Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial


Colin van Wyk
Colin van Wyk
8,258 Points

Escaping Output on Email Form

I watched Alena Holligan PHP Library course to get my HTML form on another HTML file to work so that users submit a form that sends the input values to me in an email body. I don't want to continue because I'm scared my form is not secure enough as is. I'm not using the $_POST method to output back to the browser so I've sanitized the inputs, but I'm completely baffled as to where I'm supposed to use htmlspecialchars() to escape out all of the fields in my form. Could anyone please shed some light on this newby code?

My HTML code:

<form method="post" action="process.php" id="form"> 

          <h3>READY TO ORDER?</h3>


            <legend><span class="number">1</span> Please enter your details:</legend>

          <label for="name">Name &amp; Surname: *required</label>
          <input type="text" id="name" name="name">

          <label for="email">Email: *required</label>
          <input type="email" id="email" name="email">

          <label>Choose your design option: *required</label>
          <select id="prepared" name="userPrep">

            <option value="New Logo">NEW LOGO</option>
            <option value="Fix Logo">FIX LOGO</option>
            <option value="Logo Plus">LOGO PLUS</option>



          <fieldset class="fieldset2">

            <legend><span class="number">2</span> About the Design:</legend>

          <label for="prepared">What information can you supply? *required</label>
          <select id="prepared" name="userPrep">

            <optgroup label="FOR NEW LOGO">
              <option value="Nothing to supply">I must start from scratch</option>
              <option value="Some ideas or samples">I have some ideas and samples</option>
              <option value="Many ideas">I have plenty ideas or research</option>
            <optgroup label="FOR FIX LOGO">
              <option value="Piture available">I have a drawing of what I want to be setup</option>
              <option value="Design file available">I already have digital file that must be edited</option>
            <optgroup label="FOR LOGO PLUS">
              <option value="Brand new CI required">I need an entirely new Corporate Identity</option>
              <option value="Existing logo, wants extras">I have a logo, just need some extras</option>


          <label for="specifics">Anything specific you'd like us to know? (optional)</label>
          <textarea id="specifics" name="userSpecified"></textarea>

          <div style="display:none">
            <label for="address">Address:</label>
            <input type="text" id="address" name="address" />
            <p>Please leave this field blank.</p>

          <div class="submitBtn">
            <button type="submit">SUBMIT FOR QUOTE</button>

And my PHP code:


//Import the PHPMailer class into the global namespace
use PHPMailer\PHPMailer\PHPMailer;
require 'vendor/phpmailer/src/PHPMailer.php';
require 'vendor/phpmailer/src/Exception.php';
require 'vendor/phpmailer/src/SMTP.php';

  $name = trim(filter_input(INPUT_POST,"name",FILTER_SANITIZE_STRING));
  $email = trim(filter_input(INPUT_POST,"email",FILTER_SANITIZE_EMAIL));
  $designOption = trim(filter_input(INPUT_POST,"designOption",FILTER_SANITIZE_STRING));
  $userPrep = trim(filter_input(INPUT_POST,"userPrep",FILTER_SANITIZE_STRING));
  $userSpecified = trim(filter_input(INPUT_POST,"userSpecified",FILTER_SANITIZE_SPECIAL_CHARS));
  $error_message = header("location:error.php");

if ($name == "" || $email == "") {

if ($_POST["address"] != "") {

if (!PHPMailer::validateAddress($email)) {

//echo "<pre>";
$email_body = "";
$email_body .= "Name: " . $name . "\n";
$email_body .= "Email Address: " . $email . "\n";
$email_body .= "Design Option: " . $designOption . "\n";
$email_body .= "User Preparedness: " . $userPrep . "\n";
$email_body .= "User Comments: " . $userSpecified . "\n";
//echo $email_body;
//echo "</pre>";

        $mail = new PHPMailer;
//        $mail->isSMTP();
//        $mail->Host = 'localhost';
//        $mail->Port = 2500;
//        $mail->CharSet = 'utf-8';
        //It's important not to use the submitter's address as the from address as it's forgery,
        //which will cause your messages to fail SPF checks.
        //Use an address in your own domain as the from address, put the submitter's address in a reply-to
        $mail->setFrom('order@example.com', $name);
        $mail->addReplyTo($email, $name);
        $mail->addAddress('quote@example.com', 'Colin');
        $mail->Subject = 'Quote Request from ' . $name;
        $mail->Body = $email_body;
        if (!$mail->send()) {
            echo "Mailer Error: " . $mail->ErrorInfo;