail.php">Send Mail</a>

This is the same as:

<form action="sendeail.php" method="get">
<input type="submit" value="Send Mail" />

A form however, allows use interaction where a link does not.

As for the PHP code you need in "sendeail.php", sn4rf3r gave a really good example.

The only other security issue I'd worry about is cleaning your mail headers before placing them in the php mail() function.

see: http://www.securephpwiki.com/index.php/Email_Injection

I agree with all the above comments except for the for enctype.
multipart/form-data is only need when you are using the input tag of the tpye file.

I think that you need to use

but then this is the value set be default, so you don't need to set it. Is that corect? (Sorry been awake for about 38 hours, getting read for a new software release on monday!!)

I also think that it would be better to get the ipaddr, httpagent, httpref in the actual sendmail script otherwise any user who wants to send you fake information can just edit the source code of the form and send you what they like.