Generating automatic emails

Hi all
just been asking on the html forum if it is possible to record someones email address on a web page and then send them an email. They suggested that it would be best to use PHP, so i am asking the question here.
I want to have a box on the web page that people can enter their email address into and when they click send.
A standard email is then sent asking the person to confirm that they want to join the mailing list.
Now I understand that PHP can add the email address to the database, but can PHP generate the reply email and send it automatically?

DennisK
__________________
The one stop toy shop: www.toysofamerica.

Absolutely, that's the kind of thing php does best. I'd probably advise to learn enough php so that you know the basics, though, before you plug in a script.

It will also store the member's name and email address (password, shoe size, whatever) automatically in a database and generate the mailout to all members.

Is there a name for these types of script?

DennisK
__________________
The one stop toy shop: www.toysofamerica.

You could call it a 'mail' script if you like.

Seriously, you write the script to do what you need it to do.

Go to http://php.net and look at the 'mail' function as your starting point. But as Mason has already said, there is a lot more to it than that.

You need to consider validation, security from sql injection attacks, etc.

You've got some reading to do.

What is an "sql injection attack"?
DennisK
__________________
The one stop toy shop: www.toysofamerica.

An SQL injection attack is where a user of your form enters a piece of SQL code into it, and wraps it in special characters in such a way that the data entered doesn't get used for the purpose you had intended - it gets used to corrupt or destroy your database.

For example, if your form returns to $_REQUEST[message] and you write
INSERT into msgtab (message) values ("$_REQUEST[message]")
in your code, then without the appropriate precautions I could enter
Got you"); delete his database;
or words to that effect ... and that would be a nasty injection attack.

Note that most copies of PHP are configured with magic quotes on to insure against this kind of hole being left by newcomers to coding, and that my example - quite intentionally - doesn't exactly attack; rather, it shows the principle

WOW....this very, very bad.

I just want to see if I have this right.

I have an sql database on my server.

Now, no one can access this database unless they have the password.

But what your saying is, if I make a request for some data, and instead of someone inputing, for example their email address, they could put in some special code which when returned to the database gets stored.

But these charcters are so special that when the database gets to them it crashes the sql interpreter in such a manner that it could crash through the database and delete all your data.

Is that correct???

DennisK
__________________
The one stop toy shop: www.toysofamerica.

When u have learnt php, the normal method for email confirmation (correct me if i am wrong) is by adding the session id into the database with the email and send the address you want to confirm with the session id as a get command (after a "?sid=___________)" this would then add into the database (another field) that says the user wants to recieve emails and u only send to conformed ones.

OK ... let me clarify a couple of things:

1. If a web site and its applications are set up correctly, anyone can access a database that's there is the manner chosen by the programmer, and that's probably without knowing the password. Heck - we record the colour and font size requirements of our users chosen on one visit and remember them for their next visit ... and they don't even need to know there's a database there. The problems occur only when the programming isn't properly set up or well thought out and uers find a way of doing something beyond what is prudent.

2. On current defaults, PHP has something called "magic quotes" switched on, which means that if you don't know what you're doing you're unlikely to accidentally allow a MySQL injection attack. (If, however, you've added a stripslashes to get rid of irritating extra quotes you may have left yourself open).

In summary, there's an awful lot of sites out there (and a lot of awful sites) and they don't fall foul of injection attacks every day. It's something to learn about, be trained on, be aware of though ... as there are many flavours and varients.

Session ids are really a different subject ....

Graham, that's the first time I've ever heard that. So you advise leaving magic quotes enabled unless/until you are 100% competent in escape technique and theory?

Like me - I understand the basics of escapes in php/mysql but not enough to know what it is I don't know. Maybe I'll ensure magic quotes is enabled and take out all my stripslash modules.

Yes, unless you're confident in what you're coding, you should have magic quotes on. You can always striplslashes part of something you're echoing if you need to, though even that isn't the whole story. I've actually got quite a long piece that goes into this but it doesn't really fit the forum / question and answer format for pasting in here.