So, you want to send automated email messages from your PHP application. This can be in direct response to a user’s action, such as signing up for your site, or a recurring event at a set time, such as a monthly newsletter. Sometimes email contains file attachments, both plain text and HTML portions, and so on. To understand how to send each variation that may exist on an email, we will start with the simple example and move to the more complicated.

• Sending a Simple Text Email
• Sending HTML Email
• Sending Email with Attachments

Note that to send email with PHP you need a working email server that you have permission to use: for Unix machines, this is often Sendmail; for Windows machines, you must set the SMTP directive in your php.ini file to point to your email server.

Sending a Simple Text Email

At first let’s consider how to send a simple text email messages. PHP includes the mail() function for sending email, which takes three basic and two optional parameters. These parameters are, in order, the email address to send to, the subject of the email, the message to be sent, additional headers you want to include and finally an additional parameter to the Sendmail program. The mail() function returns True if the message is sent successfully and False otherwise. Have a look at the example:

As you can see, it very easy to send an email. You can add more receivers by either adding their addresses, comma separated, to the $to variable, or by adding cc: or bcc: headers. If you don’t receive the test mail, you have probably installed PHP incorrectly, or may not have permission to send emails.

Back to top

Sending HTML Email

The next step is to examine how to send HTML email. However, some mail clients cannot understand HTML emails. Therefore it is best to send any HTML email using a multipart construction, where one part contains a plain-text version of the email and the other part is HTML. If your customers have HTML email turned off, they will still get a nice email, even if they don’t get all of the HTML markup. Have a look at the example:

In the preceding example we add one additional header of Content-type:multipart/alternative and boundary string that marks the different areas of the email. Note that the content type of the message itself is sent as a mail header, while the content types of the individual parts of the message are embedded in the message itself. This way, mail clients can decide which part of the message they want to display.

Sending Email with Attachment

The last variation that we will consider is email with attachments. To send an email with attachment we need to use the multipart/mixed MIME type that specifies that mixed types will be included in the email. Moreover, we want to use multipart/alternative MIME type to send both plain-text and HTML version of the email. Have a look at the example:

As you can see, sending an email with attachment is easy to accomplish. In the preceding example we have multipart/mixed MIME type, and inside it we have multipart/alternative MIME type that specifies two versions of the email. To include an attachment to our message, we read the data from the specified file into a string, encode it with base64,  split it in smaller chunks to make sure that it matches the MIME specifications and then include it as an attachment.

• Reading the Contents of a Directory
• Deleting the Directory and Its Contents
• Creating New Directories

Reading the Contents of a Directory

Let’s start with simple listing the contents of a directory. We need three functions to perform this task: opendir(), readdir() and closedir(). The opendir() function takes one parameter, which is the directory we want to read, and returns a directory handle to be used in subsequent readdir() and closedir() calls. opendir() returns False if the directory could not be opened.

The readdir() function takes one parameter, which is the handle that opendir() returned and each time we call readdir() it returns the filename of the next file in the directory. readdir() returns False if the end of the directory has been reached. Note that readdir() returns only the names of its items, rather than full paths.

The example below creates a select box that lists all the files in a directory. Copy and paste this code and save it as index.php in a directory you wish do display all files for. It automatically excludes itself from the list, and is easy to modify to make it ignore other files as well:

First, we open the directory for reading with the opendir() function and use a while statement to loop through each of its entries. We call readdir() as part of the while statement’s test expression, assigning its result to the $fname variable. We are explicitly testing whether the return value is equal to and of the same type as False since otherwise, any directory entry whose name evaluates to False will stop the loop prematurely. Within the body of the while statement, we check if the file is not this file, and does not start with a . (current directory) or .. (parent directory) and then store the file name into the $files array. We also do one more check. If a full file path leads to a directory then we add to the file name “(Dir)”.

There is another way to iterate over all files in a directory. PHP 5 has a set of objects called iterators. Iterators help eliminate problems in your code. For instance, PHP 5 provides a DirectoryIterator:

This example produces the same results as the earlier code that uses the directory functions, but this code is shorter and safer because you cannot forget the !== = comparison.

Back to top

Deleting the Directory and Its Contents

PHP has the rmdir( ) function that takes a directory name as its only parameter and will remove the specified directory from the file system, if the process running your script has the right to do so. However, the rmdir() function works only on empty directories. The example below deletes empty directory named “temporary”:

If you want to delete non-empty directory, you should use the recursion. In the following example we create recursive function named deleteDir() that takes a directory name as a parameter and will go through each subdirectory, deleting files as they go. When the directory is empty, we use rmdir() to remove it.

Another way to delete non-empty directory is to use RecursiveDirectoryIterator and RecursiveIteratorIterator. The RecursiveIteratorIterator must be told to provide children (files and subdirectories) before parents with its CHILD_FIRST constant. Have a look at the code:

Note: The CHILD_FIRST constant was added with PHP 5.1

Back to top

Creating New Directories

Creating new directories in PHP is accomplished using the mkdir() function, which takes two parameters. These parameters are, in order, a directory name you want to create and a permission mode for a new directory, which must be an octal number. The mode parameter is optional and has an effect only on Unix systems. Have a look at the example:

By default, the mkdir() function only creates a directory if its parent exists. In PHP 5 the recursive parameter was added which should be true or false, depending on whether you want to create parent directories or not. In the following example, we pass true as a third parameter to mkdir(), so this makes the function act recursively to create any missing parent directories.

For our example below lets assume that our DSN points to an Access database called ‘examples.mdb’ and that we will be selecting records from the table ‘cars’.

Remember that ‘myDSN’ above is name of the DSN. Also note that you can change the table name from ‘cars’ to the name of your table and point the DSN to whatever database you like. One other thing to remember is that you can set up a DSN on your own machine though if you are using a hosting company you may have to ask the webmaster.

DSN-less connection

DSN-less connections don’t require creation of system level DSNs for connecting to databases and provide an alternative to DSNs. We will now see how to connect to a database via PHP using Connection String in place of DSN name.

There are a number of reasons to restrict access. One reason is security. Quite often users try to guess login and password combination to get unauthorized access to the system. Another reason is extra load on server.

So let’s start. At first you need to create a new table in your database to store information about login attempts from a certain computer. SQL script creating such table in MySQL Server will be the following. For other databases it will slightly differ.

It is assumed that you have already had an authorization page. Otherwise you can create it using PHP, SSI, and similar languages. There are no major difficulties in writing this program (script).

Authorization page should work with two tables: one table where information about registered users is stored and the other one where unsuccessful login attempts are listed.
Before verifying entered data, system has to check if the user exceeded attempts limit or not. If in the LoginAttempts table there are more than two records correspondent to one IP address, then error message will appear saying that access is blocked for a certain period of time. You can set time period at your discretion. Depending on your security policy it can vary from 1 minute to 24 hours or more. In the following example access will be blocked for 30 minutes.

If attempts limit has not been reached, then the system will check, if the data entered are correct. If the data are verified, information about previous attempts is deleted, and for the next authorization user again will have three login attempts.

You can test this login system online or download completed php scripts and try to use them on your site.

What is “secure,” anyway? Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users’ passwords are still accessible to all administrators who work at the Web hosting company where your database is hosted. Scrambling the passwords using some home-brewed algorithm may add some obscurity but not true “security.” Another approach would be to encrypt all passwords in your database using some industry-standard cipher, such as the Message-Digest Algorithm 5 (MD5).

MD5 encryption is a one-way hashing algorithm. Two important properties of the MD5 algorithm are that it is impossible to revert back an encrypted output to the initial, plain-text input, and that any given input always maps to the same encrypted value. This ensures that the passwords stored on the server cannot be deciphered by anyone. This way, even if an attacker gains reading permission to the user table, it will do him no good.

MD5 does have its weaknesses. MD5 encryption is not infallible: if the password is not strong enough, a brute force attack can still reveal it. So, you can ask: “Why should I use MD5 if I know it is not the most secure?” The answer is fairly straightforward: it’s fast, it’s easy, and it can be powerful if salted. The greatest advantage of MD5 is its speed and ease of use.

It is vitally important to understand that password encryption will not protect your website, it can protect your passwords only. If your website does not have sufficient protection, password encryption will not make it safe from cracking. If your system has been cracked, a hacker can inflict a irreparable damage to it and also gain an access to confidential information, including passwords database. But if you store this information encrypted, hackers practically cannot make use of it. Cracking an encrypted password takes a large amount of time and processing power, even on today’s computers.

So, let’s start. First of all, you need to add a new account to your database. The following code allows to do it.

Now, when a new user completes the registration form, his password will be encrypted automatically.

After that we should write code that validates a given username/password pair.

And what if you already have users’ database ready and want to start using encrypted passwords? To do it, you need to write encypt.php script with the following code and run it in your browser.

CAPTCHA is a simple test to determine if a user is a computer or a human. It is used to prevent spam abuse on the websites. So if you use CAPTCHA on your web site forms, this can help in stopping some bots and making life harder for other bots in accessing or using your forms.

In brief the CAPTCHA protection works by generating a random string, writing it to an image, then storing the string inside of a session or by some other method. This is then checked when the form is submitted.

The goal of this tutorial is to demonstrate how to make your own simple CAPTCHA protection using PHP and AJAX technologies.

This tutorial is very simple, but if you are unfamiliar with PHP and AJAX this is a great place to start. The tutorial consists of a HTML page for presenting a simple form that will send the data, a JavaScript file for handling the Ajax functionality, and a simple PHP page that makes the actual comparison of the what is in the text box compared to what phrase was stored in the image.

• The AJAX HTML Page (the Front-end)
• The JavaScript
• The PHP Server Page (the Backend)
• The Ways to Make It More Secure

The AJAX HTML Page (the Front-end)

The front-end of this tutorial is straight forward. We are going to create a simple HTML form with a textbox for entering the security code, dynamically generated image holding this code, a button for submitting, and a DIV that we will display the CAPTCHA test result. The following example shows how you can do that. Create a new file named captcha_test.htm, and add this code to it.

After the textbox and the button we have added the result DIV. We have given it an ID so we can address it through the DOM in our JavaScript. It can easily be a SPAN or any other HTML element that can contain text. The button onclick event will start the AJAX request to the server to make the comparison.

Below is a php script that generates the CAPTCHA image and set a session that stores the security code. Create a new file named create_image.php, and add this code to it.

If you view create_image.php in a browser, you should see a new JPEG image every time you refresh the page. You should see the black box with some letters and numbers on it. For more details how to create images on the fly read our tutorial Dynamic Image Generation.

The last we have to do is to include the JavaScript file that we will create on the next step.

Back to top

The JavaScript

The JavaScript will be placed in an external file called ajax_captcha.js. Let’s look into the JavaScript code.

The first function simply returns a browser specific XmlHttpRequest object. Unfortunately AJAX is supported slightly differently in IE than it is Safari, Opera and Mozilla-based browsers like Firefox. Microsoft Internet Explorer uses an Active X object while Mozilla and Safari use a native object.

The next step we will create our XmlHttpRequest object that we can use to make the requests.

After that we create a function that will make the AJAX request. This function gets two parameters: the url to send to the server and a parameter to the url with the content of the input field.

At first we check if our XmlHttpRequest object is ready to make a request. If our readystate is either not started or finished then we initiate a new request. Next we open the connection to our server PHP page with the appended querystring and mark it as a “POST” request. After that we add HTTP headers to the request so that the server processes the request correctly. The next line defines the updatePage() function that will be called when we recieve the AJAX response. Finally, we actually send the request to the server.

The updatePage() function executes every time the state of the XmlHttpRequest object changes.

At first we need to make sure our response is ready. If it is, then the content of the DIV element is filled with the response text and the CAPTCHA image is changed. One other thing you must remember you must have different names for each image. For that purpose we use the random() function.

The last function will be called every time the form is submitted. It gets the value from the text box, sets the url and passes them as a parameters to makeRequest() function.

That’s all. If we open our page, type the security code into the text box and click the button, our DIV element will read the CAPTCHA test result without having to refresh the page.

Back to top

The PHP Server Page (the Backend)

The server-side PHP file will make the actual comparison and return the result. This is very simple PHP page that only prints the result of the CAPTCHA test. You can add needed functionality yourselves. For example, if your HTML form will contain some other fields, you can send their data using the POST method and then output the data on the screen or add it into the database for further use.

The session_start() simply continues the session. Then it’s just a simple text matching which is done by the if statement. If the input text matches the stored text then the success message displayed, otherwise error message. If someone is trying to outwit you, then you should probably use a more secure way besides storing the security code in a session or a cookie that always has the same name. As an example you can store this data in MySQL database.

Create a new file named captcha.php, and add the code from the preceding example to it. And that’s all for the server-side.

The Ways to Make It More Secure

You can see how it is easy to use PHP with Ajax technologies. This is very simple CAPTCHA test you can use but I’m sure you will think how to make it more powerful, robust and secure. In conclusion I just want to suggest some several things you can do to make it more secure:

• Rotate the text randomly
• Add random spaces in between characters
• Use a TTF fonts and change the font randomly every time
• Use a random text and image size every time
• Use more advanced text distortion and colors
• Move the lines randomly
• Store the password in a random cookie

One of the frequent problems is defining visitor’s screen resolution using JavaScript tools and passing this data to PHP-script. The following script provides solution for this problem:

Copy and paste this code snippet in the text editor, save it as index.htm and run it in your browser. After this code has been executed, a user is automatically redirected to the main.php page where screen resolution is displayed in the browser window.

The main.php looks as follows:

As you can see, passing JavaScript variables in PHP is similar to sending data using GET method.

This tutorial will describe how to create thumbnail images on the fly using PHP. Furthermore you will learn how to process a whole folder of images and create their thumbnails. Since this requires the GD library, you will need an installation of PHP with at least GD 2.0.1 enabled.

Below we will create a PHP script that contains two functions. The first one scans a provided directory for any .JPG images and, for each one, creates a thumbnail in the specified folder using the GD image functions. The second function creates an HTML file in the same directory as the script, which contains all of the thumbnails with links to the original images. This could be the basis of advanced photo gallery software.

The code below creates a function named createThumbs that will get three parameters. The first and the second is correspondingly the path to the directory that contains original images and the path to the directory in which thumbnails will be placed. The third parameter is the width you want for the thumbnail images.

At first we open the directory with images and iterate through it, looking for all .JPG files. Next we create thumbnails for each image in the directory. To create a thumbnail, we read in the file using the imagecreatefromjpeg() function and calculate the new thumbnail size. imagesx() and imagesy() functions return the width and height of the image respectively. Next we create a new image using the imagecreatetruecolor(). Finally, we copy and resize the original file with the imagecopyresized() function and save thumbnail with imagejpeg().

The second part of the code creates the function named createGallery which gets two parameters (the relative paths to the directories in which images and thumbnails are stored) and creates an HTML page which contains all of the thumbnails with links to the original images.

First, we open the directory with thumbnails. Next we iterate through files in the directory and put the HTML into a string variable. The variable contents then written into a file using fopen(), fwrite(), and fclose() functions.

As you can see, adding on the fly generated thumbnails to your website with GD library and PHP is quite easy to accomplish.

This tutorial gives a brief overview of basic regular expression syntax and then considers the functions that PHP provides for working with regular expressions.

• The Basics
• Matching Patterns
• Replacing Patterns
• Array Processing

PHP supports two different types of regular expressions: POSIX-extended and Perl-Compatible Regular Expressions (PCRE). The PCRE functions are more powerful than the POSIX ones, and faster too, so we will concentrate on them.

The Basics

In a regular expression, most characters match only themselves. For instance, if you search for the regular expression “foo” in the string “John plays football,” you get a match because “foo” occurs in that string. Some characters have special meanings in regular expressions. For instance, a dollar sign ($) is used to match strings that end with the given pattern. Similarly, a caret (^) character at the beginning of a regular expression indicates that it must match the beginning of the string. The characters that match themselves are called literals. The characters that have special meanings are called metacharacters.

The dot (.) metacharacter matches any single character except newline (\). So, the pattern h.t matches hat, hothit, hut, h7t, etc. The vertical pipe (|) metacharacter is used for alternatives in a regular expression. It behaves much like a logical OR operator and you should use it if you want to construct a pattern that matches more than one set of characters. For instance, the pattern Utah|Idaho|Nevada matches strings that contain “Utah” or “Idaho” or “Nevada”. Parentheses give us a way to group sequences. For example, (Nant|b)ucket matches “Nantucket” or “bucket”. Using parentheses to group together characters for alternation is called grouping.

If you want to match a literal metacharacter in a pattern, you have to escape it with a backslash.

To specify a set of acceptable characters in your pattern, you can either build a character class yourself or use a predefined one. A character class lets you represent a bunch of characters as a single item in a regular expression. You can build your own character class by enclosing the acceptable characters in square brackets. A character class matches any one of the characters in the class. For example a character class [abc] matches a, b or c. To define a range of characters, just put the first and last characters in, separated by hyphen. For example, to match all alphanumeric characters: [a-zA-Z0-9]. You can also create a negated character class, which matches any character that is not in the class. To create a negated character class, begin the character class with ^: [^0-9].

The metacharacters +, *, ?, and {} affect the number of times a pattern should be matched. + means “Match one or more of the preceding expression”, * means “Match zero or more of the preceding expression”, and ? means “Match zero or one of the preceding expression”. Curly braces {} can be used differently. With a single integer, {n} means “match exactly n occurrences of the preceding expression”, with one integer and a comma, {n,} means “match n or more occurrences of the preceding expression”, and with two comma-separated integers {n,m} means “match the previous character if it occurs at least n times, but no more than m times”.

Now, have a look at the examples:

Perl-Compatible Regular Expressions emulate the Perl syntax for patterns, which means that each pattern must be enclosed in a pair of delimiters. Usually, the slash (/) character is used. For instance, /pattern/.

The PCRE functions can be divided in several classes: matching, replacing, splitting and filtering.

Back to top

Matching Patterns

The preg_match() function performs Perl-style pattern matching on a string. preg_match() takes two basic and three optional parameters. These parameters are, in order, a regular expression string, a source string, an array variable which stores matches, a flag argument and an offset parameter that can be used to specify the alternate place from which to start the search:

The preg_match() function returns 1 if a match is found and 0 otherwise. Let’s search the string “Hello World!” for the letters “ll”:

The letters “ll” exist in “Hello”, so preg_match() returns 1 and the first element of the $matches variable is filled with the string that matched the pattern. The regular expression in the next example is looking for the letters “ell”, but looking for them with following characters:

Now let’s consider more complicated example. The most popular use of regular expressions is validation. The example below checks if the password is “strong”, i.e. the password must be at least 8 characters and must contain at least one lower case letter, one upper case letter and one digit:

The ^ and $ are looking for something at the start and the end of the string. The “.*” combination is used at both the start and the end. As mentioned above, the .(dot) metacharacter means any alphanumeric character, and * metacharacter means “zero or more”. Between are groupings in parentheses. The “?=” combination means “the next text must be like this”. This construct doesn’t capture the text. In this example, instead of specifying the order that things should appear, it’s saying that it must appear but we’re not worried about the order.

The first grouping  is (?=.*{8,}). This checks if there are at least 8 characters in the string. The next grouping (?=.*[0-9]) means “any alphanumeric character can happen zero or more times, then any digit can happen”. So this checks if there is at least one number in the string. But since the string isn’t captured, that one digit can appear anywhere in the string. The next groupings (?=.*[a-z]) and (?=.*[A-Z]) are looking for the lower case and upper case letter accordingly anywhere in the string.

Finally, we will consider regular expression that validates an email address:

This regular expression checks for the number at the beginning and also checks for multiple periods in the user name and domain name in the email address. Let’s try to investigate this regular expression yourself.

For the speed reasons, the preg_match() function matches only the first pattern it finds in a string. This means it is very quick to check whether a pattern exists in a string. An alternative function, preg_match_all(), matches a pattern against a string as many times as the pattern allows, and returns the number of times it matched.

Back to top

Replacing Patterns

In the above examples, we have searched for patterns in a string, leaving the search string untouched. The preg_replace() function looks for substrings that match a pattern and then replaces them with new text. preg_replace() takes three basic parameters and an additional one. These parameters are, in order, a regular expression, the text with which to replace a found pattern, the string to modify, and the last optional argument which specifies how many matches will be replaced.

The function returns the changed string if a match was found or an unchanged copy of the original string otherwise. In the following example we search for the copyright phrase and replace the year with the current.

In the above example we use back references in the replacement string. Back references make it possible for you to use part of a matched pattern in the replacement string. To use this feature, you should use parentheses to wrap any elements of your regular expression that you might want to use. You can refer to the text matched by subpattern with a dollar sign ($) and the number of the subpattern. For instance, if you are using subpatterns, $0 is set to the whole match, then $1, $2, and so on are set to the individual matches for each subpattern.

In the following example we will change the date format from “yyyy-mm-dd” to “mm/dd/yyy”:

We also can pass an array of strings as subject to make the substitution on all of them. To perform multiple substitutions on the same string or array of strings with one call to preg_replace(), we should pass arrays of patterns and replacements. Have a look at the example:

In the above example we use the other interesting functionality - you can say to PHP that the match text should be executed as PHP code once the replacement has taken place. Since we have appended an “e” to the end of the regular expression, PHP will execute the replacement it makes. That is, it will take strtoupper(name) and replace it with the result of the strtoupper() function, which is NAME.

Back to top

Array Processing

PHP’s preg_split() function enables you to break a string apart basing on something more complicated than a literal sequence of characters. When it’s necessary to split a string with a dynamic expression rather than a fixed one, this function comes to the rescue. The basic idea is the same as preg_match_all() except that, instead of returning matched pieces of the subject string, it returns an array of pieces that didn’t match the specified pattern. The following example uses a regular expression to split the string by any number of commas or space characters:

Another useful PHP function is the preg_grep() function which returns those elements of an array that match a given pattern. This function traverses the input array, testing all elements against the supplied pattern. If a match is found, the matching element is returned as part of the array containing all matches. The following example searches through an array and all the names starting with letters A-J:

• MS Word document
  • Using HTTP headers
  • Using COM objects
  • Using OpenOffice templates
  • Using Zend Framework component phpLiveDocx
• MS Excel document
  • Using HTTP headers
  • Using COM objects
• CSV file
  • Using HTTP headers
  • Using fputcsv()

How to create MS Word document

Method 1 – Using HTTP headers

In this method you need to format the HTML/PHP page using Word-friendly CSS and add header information to your PHP script. Make sure you don’t use external style sheets since everything should be in the same file.

As a result user will be prompted to download a file. This file will not be 100% “original” Word document, but it certainly will open in MS Word application. You can use this method both for Unix and Windows environments.

As you may note, the formatting capabilities are limited here.

Back to top

Method 2 – Using COM objects

Note that the server running the code stated below must have MS Word installed. COM will work on Windows only.

Word document is saved to the temporary directory and then sent to the browser via readfile() function.

Back to top

Method 3 – Using OpenOffice templates

1. Create manually an ODT template with placeholders, like [%value-to-replace%].
2. When instantiating the template with real data in PHP, unzip the template ODT (it’s a zipped XML), and run against the XML the textual replace of the placeholders with the actual values.
3. Zip the ODT back.
4. Run the conversion ODT -> DOC via OpenOffice command line interface.

There are tools and libraries available to ease each of those steps.

Method 4 – Using Zend Framework component phpLiveDocx

One of the ways to create DOC files in Linux using PHP is to use the Zend Framework component phpLiveDocx. It allows developers to generate documents by combining structured data from PHP with a template, created in a word processor. The resulting document can be saved as a PDF, DOCX, DOC or RTF file. The concept is the same as with mail-merge.

PhpLiveDocx is completely free to download and use. For more information, please take a look at http://www.phplivedocx.org/articles/brief-introduction-to-phplivedocx/.

Back to top

How to create MS Excel document

Method 1 – Using HTTP headers

As described for the MS Word, you need to format the HTML/PHP page using Excel-friendly CSS and add header information to your PHP script.

Back to top

Method 2 – Using COM objects

Note that the server running the code stated below must have MS Excel installed.

We use the same approach as for MS Word with saving a file to the temporary directory first.

Back to top

How to create a CSV file

Method 1 – Using HTTP headers

As in the examples for the Word and Excel, you need to add header information to your PHP script.

The code snippet below creates a CSV file of the specified table including its column names. Then user will be prompted to download this file.

Back to top

Method 2 – Using fputcsv()

The fputcsv() function formats a line as CSV and writes it to an open file. For more information, take a look at http://php.net/manual/en/function.fputcsv.php.

The code snippet below creates a CSV file of the specified table including its column names and sends it to the browser.