Leaderboard

Popular Content

Showing content with the highest reputation on 06/12/2022 in all areas

  1. that's not the correct call-time parameter usage for the mysqli_select_db() statement. the correct usage can be found in the php.net documentation. you can also select the database when you make the connection now, so there's generally no need to use a separate select db statement. if you arrived at this point by trying to convert old mysql_ based code to use the mysqli extension, simply by adding an 'i' to the function calls, this does not work. you must actually learn the correct usage for the mysqli statements. if you are converting old mysql_ based code, it is simpler and much better to skip over using the mysqli extension and use the PDO extension, because a huge problem with converting old code is the lack of security against sql special characters in data values breaking the sql query syntax, which is how sql injection is accomplished. the simplest way of adding security for all data types is to use a prepared query, which is very simple with the PDO extension, but more complicated and inconsistently handled with the mysqli extension.
    1 point
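The point the post makes, as an added example that is not the poster's code: the database is selected in the DSN at connect time (so no separate select-db call), and the same lookup is written twice, once the old mysql_ way with the value pasted into the SQL text and once as a PDO prepared query. The host, database name, table `users`, and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the original post. Shows the syntax-breaking problem
// the post describes beside the PDO prepared-query fix.
// Assumed placeholders: dsn values, 'app_user'/'app_password', table users(id, username, email).

declare(strict_types=1);

// The database is chosen in the DSN, so there is no separate select-db step.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // placeholder values
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    return new PDO($dsn, 'app_user', 'app_password', $options);
}

// The converted-from-mysql_ form: any sql special character in the data value
// becomes part of the query text. A legitimate name like O'Brien already
// breaks the statement, and that same property is what sql injection relies on.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch();
    return $row === false ? null : $row;
}

// The prepared-query form: the SQL text and the data travel separately, so the
// value is only ever compared as a literal string, whatever characters it holds.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$db = connect();

try {
    findUserUnsafe($db, "O'Brien");                // throws: the quote ends the string early
} catch (PDOException $e) {
    echo "unsafe query failed: {$e->getMessage()}\n";
}

var_dump(findUserSafe($db, "O'Brien"));           // NULL or the row; never a syntax error
```

With `ATTR_EMULATE_PREPARES` off, the `?` placeholder is bound by the MySQL server itself, which is what makes the prepared query safe for every data type without any per-type escaping in your code.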
  2. firstly, these emails are NOT being sent from the email address that is entered in the form. they are being sent from the mail server at your web hosting and the From: and Return-path: email addresses must correspond to your web hosting. you can use the submitted email address as the Reply-to: address, after validating that it is exactly and only a validly formatted email address (checking that it contains an @ and a . is not sufficient.) your code is open to mail header injection, so, a bot script can basically build an email with anything and send it to any email address. the spam emails you are receiving are just the copy being sent to your To: email address. you MUST validate all inputs before using them. for the entered email address, after you have trimmed and validated that it is not an empty string, use php's filter_var with the FILTER_VALIDATE_EMAIL flag (do NOT use the FILTER_SANITIZE_EMAIL flag as it alters the value.) if the entered email address passes all the validation, use it in the Reply-to: mail header.
    1 point
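The validation and header layout the post describes, as an added example that is not the poster's code: the From address and envelope sender belong to the hosting account, the submitted address is accepted only after trimming and `filter_var` with `FILTER_VALIDATE_EMAIL`, and it is used solely as the Reply-To. The mailbox addresses and the `$_POST` field names are assumed placeholders.

```php
<?php
// Added example, not from the original post. Validates a contact-form
// submission and builds headers so that From:/Return-Path: stay on the
// hosting account and the visitor's address is only ever the Reply-To:.
// Assumed placeholders: SITE_FROM, SITE_TO, and the $_POST field names.

declare(strict_types=1);

const SITE_FROM = 'noreply@example.com';   // placeholder: a mailbox on your web hosting
const SITE_TO   = 'contact@example.com';   // placeholder: where form mail is delivered

// Returns the validated address, or null when the input is empty or is not
// exactly one well-formed email address. FILTER_VALIDATE_EMAIL rejects line
// breaks and extra text, so a value carrying an additional header line can
// never reach the mail headers. FILTER_SANITIZE_EMAIL is deliberately not
// used because it rewrites the value instead of rejecting it.
function validatedReplyTo(?string $input): ?string
{
    $email = trim((string) $input);
    if ($email === '') {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Any other value that ends up in a header (name, subject) must be a single
// line as well: refuse it rather than trying to clean it.
function singleLine(?string $input): ?string
{
    $value = trim((string) $input);
    return ($value === '' || preg_match('/[\r\n]/', $value)) ? null : $value;
}

// Returns [$subject, $headers, $body] ready for mail(), or null if any field fails.
function buildContactMail(array $post): ?array
{
    $replyTo = validatedReplyTo($post['email'] ?? null);
    $name    = singleLine($post['name'] ?? null);
    $subject = singleLine($post['subject'] ?? null);
    $message = trim((string) ($post['message'] ?? ''));
    if ($replyTo === null || $name === null || $subject === null || $message === '') {
        return null;
    }
    $headers = [
        'From'     => SITE_FROM,   // hosting account, never the visitor's address
        'Reply-To' => $replyTo,    // the validated visitor address
    ];
    $body = "From: $name\n\n$message";
    return [$subject, $headers, $body];
}

$mail = buildContactMail($_POST);
if ($mail === null) {
    http_response_code(400);
    echo 'Please fill in every field with a valid value.';
} else {
    [$subject, $headers, $body] = $mail;
    // The fifth argument sets the envelope sender, which is what becomes the
    // Return-Path:, so it too stays on the hosting account (sendmail-style MTA).
    mail(SITE_TO, $subject, $body, $headers, '-f' . SITE_FROM);
}
```

Because every rejected input short-circuits to a 400 response, a bot that posts a crafted address or a multi-line subject gets nothing sent at all, and the copy you receive is only ever one message to SITE_TO with your own hosting address as the sender.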
This leaderboard is set to New York/GMT-04:00