PHP mail() overview

Websites built on PHP can use the PHP mail() function to send email directly from the website. You can read more about this function on PHP’s website:

PHP is available by default on all hosting plans, so there is nothing you need to enable to use the PHP mail function.

Never use form input (such as names or email addresses) in the "Additional headers" parameter of the PHP mail() function. Doing so can lead to mail header injection exploits which allow spammers to hijack your email forms. Please visit the following page for additional information on how these attacks work and how to prevent them:

Simple example of PHP mail()

Add the following code to a PHP file named something like "phpmail.php":

<?php
// send an email with the PHP mail() function
mail('user@example.com', 'Subject Line Here', 'Body of Message Here');
?>

When you then visit this page in a browser, it will appear as a blank white page. But by visiting it, you invoke the PHP mail function, which sends an email to the address set in the script.

Basic example with variables

This example builds the message in a $message variable and passes it directly into the mail() parameters:

<?php

// compose message
$message = "Lorem ipsum dolor sit amet, consectetuer adipiscing elit.";
$message .= " Nam iaculis pede ac quam. Etiam placerat suscipit nulla.";
$message .= " Maecenas id mauris eget tortor facilisis egestas.";
$message .= " Praesent ac augue sed enim aliquam auctor. Ut dignissim ultricies est.";
$message .= " Pellentesque convallis tempor tortor. Nullam nec purus.";

// make sure each line doesn't exceed 70 characters
$message = wordwrap($message, 70);

// send email
mail('somebody@example.com', 'Nonsensical Latin', $message);
?>

Advanced example

This example uses variables such as $to, $subject, and $headers which are then added to the mail() parameters:

<?php
$to = "somebody@example.com";
$subject = "Nonsensical Latin";

// compose headers
$headers = "From: webmaster@example.com\r\n";
$headers .= "Reply-To: webmaster@example.com\r\n";
$headers .= "X-Mailer: PHP/".phpversion();

// compose message
$message = "Lorem ipsum dolor sit amet, consectetuer adipiscing elit.";
$message .= " Nam iaculis pede ac quam. Etiam placerat suscipit nulla.";
$message .= " Maecenas id mauris eget tortor facilisis egestas.";
$message .= " Praesent ac augue sed enim aliquam auctor. Ut dignissim ultricies est.";
$message .= " Pellentesque convallis tempor tortor. Nullam nec purus.";
$message = wordwrap($message, 70);

// send email
mail($to, $subject, $message, $headers);
?>

Sending HTML mail

This example allows you to add HTML code to your email. Put the following contents into a file with a .php extension:

<?php

// multiple recipients (note the commas)
$to = "somebody@example.com, ";
$to .= "nobody@example.com, ";
$to .= "somebody_else@example.com";

// subject
$subject = "Nonsensical Latin";

// compose message
$message = "
<html>
  <head>
    <title>Nonsensical Latin</title>
  </head>
  <body>
    <h1>Nonsensical Latin</h1>
    <p>Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
       Nam iaculis pede ac quam. Etiam placerat suscipit nulla.
       Maecenas id mauris eget tortor facilisis egestas.
       Praesent ac augue sed <a href=\"http://lipsum.com/\">enim</a> aliquam auctor.
       Pellentesque convallis tempor tortor. Nullam nec purus.</p>
  </body>
</html>
";

// To send HTML mail, the Content-type header must be set
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";

// send email
mail($to, $subject, $message, $headers);
?>

Mail header injection

The following code can be placed at the top of your PHP script to deter the most common header injections. Please note this code disallows direct page access, so only add it to a "process" page reachable by a Submit action. It rejects any CC or BCC headers being injected into the form fields and strips any new line or carriage return characters from the email address.

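<?php
// only allow access through the form's Submit action
if (!isset($_POST['submit'])) {
   echo "<h1>Error</h1>\n
      <p>Accessing this page directly is not allowed.</p>";
   exit;
}

// read the submitted fields (the field names must match your form)
$name     = $_POST['name'] ?? '';
$email    = $_POST['email'] ?? '';
$url      = $_POST['url'] ?? '';
$comments = $_POST['comments'] ?? '';

// strip carriage returns and new lines from the email address
$email = preg_replace("/[\r\n]/", "", $email);

// reject any field that contains header keywords
$find = "/(content-type|bcc:|cc:)/i";
if (preg_match($find, $name) || preg_match($find, $email) || preg_match($find, $url) || preg_match($find, $comments)) {
   echo "<h1>Error</h1>\n
      <p>No meta/header injections, please.</p>";
   exit;
}
?>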
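
The following added example (not part of the original article) applies the rule stated earlier: the headers passed to mail() are fixed strings, and visitor input is checked and then placed only in the message body. The field names name, email and comments, the two helper functions and the sample submissions are assumptions made up for illustration.

```php
<?php
// Added example, not the article's code. Field names and helpers are assumed.
// Returns null when the fields are safe to mail, otherwise the reason.
function check_contact_fields(array $fields): ?string
{
    foreach (['name', 'email', 'comments'] as $key) {
        if (!isset($fields[$key]) || !is_string($fields[$key])) {
            return "$key: missing or not a string";
        }
    }
    // A CR or LF in a single-line field is how an extra header gets added.
    foreach (['name', 'email'] as $key) {
        if (preg_match('/[\r\n]/', $fields[$key])) {
            return "$key: line break in single-line field";
        }
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'email: not a valid address';
    }
    return null;
}

// Builds the four mail() arguments; no form input reaches the headers.
function build_mail(array $fields): array
{
    $headers = "From: webmaster@example.com\r\n"
             . "Reply-To: webmaster@example.com";
    $body = "Name: {$fields['name']}\r\nEmail: {$fields['email']}\r\n\r\n"
          . wordwrap($fields['comments'], 70, "\r\n");
    return ['webmaster@example.com', 'Contact form message', $body, $headers];
}

// Constructed sample submissions (in a real script this would be $_POST).
$samples = [
    'normal'   => ['name' => 'Ann', 'email' => 'ann@example.com',
                   'comments' => 'Please call me back.'],
    'injected' => ['name' => 'Ann', 'comments' => 'Hi',
                   'email' => "ann@example.com\r\nBcc: list@example.net"],
];
foreach ($samples as $label => $fields) {
    $reason = check_contact_fields($fields);
    if ($reason !== null) {
        echo "$label: rejected ($reason)\n";
        continue;
    }
    [$to, $subject, $body, $headers] = build_mail($fields);
    echo "$label: accepted, " . strlen($headers) . " bytes of fixed headers\n";
    // mail($to, $subject, $body, $headers);  // enable on a real server
}
```

Because the visitor's name and address appear only in the body, a line break in the comments field cannot create a header; the single-line fields are still rejected when they contain one.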

Advanced PHP mail script

View the following articles for full examples on how to send SMTP mail via a PHP script.
