WordPress Code Snippets

A fresh mix of code snippets and tutorials

PHP securing email scripts


This tutorial describes several important strategies for securing contact forms and scripts that make use of PHP’s mail() functionality. If your script is sending email based on user input, these tips will help to keep things safe and secure.

Don’t reinvent the wheel

Before getting too deep into writing your own contact form script, it may save you some time to grab one of the many scripts that are available around the Web. Then you can simply check that the recommended security tips in this article have been applied to whichever script you feel like using.

Even easier, if you are using WordPress, you can save time and grab a copy of my very secure contact-form plugin, Simple Basic Contact Form, available for 100% FREE at the WP Plugin Directory. All of the security techniques described in this article, plus a LOT more, are implemented in SBCF to help make it super secure.

That said, let’s check out some essential security tips for email scripts.

Check for bad emails

There a many ways to check that the user’s email address is properly formatted and free from any malicious strings. Doing so helps to ensure that your email script doesn’t end up getting abused by spammers to send out their crappy spams all over the place. Here are two ways of going about checking for bad email input:

1) Use PHP’s filter_var() set to FILTER_VALIDATE_EMAIL:

filter_var($email, FILTER_VALIDATE_EMAIL)

2) Or hand-roll your own custom filter function, for example:

This simple function checks the email input variable and returns true or false, depending on whether or not any malicious characters are found in the email string.

Regardless of how you do it, checking for legit email input is critical to security.

Check bad strings

In addition to checking the user’s specified email address, it’s also important to check other input data, such as the email subject and message. Here is an example function that checks for any bad strings:

So you can call this function for each input; it will return true or false depending on whether or not any bad strings are found.

Check for newlines

Newlines included in posted email data (whether intentional or not) are considered malicious and should be removed, or the email should be rejected. Here is an example of a function that checks for any newline shenanigans:

If any newline characters are found, the function returns false, otherwise returns true.

Check POST request

Another good security tip is to deny any requests that aren’t sent via POST request. Something like this should do the trick:

That will make sure that other types of requests such as GET, HEAD, PUT, et al are not accepted.

Going further

These tips explain some important security tips for any contact form or email script, but of course much more is possible. If you’re thinking about rolling your own contact-form script, I recommend searching around for additional techniques and tips to lock things down as much as possible. These days, you just can’t risk getting your domain/email flagged as “spam” by Google et al, just because some sloppy coding allowed some lowlife scumbag to take advantage of an insecure script.

Show Support

Like our new Facebook Page to show support!