HTML:
<form name="subscriptionform" method="post" action="subscribe_2.php">
<table width="300px">
<tr>
<td valign="top">
<label for="title"><strong>Subscribe to Newsletter</strong></label>
</td>
</tr>
<tr>
<td valign="top">
<p>E-mail Address:*<br>
<input name="email" type="text" size="20"></p>
</td>
</tr>

<tr>
<td valign="top">
<p>Confirm E-mail Address:*<br>
<input name="email" type="text" size="20"></p>
</td>
</tr>
<tr>
<td colspan="15" style="text-align:left">
<input type="submit" value="Subscribe">
</td>
</tr>
</table>
</form>
</html>

---

PHP: subscribe_2.php
<?php
$to = "example@example.com";
$subject = "Newsletter Subscription Request";
$email = $_REQUEST['email'] ; //required
$headers = "From: $email";
$sent = mail($to, $subject, $headers) ;
if($sent)
{print "Thank you for subscribing! Your request is being processed"; }
else
{print "We encountered an error during your request"; }
// required fields in the line below
if (!$email)
{ $error = "You must complete all required fields"; }
if (!$error) {
// Code to do something with the data here
$mailed = "Your request has been sent. Thank you"; }
?>

Welcome to WebmasterWorld, RDreamer.

I'm not sure if this script is merely a practice to learn how to use php and the mail() function but implementing a script such as this on your public server is going to get your IP addressed put on a blacklist quite quickly as spammers are going to have a field day abusing your form to their advantage and the great dismay of every recipient!

If you make the user type the email address twice (why? Users do not forget their email address and any typo will get cut&pasted anyway), would it not be smart to check it is in fact the same in both fields (and hence give them different names to start with ?

To elaborate on coopster's remark:

ANYTHING coming from the browser absolutely must be cleaned before you use it.
(consider it tainted data: only after you absolute know it is ok, will you use it, till then consider it has multiple lines, all sorts of funny characters, extreme length etc.)

Even though you hardcoded the "To" to come to you (I presume at least), you really should build a system where you send the apparent subscriber an email with a link in it that they need to click to confirm they want to be subscribed before you do so.
(On do confirm opt-in - you're in for a big heap of trouble if you don't get confirmation)
Now that's not enough: you also need to rate limit the confirmation requests, have an opt-out method etc.

Running a mailing list is much more than just a form on a website.

All it takes is a few malcontent subscribers to complain and you loose the ability to send email. That's why services such as e.g. mailchimp (just to name one that I use) -it's free in it's basic form- exist and deliver a service well above of what you can code in a few days yourself. They take care of all of that, and keep their reputation intact by enforcing some behavior on their customers.

There is a very nice free .php contact form available at fastsecurecontactform dot com/
It is highly configurable and can forward and auto reply. It is free, but a donation would be the right thing to do. This form is for use with static html sites, he also offers a WP plugin version.

If you are trying to build an email list, the recommendations above are better, this is just for contact.

@ Coopster.:
This was mostly just a test script and wasn't what I had intended on implementing. I'm very new when it comes to PHP scripting and figured I'd better talk to someone with more experience in it before making any scripts of my own. Pertaining to what you said, that's definitely something I'd like to avoid. What would be the best way to keep spammers from abusing a PHP form?

@swa66:
That's a good point. My intention for that was so that, when they entered the address, it would make sure they had entered it in correctly in email format and that the two matched. It was something I wanted to try to do, but now that I think about it, there are better ways to go about confirming email addresses.

I've been looking into a system like that, and someone I'm working with had something in mind. I'd have to check in with them to see what exactly it was. But this was just to make sure that I had a working form for subscriber emails. I'll definitely look into mailchimp because that sounds like a much better approach to doing this.

Does mailchimp only help with setting up an emailing and confirmation system, or does it let you customize a form for website input, like the one I'm trying to put together?


@not2easy:
I'll look into that. It sounds like it'd be helpful, thanks a lot!

As you can probably tell, this is my first time doing this, so I'd really like it to be secure and safe to use. I'll make sure to look into all of this. I may have a few more questions down the line. I hope you won't mind me posting them here.

Thanks for the great advice!

Pretty sure we should not discuss mailchimp here. But FWIW: yes you can integrate a form to subscribe on your website. It's easy enough.

A pet peeve of mine is that when learning, all examples you find contain more security holes that one cares to count. That way you're taught to create security issues. I've yet to find any good tutorial of any language that takes security into account from page 1, slide 1 or example 1.

It makes it really hard to those learning to post stuff without getting "killed" for the security issues, but letting you put things online where the first hacker that finds it is having a blast isn't going to be fun either.

@swa66

You're right, and thanks, that's good to know.

I know that security holes are a big issue, and it seems difficult to find a good resource on them and how to avoid the risks. I don't feel comfortable making these kinds of things and leaving them riddled with risks, so it looks like I'm going to have to learn a lot more about security if I want to make things like this safe and functional.

I know you mentioned not being able to find any good tutorials that take security into account, but is there any resource that explains the causes of some basic security holes in basic PHP scripts? I'll start looking into it, but I'd appreciate a point in the right direction.

It changes so rapidly because of advances and updates to technology ... but the PHP online documentation has a good starting point regarding Security and after that you may want to search for mailing lists that discuss not only PHP security but more general security, including the HTTP server (Apache) that you use, web security issues in general such as XSS, SQL injection, etc. And lastly, come to Pubcon and learn how to hack a site so you can effectively defend against the very same tactics!