I’m using PHP’s Mail function to send emails to individuals. I wanted an easy way to customize the greeting name in the email, so I created a form where there is a comma-separated list of emails and a comma-separated list of names, and they get posted and mailed via PHP.
However, every time I send it, the name spits out the entire array of names, and not the ONE value I specify. I’ve been working on this for an hour now and cannot for the life of me see where the problem is. It’s such simple code! Here is the code; let me know if you see any glaring errors.
```php
$to_emails = $_POST['to_emails'];
$to_names = $_POST['to_names'];
$from_email = $_POST['from_email'];
$message = $_POST['message'];
$subject = $_POST['subject'];
$explode_emails = str_replace(" ", "", explode(",",$to_emails));
$explode_names = explode(",",$to_names);
$email_array = array();
$i=0;
foreach($explode_names as $e) {
    $name = $e;
    $to = $explode_emails[$i];
    $subject = $subject;
    $message = $name.",\r\n".$message;
    $headers = 'From: '.$from_email . "\r\n" .
        'Reply-To: '.$from_email . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    mail($to, $subject, $message, $headers);
    echo "<font color='#FF0000'>".$i." Emailed: ".$name." : ".$to."</font><br />";
    $i++;
}
```
```html
<form method="post">
    To Emails (comma separated)
    <input type="text" name="to_emails" value="">
    <br /><br />
    To Names (comma separated)
    <input type="text" name="to_names" value="">
    <br /><br />
    From
    <input type="text" name="from_email" value="trgentes@gmail.com">
    <br /><br />
    Subject
    <input type="text" name="subject" value="">
    <br /><br />
    Message
    <textarea name="message" rows="5" id="message"></textarea>
    <br /><br />
    <input type="submit" />
</form>
```
Here’s what I came up with. I’m not sure if this exactly answers what you want, but it would send email to all the people specified:
Here’s a quick rundown of the changes I made:
- `str_replace()` wasn’t really needed. `trim()` is a more efficient function to trim leading or trailing whitespace.
- I merged the email addresses and their corresponding names into an associative array called `$recipients`. This is easier to keep track of than referencing them by a numeric key, and actually associates the data to each other. This also makes looping over them easier to read.
- I simplified how headers are created. It’s easier to add the carriage return `\r\n` at the start of the string, making it easier to read, and less likely to forget one, or leave an extra return on the end.

While the above code will work, I’ll also take this opportunity to also warn you of a vulnerability present in your current code: Email Header Injection.
If an attacker submits content to your form containing the “\r\n” character, they can inject their own headers. Meaning, they could end up sending this email to more people than you want it to go to, or they may inject their own custom body message.
This example should be a good example for you on how to prevent this kind of attack, as its code example highly resembles yours.
You should NEVER trust input sent via $_POST. You should validate the submitted data is in the correct format you expect and does not contain any malicious characters.
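
One way to apply the validation advice above to the form from the question, as an added example that is not code from the original thread. The helper names `header_safe`, `clean_email` and `build_recipients` and the sample `$post` array are assumptions made for illustration.

```php
<?php
// Added example; helper names are hypothetical and the sample input is constructed.

// Reject CR/LF in any value that ends up in a mail header (To, Subject, From).
function header_safe(string $value, string $field): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("$field contains a line break");
    }
    return trim($value);
}

// An address must be free of line breaks and syntactically valid.
function clean_email(string $raw, string $field): string
{
    $email = header_safe($raw, $field);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("$field is not a valid email address");
    }
    return $email;
}

// Pair each address with its name; refuse lists of different lengths.
function build_recipients(string $emails, string $names): array
{
    $emails = explode(',', $emails);
    $names  = explode(',', $names);
    if (count($emails) !== count($names)) {
        throw new InvalidArgumentException('email and name counts differ');
    }
    $recipients = [];
    foreach ($emails as $i => $raw) {
        $recipients[clean_email($raw, 'to_emails')] = header_safe($names[$i], 'to_names');
    }
    return $recipients;
}

$post = [ // constructed sample standing in for $_POST
    'to_emails' => 'alice@example.com, bob@example.com', 'to_names' => 'Alice, Bob',
    'from_email' => 'sender@example.com', 'subject' => 'Hello', 'message' => 'See you on Friday.',
];
$from    = clean_email($post['from_email'], 'from_email');
$subject = header_safe($post['subject'], 'subject');
$headers = "From: $from\r\nReply-To: $from";
foreach (build_recipients($post['to_emails'], $post['to_names']) as $to => $name) {
    $body = $name . ",\r\n" . $post['message']; // fresh body per recipient, original message untouched
    echo "Would email $name <$to>\n";           // swap for mail($to, $subject, $body, $headers)
}
```

Any field that fails a check throws before a single message is sent, so a value carrying a line break never reaches the headers.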