PHPMailer v. mail() for a simple Contact Form

Question

I am new to PHP, but have a decent grasp of things (have not learned classes yet).

The question:

Which to choose? PHPMailer or mail() for my new contact form.

The form is simple:

Your name:
Your email:
Subject:
Body:

I have around 2,000 visitors per day and receive about 10 submissions per day, so I don't need anything too fancy. =)

Miscellaneous questions in my head:

• Is PHPMailer going to better protect my Contact Form from CC: injection (major concern)? I already know the anti-spambot display:none CSS trick.
• Will PHPMailer save me the step of having to write an email_validator() function?
• Will PHPMailer save me any other time of having to write any custom functions?

Thanks! With any luck, I'll be answering questions soon. Lol

Answer 1

Here is all I could think of in one sitting, forgive me if there are any glaring omissions.

Advantages to using PHP's built-in mail function, no external library/wrapper:

• You don't need anything outside of PHP.
• You don't need to learn a new API.
• You don't have to worry about a PHP upgrade or such breaking the script.
• You don't have to worry about an updated version not working on your PHP installation.
• You don't have to worry about potential security vulnerabilities as a result of using that script.
• If it's a simple task, you'll be done in a few minutes.

Advantages to using an external library/wrapper:

• If you need to introduce more complexity into your emailing, you can do so quite easily. Adding attachments, inline images and such are not much fun using PHP plain mail function. External libraries (at least the good ones) have a more OOPish API. Adding an attachment can be as easy as $message->addAttachment($file); without having to play around with headers, etc.
• External libraries better hide the ugly complexities of tasks such as adding attachments, character encodings and inline images.
• Using a library now will save you the hassle of having to learn it in the future when you do need the additional complexity/functionality.
• External libraries probably (I'm really not sure which ones, and to what extent) address certain vulnerabilities that PHP's mail does not.

If I can think of anything else, I'll be sure to add it.

Answer 2

This will maybe not really answer all your questions, but it won't hurt either, I guess...

Whatever you want to do, I would not go with mail() : sending a mail is not such an easy task, and using an existing library/framework will always be a good idea : it will solve many problems you probably have not even thought about -- even if you don't need to send lots of mails.

About your specific questions, maybe other answers will say something else and/or get your more informations, but any "good" library created to send mails should deal with those kind of problems... Else, you should probably search for another library ^^

Still, testing a couple of dumb non-addresses will allow you to be 100% sure ;-)

Another solution to be quite sure is to check the source of the library ;-)

In the source of version 2.2.1, you'll find stuff like this :

class.phpmailer.php, function AddAnAddress, line 413, you'll see this :

if (!self::ValidateAddress($address)) {
  $this->SetError($this->Lang('invalid_address').': '. $address);
  if ($this->exceptions) {
    throw new phpmailerException($this->Lang('invalid_address').': '.$address);
  }
  echo $this->Lang('invalid_address').': '.$address;
  return false;
}

And it seems this function is used by the other functions that add an address... So, I suppose there's some kind of email-addresses validation ;-)
That'll answer at least one of your questions ^^

PHPMailer is not the only solution that exists, btw ; there are plenty of others, like, for instance :

• Zend_Mail
• Rmail for PHP (Formerly known as HTML Mime Mail)
• Swift Mailer

Answer 3

As Pascal MARTIN mentioned, sending an email isn't as straight forward and easy as some people just assume it is. To answer your questions directly. Yes PHPMailer does do some validation, but it's not super-advanced, but should be enough for your uses. And PHPMailer will save you some time depending on what custom functions you will need. Some things to consider though:

• HTML vs plain text. If the emails are only ever going to you, this probably isn't as big of a deal. But if you're ever sending emails to your users (say a confirmation email) you want to be able to support both HTML and plain text clients. PHPMailer (and Zend_Mail) make this very easy to do.
• SMTP. This is another one that is really important if you're sending email to your users, but not so much if it's just an email to your self. Using php's regular mail() function the email will be sent via sendmail, which almost all *nix installs come with out of the box (especially servers). As a result, spam filters aren't very friendly towards it. If you have a regular SMTP server setup with a trusted MX record (or if you have a gmail account) you can send through that using SMTP, which will help reduce the chances of your mail being flagged as spam.

In addition to just PHPMailer Zend_Mail is a good one to check out to (it's part of the Zend Framework). However that may be a bit much for a simple contact form.