PHP form to email explained

email form in php email form with php php form to email

It is a common requirement to have a form on almost any web site.

In this article, we will create a PHP script that will send an email when a webform is submitted.

There are two parts to the webform:

  1. The HTML form code for the form. The HTML code below displays a standard form in the web browser. If you are new to HTML coding, please see: HTML form tutorial
  2. The PHP script for handling the form submission. The script receives the form submission and sends an email.

HTML code for the email form:

<form method="post" name="myemailform" action="form-to-email.php">

Enter Name:	<input type="text" name="name">

Enter Email Address:	<input type="text" name="email">

Enter Message:	<textarea name="message"></textarea>

<input type="submit" value="Send Form">

The form contains the following fields: name, email, and message.

name and email are single-line text input fields whereas ‘message’ is a text area field (multi-line text input).

You can have different types of input fields in a form. Please see the HTML form input examples page for details.

On hitting the submit button, the form will be submitted to “form-to-email.php”. This form is submitted through the POST method

Accessing the form submission data in the PHP script

Once your website visitor has submitted the form, the browser sends the form submission data to the script mentioned in the ‘action’ attribute of the form. (for the current form, the script is form-to-email.php)

Since we have the form submission method mentioned as POST in the form (method=‘post’) we can access the form submission data through the $_POST[] array in the PHP script.

The following code gets the values submitted for the fields: name, email, and message.

  $name = $_POST['name'];
  $visitor_email = $_POST['email'];
  $message = $_POST['message'];

Composing the email message

Now, we can use the above PHP variables to compose an email message. Here is the code:

	$email_from = '';

	$email_subject = "New Form submission";

	$email_body = "You have received a new message from the user $name.\n".
                            "Here is the message:\n $message".

The ‘From’ address, the subject and the body of the email message are composed in the code above. Note the way the body of the message is composed using the variables.

If a visitor ‘Anthony’ submits the form, the email message will look like this: "You have received a new message from the user Anthony. Here is the message: Hi, Thanks for your great site. I love your site. Thanks and Bye. Anthony."

Sending the email

The PHP function to send email is mail().


For more details, see the PHP mail() page.

The headers parameter is to provide additional mail parameters ( like the from address, CC, BCC etc)

Here is the code to send the email:


  $to = "";

  $headers = "From: $email_from \r\n";

  $headers .= "Reply-To: $visitor_email \r\n";



Notice that we put your email address in the ‘From’ parameter and the visitor’s email address in the ‘Reply-To’ parameter. The ‘From’ parameter should indicate the origin of the email. If you put the visitor’s email address in the ‘From’ parameter, some email servers might reject the email thinking that you are impersonating someone.

Sending the email to more than one recipients

If you want to send the email to more than one recipients, then you just need to add these in the “$to” variable.

  $to = ",,";


You can use the CC (carbon copy) and BCC (Blind Carbon Copy) parameters as well. The CC and BCC emails are added in the ‘headers’ parameter.

Sample code:

$to = ",,";

$headers = "From: $email_from \r\n";

$headers .= "Reply-To: $visitor_email \r\n";

$headers .= "Cc: \r\n";

$headers .= "Bcc: \r\n";


Securing the form against email injection

Spammers are looking for exploitable email forms to send spam emails. They use the form handler script as a ‘relay’. What they do is to submit the form with manipulated form values. To secure our form from such attacks, we need to validate the submitted form data.

All the values that go in the ‘headers’ parameter should be checked to see whether it contains \r or \n. The hackers insert these characters and add their own code to fool the function.

Here is the updated code:

function IsInjected($str)
    $injections = array('(\n+)',
    $inject = join('|', $injections);
    $inject = "/$inject/i";
      return true;
      return false;

    echo "Bad email value!";

In general, any value used in the header should be validated using the code above.

Better, complete validations could be done using the PHP form validation script here.

PHP form to email complete code

The link below contains the complete form, validation and emailing code.

Download the PHP form to email code