
I have a form that sends email and this all works fine but now I want to send the email to an address that is stored in a mysql database but I can't figure out how to do this. No matter what I try to make `$to` in the mail script below send to the variable pulled from the database it does not work. Can anyone tell me what I am doing wrong? Thanks.

```php
<?php
// Get the recipient's email address from the database using the id in the URL
$id = $_GET["id"];
$result = mysqli_query($conx, "SELECT email from mytable where id='$id'");
while ($row = mysqli_fetch_array($result)) {
    $to = $row["email"];
}

if (isset($_GET["submit"])) {
    $name    = htmlspecialchars($_GET['name']);
    $email   = htmlspecialchars($_GET['email']);
    $message = $_GET['message'];
    $subject = 'Hello There';
    $body    = "E-Mail: $email\n Message: $message";
    if (mail($to, $subject, $body)) {
        $result = '<div class="alert alert-success">Your email has been sent</div>';
    } else {
        $result = '<div class="alert alert-danger">Sorry there was an error sending your message.</div>';
    }
}
?>
```
JulianJ

1 Answer


You should try this way:

To secure this code from SQL INJECTION please read this article.

```php
<?php
// Get the recipient's email address from the database using the id in the URL.
// Casting to int means only an integer can ever be interpolated into the query.
$id = (int) $_GET["id"];
$result = mysqli_query($conx, "SELECT email from mytable where id='$id'");
$row = mysqli_fetch_array($result);
$to = $row["email"];

if (isset($_GET["submit"])) {
    $name    = htmlspecialchars($_GET['name']);
    $email   = htmlspecialchars($_GET['email']);
    $message = $_GET['message'];
    $subject = 'Hello There';
    $body    = "E-Mail: $email\n Message: $message";
    if (mail($to, $subject, $body)) {
        $result = '<div class="alert alert-success">Your email has been sent</div>';
    } else {
        $result = '<div class="alert alert-danger">Sorry there was an error sending your message.</div>';
    }
}
?>
```
Istiak Tridip
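The answer casts the id to an integer, which closes the injection for this one numeric column. As an added example (not the asker's or answerer's code), the same lookup with a prepared statement, which works for non-numeric columns as well, plus the two checks a practitioner would want around it: the "no such id" case, so `mail()` is never called with an empty recipient, and validation of the stored address before it becomes a `To:` header. The table and column names `mytable`/`email` come from the question; the connection details are placeholders, and the `$mailer` parameter is a hypothetical hook so the sending step can be swapped out in testing.

```php
<?php
// Added example, not the original post's code.
// Assumes: table `mytable` with columns `id` (int) and `email` (from the question);
// the mysqli connection below uses placeholder credentials.

function lookup_recipient(mysqli $conx, int $id): ?string
{
    // The placeholder keeps the value out of the SQL text, so nothing that
    // arrived in $_GET["id"] can change the structure of the statement.
    $stmt = $conx->prepare('SELECT email FROM mytable WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conx->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();

    $email = null;
    $stmt->bind_result($email);
    $found = $stmt->fetch();   // true = row, null = no row, false = error
    $stmt->close();

    if ($found !== true || $email === null) {
        return null;           // unknown id: caller must not fall through to mail()
    }
    // The stored address is data, not a trusted value: only a single
    // well-formed address may be used as the recipient header.
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

function send_contact_mail(string $to, array $input, ?callable $mailer = null): bool
{
    $mailer  = $mailer ?? 'mail';   // hypothetical hook; defaults to PHP's mail()
    $email   = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $message = trim((string) ($input['message'] ?? ''));
    if ($email === false || $message === '') {
        return false;
    }
    $subject = 'Hello There';
    $body    = "E-Mail: $email\nMessage: $message";
    return (bool) $mailer($to, $subject, $body);
}

// --- wiring; placeholders, replace with the real connection -------------------
$conx = new mysqli('db-host-placeholder', 'user-placeholder', 'password-placeholder', 'database-placeholder');
if ($conx->connect_error) {
    exit('database connection failed');
}

// Keep the query result and the page status in separate variables.
$status = '';
if (isset($_GET['submit'])) {
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);   // false/null if missing or not an int
    $to = ($id === null || $id === false) ? null : lookup_recipient($conx, $id);
    if ($to !== null && send_contact_mail($to, $_GET)) {
        $status = '<div class="alert alert-success">Your email has been sent</div>';
    } else {
        $status = '<div class="alert alert-danger">Sorry there was an error sending your message.</div>';
    }
}
echo $status;
```

Returning `null` from `lookup_recipient()` for both "no row" and "address fails validation" means the caller has exactly one failure path and never reaches `mail()` with an empty or malformed recipient, which is also the condition that produced the silent non-send described in the question.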
  • He just asks how to do that. Not about security. – Istiak Tridip Mar 27 '15 at 12:50
  • But that's not an excuse to offer insecure code. A lot of users who see this will blindly copy and paste this code without knowing it's unsafe. Your answers should always be secure. – John Conde Mar 27 '15 at 12:52
  • I have updated my answer with a MYSQL INJECTION security related question. – Istiak Tridip Mar 27 '15 at 12:56
  • Thanks very much John Conde and Istiak Tridip for the replies and heads up about security. I've tried incorporating these changes but am still left with the same issue. The mail will not send if I try and use the variable (email address) taken from the database. I can see the variable is echoing fine on the page but it's like the mail() function can't see it. If I just change `$to='me@email.com';` it sends fine but not `$to = $row["email"];`. Hope that makes sense, I would post the code here but it seems I've run out of characters. – JulianJ Mar 27 '15 at 17:17
  • I got this working, I had some code that was checking the users login status that was conflicting with the mail variables. Thanks. – JulianJ Mar 28 '15 at 09:25
  • If my answer worked for you don't forget to mark it as correct, because that will help others to solve their problem. Thank you. – Istiak Tridip Mar 29 '15 at 17:19