Contact Form Processing Products - for all your needs

FormMail • Form Encryption • Hosted Forms

FormMail Version History


This pages lists the complete version history of Tectite FormMail.

Originally, the version history was kept in the downloaded formmail.php file. However, in the interests of making the script smaller and more manageable, we've moved the version history to this page.

As you will see, Tectite FormMail has never stopped improving since its first website use in 2002 (first public release was 2003)!

The newest versions are shown first, with the latest "official" release at the top.

Version 10 (PHP 8+ only)

Version 10.03: 9-Dec-2022

Adds support for using a different "mail" function instead of the PHP built-in "mail" function.

Fixes a bug when using HttpPost with array data.

Version 10.02: 16-Aug-2022

Fixes some rare bugs, and supports older language packs.

Version 10.00: 5-Mar-2022

This is the first release of FormMail that supports PHP 8.

Also added new features to support problems with DNS validation of email address. The new settings are: EMAIL_VALIDATION_MAX_MONITORING_TIME_SECS & ALERT_ON_EMAIL_VALIDATION_FAILED.

Version 9 (PHP 5+ only)

Version 9.27: 10-Dec-2022

Adds support for using a different "mail" function instead of the PHP built-in "mail" function.

Fixes a bug when using HttpPost with array data.

Version 9.26: 12-Jan-2022

The ATTACK_DETECTION_URL_PATTERNS setting has been upgraded to recognize all current top level domains.

This means better detection for attacks that include URLs.

When you upgrade, your existing value will be replaced, so if you've made your own changes, you will have to manually copy your changes back into the upgraded file.

Version 9.25: 25-Sep-2021

The code has been updated in a few places to be more robust with later versions of PHP (e.g. PHP 7.3 & 7.4). This improvement particularly affects the use of Hook Scripts such as "".

Adds new TEST_PASSWORD setting to allow you prevent annoying (but harmless) attacks on your FormMail.

Version 9.24: 11-Sep-2021

Fixes a bug in version 9.23 whereby it generated an error if the "email" special field was empty. This happened for some customers who don't populate or derive the "email" field.

Version 9.23: 21-Aug-2021

  • Now performs fundamental checks on the email address field. New setting VALIDATE_EMAIL_DOMAIN controls whether the domain name is confirmed to have MX records.
  • Uses FIXED_SENDER for autoresponses.
  • Adds new FromName feature for autoresponses.
  • Junk detection now automatically ignores some technical fields.
  • Support for some additional hook scripts.
Do not use version 9.23. Use version 9.24 instead.

Version 9.22: 26-Jun-2021

Fixes some bugs triggered by recent versions of PHP. In particular with recognising conditions1, conditions2, fmcompute1, fmcompute2, and similar fields.

Version 9.21: 7-Dec-2020

Fixes bug in derive_fields (bug appeared v9.16).

Thanks to Ewen P for reporting this problem!

Version 9.20: 29-Nov-2020

Prevents deprecation error when used with PHP 7.4+.

Version 9.19: 8-Jul-2020

Eliminates error reports for derive_fields if you have ATTACK_DETECTION_IGNORE_ERRORS set.

Version 9.18: 19-Apr-2020

Fixed a bug in URL attack counting your own urls.

Version 9.17: 6-Nov-2018

Fixed bugs in testing "conditions" and loading error messages.

Add new hook script support - - to provide custom code execution on script exit.

Added support for complex PHP version numbers.

Now produces useful error messages if an uploaded file is larger than the configured size for PHP.

Added more URL patterns to detect more spam with that feature.

URL attack doesn't count your own urls.

SET_SENDER_FROM_EMAIL is no longer supported as it can be utilized by spammers.

Some internal code improvements including updates for recent PHP versions.

Version 9.15: 2-Dec-2017

More fixes for reCaptcha v2 (hopefully permanent).

Eliminates alert message from derive_fields errors when ATTACK_DETECTION_IGNORE_ERRORS is set to true.

Detect PHP version 5.6.0 and use peer_name instead of SNI_server_name.

Adds support for HTML5 field types (you should also upgrade to FMBadHandler version 1.23.)

URL counts for spam detection now exclude your own domain if configured in the SITE_DOMAIN setting.

Bug fix in some error messages.

Version 9.14: 19-Aug-2016

Early in August 2016, Google broke reCaptcha v2. About a week later it started working again, but not for everyone. This version of FormMail re-implements reCaptcha adhering strictly to the documentation provided. Check the How-To guide for changes to MAXSTRING that may be required (Fourth Step).

This version also ignores more types of spam when sending alerts.

Version 9.13: 18-Feb-2016

Different versions of PHP have trouble contacting the reCaptcha server. This version of FormMail hopefully works around the bugs in all the PHP versions.

Version 9.12: 5-Feb-2016

Work around a problem with reCaptcha v2 on some versions of PHP. Improved error reporting for conditions. Some code improvements.

Version 9.10: 10-Jan-2015

Implements version 2 of reCaptcha.

Version 9.09: 18-Nov-2014

Improves support for Ajax submission: allowing captcha errors to be reported via JavaScript.

Version 9.08: 23-Jun-2014

If you use FormMail's Hook System to include your own PHP functions, you can now call these using the "derive_fields" feature.

Version 9.07: 15-Jun-2014

Fixes a bug in handling $SOCKET_FILTERS. This bug was created during the transition from version 8 to version 9. Therefore, the bug does not exist in the version 8 series.

Version 9.06: 16-Feb-2014

Added explicit timezone setting to avoid PHP notices.
Interrogates session.use_only_cookies to control the appending of SESSION IDs to URLs. This avoids server errors with some servers.

Version 9.05: 7-Feb-2014

Versions 9.00 to 9.04 were beta releases only.

Support for PHP 5 only (PHP 4 is not supported by version 9 and above.)
Significant code refactoring.
All configuration settings are now variables - all settings that were constants have been converted to variables.
Removes duplicate isEmpty tests.
Code reformatting for new code style.
Added new hook script support:
Added more hook scripts for multi-page form processing.
Added "substr" derive_fields feature.

Version 8 (PHP 4 only)

Version 8.36: 17-Jul-2012

Improved Ajax form support, including CORS and improved error reporting. Formval.js version 6 or later is designed to work with FormMail 8.36.

Version 8.35: 4-Jul-2012

Implements additional hook functions. Now checks for active session before destroying it (can prevent unnecessary warnings).

Fixed bug which may prevent opening templates by URL and multipage form processing, on some servers.

Version 8.34: 13-Jun-2012

Fixes a bug in encoding header lines. Prior to this version FormMail was leaving spaces un-encoded (for readability) but this was incorrect according to RFC 2047. Thanks for Frank Hoffmann for the detailed bug report.

Version 8.33: 20-Mar-2012

This release rectifies the incorrect release of version 8.31.

Improved Ajax support and implementation.

Version 8.32: 20-Mar-2012 Not generally released

Added initial support for Ajax forms.

Version 8.31: 16-Mar-2012 Incorrect copy released - do not use

This version was released but then withdrawn shortly after. We discovered that an incorrect copy of the version was released, which had a fault in processing templates.

Implements HTMLFile for autorespond.

Implements two new include files - and You can put files with these names in your include path (or same folder as FormMail) and they'll be included in FormMail's processing. The former one, before FormMail's configuration section, and the latter one after it.

Improves upload file checking logic when using the "file_names" feature.

Improves logic for opening secure (SSL) URLs in PHP version 5.3.2 and later, by supporting Server Name Identification (SNI) protocol.

Version 8.30: 2-Oct-2011

Implements new "subs" feature in field template substitutions.

TEXT_SUBS default value has been changed to prevent HTML attacks with this new feature.

Version 8.29: 12-July-2011

Fixes a bug (introduced in version 8.27) that caused email templates utilizing UTF-8, and possibly other non-English language character sets, to not display the correct characters.

Version 8.28: 23-May-2011

This version is identical to 8.27, except that it also works on PHP 4.

Version 8.27 included code that would only work on PHP 5.

Version 8.27: 20-May-2011

New configuration setting $ALLOW_GET_METHOD to allow forms to submit to FormMail using the GET method. The default is to disable GET method. Previously, FormMail supported the GET method without additional configuration, but this caused certain security scan software to claim a security vulnerability.

If your forms currently use the GET method, then you'll need to set $ALLOW_GET_METHOD to "true" if you upgrade to this or a later version.

Fixes a limitation introduced in version 8.23. From that version, for security reasons, template_list_sep could no longer contain HTML codes. The new feature $TEXT_SUBS (see below) overcomes this limitation without compromising security.

New configuration setting $TEXT_SUBS. This allows you to specify patterns that get subsituted for other text, including HTML code. These substitutions currently only work on list separators within template expansions.

Adds new template substitution feature "sep", allowing you to specify a different list separator for a particular variable expansion.

Improved filter processing to use a separate temporary file for error output.

Version 8.26: not generally released

Added new "mail_options" feature called "AlwaysEmailFiles". If you use $FILE_REPOSITORY to store uploaded files on your server, using AlwaysEmailFiles tells FormMail to email the files as attachments in addition to storing the files in the repository.

Version 8.25: 30-Sep-2010

Removed some code duplication.

FormMail now handles redirects from the web server when opening template files by URL.

In particular, this allows FormMail to work with WordPress sites.

The redirect handling has also been implemented in FMBadHandler version 1.22.

FormMail and FMBadHandler now support an alternative tag format for error templates, e.g. [fmerror /]. This allows you to create error templates in CMS systems (such as WordPress) that strip non-HTML tags that use <...>.

Version 8.24: 12-May-2010

This version became the default release on 6-Sep-2010.

  1. Fixed bug in SaveAllFilesToRepository and DeleteFileFromRepository. In most situations, the bug was largely harmless as it simply failed to detect a missing $FILE_REPOSITORY value.
  2. Implemented a new feature to allow uploaded files to be filtered. If you specify a filter, and specify file field names in the "filter_files" list, those file uploads will be filtered before being stored in the repository or attached to the email.
    The main use for this is to encrypt uploaded files, but any filter can be used.
  3. "About FormMail" now provides a hyperlink with the word "FormMail" and some other wording changes.

Version 8.23: 18-Mar-2010

Fixed incorrect documentation URL.

Fixed bug in handling redirects to URLs with an anchor (#anchor).

Reverse Captcha fields are now excluded from the normal submitted fields.

Fixed bug in handling list arrays (i.e. multiple-selection selects and checkboxes). FormMail didn't handle indexed field names:


Also it didn't correctly check for an empty array. It no longer provides "<invalid list>" as a value, as this situation is handled on a per-element basis.

Special case email formatting (when there is just a single field plus special fields) was not including the CharSet in the email header. This is now fixed.

Improved code so that referencing an array field value (e.g. multiple selection box) returns a semicolon-separated list of the values. This is useful in derive_fields and conditions.

Added new format specifications for CSV fields. This feature is now available for "csvcolumns" and "filter_fields" (when using the built-in CSV filter).

The WriteCSVFile function now uses the CSVFormat class thereby reducing the code duplication.

Fixed PHP error due to missing MSG_SPARE message.

Fixed a long standing bug (recently reported) where the title on the default "thank you" page was "Form Submission Error". This has been changed to "Form Submission Succeeded". These titles are now part of the language messages and can therefore be translated.

Fixed a long standing bug. The "About FormMail" message shown on default pages did not include the name of the product. This bug has been there since about version 3.00.

Titles on debug pages have been added.

The MSG_USER_ATTACK_REV_CAP message has been expanded to be more helpful.

Version 8.22: 16-Feb-2010

Alerts from reCaptcha processing now include the error details reported by reCaptcha.

Fixes for problems with Swedish characters in UTF-8:

  • Added a workaround for an apparent bug in PHP's preg_replace function (the [:cntrl:] character class was incorrectly matching parts of UTF-8 character sequences sometimes).
  • New implementation of Quoted Printable processing.

Refactored all code using string indexes from the deprecated $var{$index} to the current $var[$index].

Fixes a bug in fmerroritemlist processing. An incorrect <br> tags was being included.

Default pages from FormMail (i.e. CreatePage function) now produce XHTML output.

Version 8.21: 4-Jan-2010

Version 8.21 fixes a problem with 8.20 where some old code from 8.12 was re-introduced. This old code meant you must use TemplateMissing to deal with empty fields when using templates.

This means...

FormMail 8.21 does not generate an error when a template is processed and fields are missing. In version 8.20, TemplateMissing was necessary if a field was not supplied (submitted on the form) during template processing. FormMail now substitutes an empty value for a missing field. You can use TemplateMissing to provide a different value.

Version 8.20: 18-Dec-2009

Upgrade to this version (or later) of FormMail if you use PHP version 5 or later. As usual, this version of FormMail also works with PHP 4.

Re-implemented network processing code. This resolves some slowness problems in some versions of PHP when using $TEMPLATEURL and $MULTIFORMURL. It also allows FormMail to access URLs when a domain name resolves to multiple IP addresses (FormMail can now try each IP address).

This new network code also removes the use of "fopen" from common URL processing.

Implemented handy FMDebug function.

New template features "lines" and "chars".

If you're using Advanced Templates and you have a template that you don't want to use Advanced Template features, you can now put the string "FormMail-Basic-Template" in your template (e.g. inside a comment) and FormMail will skip the Advanced Template processing.

Re-implemented some code to work with PHP 5.2.6 and later. If you use our verifyimg.php, you must also upgrade that to work with PHP 5.2.6 or later.

Implemented reCaptcha support.

Re-factored code for processing Auto Responses to work with reCaptcha. The logic sequence is different now, so if you currently use FormMail autoresponding, please make sure you test thoroughly before and after you upgrade FormMail. If you have problems after upgrading, restore to your working version and contact us for assistance.

Implemented new PlainFile feature for autoresponding. This allows you to autorespond with a fixed file and without the need for full CAPTCHA (which is still mandatory if you use a template). For PlainFile, you only need to implement Reverse CAPTCHA.

Previously, form results would be sent regardless autoresponse processing. FormMail now confirms that autoresponse processing will be successful before sending form results. This means that the user must have passed the CAPTCHA or Reverse CAPTCHA tests for a specified autoresponse. FormMail has no way of determining whether sending an email as an autorepsonse will work, so this cannot be tested.

Improved bad_url (FMBadHandler) logic in multi-page forms so that the correct User Agent is used.

INI file errors and potential errors now generate errors or alerts.

Fixed some minor coding errors (e.g. argument missing to GetDerivedValue).

Improved to put this_form and bad_template in the session (this fixes problems on some servers). Requires FMBadHandler version 1.20 or later.

Version 8.16: 21-July-2009

Implemented support for international characters in email header lines. Currently, only From and Subject lines are supported (all header lines may be supported in a future version, but this requires a large amount of code to be added to FormMail).

Alerts now include HTTP_USER_AGENT information.

Junk detection now includes "realname" and "subject" fields in the detection.

Added new configuration setting ATTACK_DETECTION_JUNK_IGNORE_FIELDS. This allows you to specify fields to be ignored during junk detection.

Fixes a minor bug with env_report. Previously, attaching a file would cause the report to be missing. env_report now operates correctly with all plain text emails. HTML emails don't show the env_report and you need to use the derive_fields feature to access and display this information. The documentation has been updated to mention this.

Version 8.15: 19-May-2009

Fixed bug with env_report: the env_report was being generated even if you didn't specify this in your form. In this case, it would produce an empty report except for a line of ================.

Fixed minor bug with substituting special fields in templates. In this case, empty special fields would never be replaced with your TemplateMissing value; they would always be replaced with an empty value.

Added support for new FromLineStyle feature in mail_options.

More effort to make the email "From line" safe/valid. No security issues here, just more effort to prevent invalid syntax in the email headers. This is related to the new FromLineStyle feature.

Simplified some code.

Updated comments at top of file.

Version 8.14: 6-Apr-2009

Added new ATTACK_DETECTION_JUNK feature for detecting junk spam.

Email address fields (e.g. recipients) can now be supplied as arrays.

Alert messages now un-convert HTML entities such as &quot;, for readability. This only works on PHP 4.3.0 and later (i.e. almost all PHP installations).

Attack detection now provides more feedback to the user on the default page. Some attacks are clearly the work of bots, and no additional feedback is provided in those cases.

Version 8.13: 20-Mar-2009

Fixes a bug when used with PHP 5 and PEAR: PEAR errors would not be detected in some cases. Only affects error reporting for customers who use PEAR for sending email with PHP 5.

Fixes a bug when returning to a form. If the user entered $ or \ characters in a field value, they could be misinterpreted and the value not re-entered properly. For example, "$1234" would be re-entered as "34". Similarly, "\3456" would be re-entered as "56".

This type of data entry by users is quite unusual, which is probably why this bug has not been reported until now.

This bug was triggered by PHP's preg_replace function and may not have been present in some earlier versions of PHP.

The bug occurs in returning to a form in a multi-page form sequence or after an error (via FMBadHandler).

Therefore, if you use FMBadHandler, you should update it too (to version 1.18).

Improved the new SESSION_ACCESS feature so that multi-page forms can use previously saved SESSION_ACCESS values.

Replaced the original logic that substituted all double-quotes with single-quotes in all fields submitted. This original logic was designed to prevent some hacks on forms and in email headers. The form processing code is proven safe without this logic, and we've now updated the email header processing to ensure double quotes are properly escaped ('quoted') according to the internet email standard RFC 2822.

FormMail no longer generates an error when a template is processed and fields are missing. Previously, TemplateMissing was necessary if a field was not supplied (submitted on the form) during template processing. FormMail now substitutes an empty value for a missing field. You can use TemplateMissing to provide a different value.

Image verification for autoresponse with verifyimg.php is now case-insensitive.

New feature added to complex file upload processing in multi-page forms. You can now distinguish between a file previously uploaded and stored in the repository and a file newly uploaded by a fresh submission of the form. As an example, if the file upload field is called "uploadedfile", then "$uploadedfile" refers to the file just uploaded (if any) and "$repository_uploadedfile" refers to the file previously uploaded and stored in the repository. The How-To guide documents this new feature.

NOTE: if you currently use multi-page forms AND file uploads AND a file repository with a version of FormMail prior to 8.13 you will need to carefully test your forms and may need to change your forms to work with this new version (or any future version).

Version 8.12: 11-Feb-2009

This version fixes a bug in complex file upload processing with multipage forms.

This bug affects very few customers.

Previously, deriving a value from a file field (i.e. an uploaded file name) would not get the correct value if a new file (replacement file) was uploaded when going backwards and forwards in a multipage form sequence.

Computation Module messages sent as a FormMail Alert now have their HTML tags stripped. This makes them easier to read.

Version 8.11: 2-Dec-2008

Important bug-fix and improvement release.

Upgrade to this version AS SOON AS POSSIBLE.

This update fixes Cross-Site Scripting (XSS) Vulnerabilities.

If you use FMBadHandler, you should upgrade to version 1.17 (or later) too. The new version is available here.

Other improvements...

Improves processing of multi-page forms.

Added new function (FMDeleteFileFromRepository) for use with the Computation Module (for deleting files from the repository).

Files uploaded to the repository are now persistent through all of a multi-page form process.

Fixed a problem with multi-page forms: if the user left your site and then returned to the first page of your multi-page form, some of their old data may be used in the processing.

Adds new configuration settings SESSION_ACCESS and DESTROY_SESSION. If DESTROY_SESSION is set to false, FormMail now simply unsets the session variables it creates. This allows it to work better with websites that use PHP sessions.

SESSION_ACCESS: FormMail can now access and update specific variables in the PHP session. This is useful for interacting with a website's session and for handling file uploads and next-numbers with multi-page forms.

Added new FMNextNum function available for computations.

Improved structure of the final lines of code to better reflect the actual logic. Added a comment about this.

Due to some confusion when errors are displayed, FormMail's default error page no longer includes a link to our website.

Hook system files can now be named as .inc.php (which is more secure). .inc is now deprecated. The language file can now be named .inc.php.

Improved testlang to skip some PHP messages.

Version 8.10: 14-Nov-2008

Important bug-fix and improvement release.

Major bug fix: McAfee Scans were able to bypass the imgverify (CAPTCHA) check. This problem has now been resolved. Note: the only effect of this bug was that you might receive form spam even if you had CAPTCHA installed. Your server is secure. The bug did *not* affect arverify (auto-responding).

Fixed some minor bugs.

Improved some code consistency.

Content type (charset) is now set from a loaded language file (if used). The charset is now included in a Content-Type header line in alert messages. This should make alert messages more readable for some languages.

Updated copyright and quick start information.

Image checking for verifyimg was case-sensitive, now it is case-insensitive.

Improved MSG_ATTACK_PAGE to make the actual website more clear. Improved some other messages to the user to make the actual website more clear. Some users would contact instead of the website owner in the case of problems.

Email header lines have been re-ordered as recommended (not required) by RFC822. This should help some broken email systems to work with CC: lines (such as Yahoo).

Fixed a problem with redirecting to good_url when $TEMPLATEURL is used and JavaScript is switched off in the user's browser.

In some cases, multiple copies of the PHP session ID could be added to URLs. This problem should now be resolved.

Refactored email checking code ($TARGET_EMAIL etc.) into a class.

Major new features...

Added configuration setting $REQUIRE_CAPTCHA - an easier way to enforce CAPTCHA processing for your forms.

Added inbuilt support for Reverse Captcha (CAPTCHA protection without images).

Now supports "replyto" special field to set Reply-To header lines. However, we can't find many email clients that actually use Reply-To header lines. Microsoft Outlook does, though.

Email addresses stored in an INI file no longer have to be additionally permitted using $TARGET_EMAIL. Addresses that are automatically permitted are from the [email_addresses] section and from "recipients", "cc", and "bcc" special fields.

Version 8.05: 07-Apr-2008

Added new configuration setting FIXED_SENDER. This can be used in conjunction with SENDMAIL_F_OPTION to set the sender for form results without affecting the "From" address.

Version 8.04: 26-Mar-2008

Fixed a bug in sending alert messages when a filter was in use. In some situations the actual error message was not included in the alert.

Added new built-in filter for generating CSV output. This is useful if you want to attach a CSV file to your email and use a PlainTemplate for the body of the email.

Improved the alert sending so that if the filter is not an encrypting filter (such as the new CSV filter), then the content is not filtered. This means that only encrypting filters will now encrypt the alert message content.

Updated FILTER_ATTRIBS configuration for the standard encoding (FormMailEncoder) filters. The MIME type is now "application/vnd.fmencoded" which works better on Linux systems with FormMailDecoder running in Wine.

Version 8.03: 15-Aug-2007

Added new PHP file upload error messages.

Fixed a problem with the $ATTACK_DETECTION_URL_PATTERNS configuration setting. It was erroneously detecting email addresses as being URLs if the domain name in the URL contained a hyphen.

Improvements to session handling in complex environments.

Improved error message in CRM communications.

Version 8.02: 5-Jul-2007

(Version 8.01 was not generally released.)

Version 8.02 fixes a bug in the URL Attack Detection. Certain "<a href=" formatting was not being detected. Note that the only affect of this bug is that it would allow certain spam attacks through to the form recipients. Your server could not be compromised by this issue.

Fixed an old and very minor bug that probably nobody ever noticed. The DupHeader feature specified in mail_options failed to put the "From: " prefix before the from line and didn't properly terminate it with a line feed (BODY_LF). The To and CC lines were fine. From line is now correct.

Adds support for sHTMLCharSet setting in language packs. This allows language packs (such as Polish) to specify the Character Set or Code Page required for displaying the messages.

Added new ATTACK_DETECTION_URL_PATTERNS configuration setting. This setting allows you to configure additional patterns that will be recognized as URLs.

Some email clients convert anything that looks like a URL to a clickable link. In reality, a URL must begin with http:// or similar or be part of an HTML anchor tag: <a href="...">, but some email clients are much more liberal with their interpretation of your email! This type of "feature" in these email clients plays into the hands of spammers!

The ATTACK_DETECTION_URL_PATTERNS patterns are designed to detect most spammer links that might be targeting these particular email clients.

Some Top Level Domains are not included in the patterns because they are very unlikely to be used by spammers. For example, spammers are not likely to send URLs of .gov domains. Also, these patterns exclude email addresses - email addresses are not spammer links.

Added support for a commercial CAPTCHA (Image Verification) product called Captcha Creator (

Version 8.00: 24-Apr-2007

This upgrade moves the configuration documentation from the formmail.php file to our main website.

It also moves the complete version history to this page.

Other changes:

  • The configuration section has been moved closer to the top of the file.
  • The ATTACK_DETECTION_MIME feature now checks the "subject" field as well because we've had reports of MIME injections targeting that field. Note: all versions of Tectite FormMail are invulnerable to this attack, but it can result in you receiving annoying alert messages.
  • The ATTACK_DETECTION_SPECIALS feature now has an additional configuration setting called "ATTACK_DETECTION_SPECIALS_LIST". This lists the fields that will be used in this attack detection, allowing easy re-configuration. We've also added the "subject" field to the list, so if you expect your subject field to include email addresses, you'll need to remove that field from the list.
  • Reworded some of the initial comments at the top the file.
  • Fixed some typographical errors in comments.

Version 7

Version 7.15: 6-Mar-2007

Added another case where a filtered alert message will show the email and realname fields.

Fixes a bug in the Filter processing whereby php_errormsg may not be shown when the filter fails.

Version 7.14: 2-Mar-2007

Alert messages containing user data are filtered through the specified filter for security reasons (e.g. you don't want credit card details sent in plain text in an alert message. Up to this version all fields on the form were filter in these alerts.

However, some customers support end-users and don't have the end-user's decryption key. This means it's been hard to know whether there's a real error or just some spammer activity.

In the general case, it's also a pain to decrypt an alert message just to find it's something you could have ignored.

From version 7.14, FormMail only filters (e.g. encrypts) the fields specified in filter_fields when sending and alert message. If no filter_fields is specified, all fields are still encrypted but email and realname are shown in plain text in the alert.

Empty addresses in recipients, cc, and bcc are now silently ignored (no alert), provided there's at least one valid address.

Added new configuration ATTACK_DETECTION_URL. This allows you to redirect the browser to a page or your own design if an attack is detected. The default is a simple page generated from FormMail.

Added new configuration ATTACK_DETECTION_IGNORE_ERRORS. This allows you to configure FormMail to ignore certain errors that spammers may try to use to send you spam via alert messages.

Added new configuration ATTACK_DETECTION_MANY_URL_FIELDS. This allows you to configure FormMail to detect yet another type of spam attack. Again, FormMail is invulnerable to this attack and your server has always been safe, but this configuration allows you to prevent annoying alert messages being sent to you when it is detected.

Improved the default attack detection page generated from FormMail to include a link to a page on our site that explains the message in detail.

Added new FromAddr feature for autoresponding. You can now set the Sender and From address for emails sent in an autoresponse:

<input type="hidden" name="autorespond" value="...,FromAddr=address,..." />

The address can use AT_MANGLE and it can be an INI file email_address.

Fixed some typos in the version history below.

Fixed a rare bug in multi-page form sequences. Here's the case where the bug would appear:

  1. you have more than one multi-page form on your website
  2. users can start one form multi-page form and then jump to another one (e.g. by clicking a link on your site's navigation)
  3. the user gets to the 2nd or later page of one multi-page form and then jumps to the start of the second multi-page form
  4. the values they had from the first multi-page form "infect" the processing of the second multi-page form. If the two multi-page forms use the same field names, this can cause problems.

As I said, it's pretty rare.

Version 7.13: 5-Jan-2007

Added new ATTACK_DETECTION_MANY_URLS feature (default disabled) which detects a recent spam attack technique for forms.

Version 7.12: 5-Oct-2006

A minor bug fix and several minor improvements.

Added support for new Advanced Templates (requires the FormMail Computation Module).

Added new FILE_OVERWRITE configuration setting.

This controls whether existing files will be overwritten during a file upload to the repository (only if using FILE_REPOSITORY)

Added NEXT_NUM_FILE configuration setting. This is a new feature that allows you to generate unique numbers (sequentially generated) for your form submissions.

Added CLEANUP_TIME and CLEANUP_CHANCE configuration settings.

Currently, these are only used with file uploads. They specify how to cleanup the scratchpad directory from old file uploads.

Added new derive_fields functions:


returns the extension of a file


returns the field value converted to upper case


returns the field value converted to lower case


returns the field value with blanks trimmed from the left


returns the field value with blanks trimmed from the right


returns the field value with blanks trimmed from the left and the right


returns the field value with blanks and leading zeroes trimmed from the left


returns a unique number

Template field substitutions can now include options. The only option currently provided is "nobr":


nobr prevents new lines in the field from being replaced with HTML <br /> tags. This is particularly useful for textarea fields.

Improvements to the file uploading feature so that files can be uploaded by early pages in a multi-page form sequence. Previously, only the last page could successfully upload files.

Version 7.11: 25-Sep-2006

Fixed typographical error in defining the FILE_MODE constant. This typo appears to be harmless as PHP handled it automatically.

Added new configuration option, SET_SENDER_FROM_EMAIL, to support yet another server requirement for sending email.

Added extensive description of the email logic since different and conflicting server requirements are making it very difficult to understand.

Fixed bug in handling multiple email addresses in the INI file (specifically, a list of email addresses for a word in the [email_addresses] section of the INI file).

Version 7.10: 07-July-2006

Fixes a vulnerability involving file uploads to the server. To be vulnerable, you would need all of these statements to be true:

  1. You are using version 7.06 thru 7.09 of FormMail.
  2. You have set FILEUPLOADS to true in FormMail's configuration.
  3. You have set $FILE_REPOSITORY in FormMail's configuration.

If any of these statements is false, then you are not vulnerable.

The exploit for the vulnerability (which we won't publish at this time) is complex and specific to each server. In most cases it will not succeed because the web server software cannot write to arbitrary files on the server.

We detected this problem though our QA procedures, and we have received no reports of any exploits.

Mitigating this vulnerability is the fact that the documentation for file uploading to the server was only published in mid-June 2006. Also, while there are a large number of users of the vulnerable versions, very few enable file uploads to the server.

Version 7.09: 30-May-2006

Fixes a bug in using FromAddr (mail_options) with AT_MANGLE on some servers (those that require SENDMAIL_F_OPTION and/or INI_SET_FROM). Prior to this version, the FromAddr was not un-mangled before setting it for the server.

Version 7.08: 28-Feb-2006

Alerts now show the IP address of the user. Fixed minor issue in last version with showing the 'this_form' in alerts.

Fixed some code formatting that had gone wonky.

Implemented a new special field called "file_names". This is similar in syntax to "derive_fields" and allows you to provide different names for uploaded files.

Empty derivations are now ignored - previously an alert was generated.

Version 7.07: 18-Feb-2006

Fixes a minor problem with using a file field name in good_template when the file has been stored on the server.

Alert messages now show the referring page or the 'this_form' field so you can identify which form generated the alert.

Implemented a Hook System. This allows you to include a PHP file within FormMail at various points.

Implemented an "if" function for use when deriving fields.

Version 7.06: 14-Feb-2006

Added support for a form INI file. This allows you to set special fields and provide secret email addresses outside of the HTML form.

Fixed a problem with processing conditions in the specified order. This problem would occur if you specified conditions7, conditions2, conditions1 in that order. Now they will be processed in the order specified by their numeric ID.

Added support for uploading the files to the server instead of attaching them.

Added support for imgverify special field. You can now prevent form submission unless this matches the CAPTCHA string from verifyimg.php.

A missing image verification string in the session is now reported as a system error (for imgverify or arverify). It indicates a failure in the PHP session processing.

Added more features for handling file uploads. A file field can now:

  • be tested in "conditions" and "required". For "required", the value of the file field is the name of the file uploaded from the user's computer. Similarly for "conditions" on string testing. For "conditions" performing numeric comparisons, the file field expands to the size of the uploaded file in bytes.
  • be used to derive other fields. The name of the file is expanded in the derivation.
  • be used in templates. The name of the file is expanded in the derivation.
  • the size of a file can now be used to derive a field:
    fieldname = %size(filefield)%

Improved IsFieldEmpty function to handle array values. This is really for future accuracy, as it shouldn't affect any current processing.

Version 7.05: 27-Oct-2005

Added support for HTTP authentication when using FMBadHandler. FormMail now sends the name and password to FMBadHandler so that it can return to the form.

Added support for HTTP authentication when using multi-page forms. This is only needed when returning to the first page, as all other pages are templates.

Version 7.04: 26-Sep-2005

Removed parentheses which previously surrounded message numbers. Added new optional "mnums=no" parameter when using "testlang=1"

Fixed bug in matching "selected" and "checked" attributes when processing multi-page forms. This bug only occurred under rare circumstances. An example is:

<option value="Unselected">

In this case, previous versions of FormMail would incorrectly match "selected" in the string "Unselected". Similarly for "checked". (This bug was also fixed in version 1.10 of FMBadHandler).

Version 7.03: 24-Sep-2005

Previously, when using multi-page forms on an SSL (HTTPS) connection, the return link for error handling was formatted like: http://yourdomain:443/.../formmail.php

This is technically valid, but was a nuisance, especially when trying to compare this with your $TARGET_URLS settings. Version 7.03 improves this so that the return link is more conventional when using an SSL connection: https://yourdomain/.../formmail.php

Added Attack Detection. FormMail has always been invulnerable to the attacks it now detects, so Attack Detection is merely to prevent annoying alert messages being sent to you when FormMail is attacked without you having to switch off all alert messages.

Added new configuration setting $bShowMesgNumbers which allows you to control whether message numbers are shown with messages. The default is now "off" - as requested by numerous customers.

Version 7.02: 18-Sep-2005

Fixed bug in Multi-page forms. Some internal values were not being set with the right form field values. This meant that CSV files, for example, didn't store any data from previous pages in the sequence.

Fixed bug in Multi-page forms whereby later field values were overwritten by earlier ones. For example:

    Page 1: set field "abc" to 50
    Page 2: set field "abc" to 60
    Page 3: sees field "abc" as value 50

Added support for "Forward Remembrance" with Multi-page forms. This means that if a user enters a value on page N, then goes back to previous pages and then moves forward back to page N, they value they entered is restored to the page. This feature requires the use of "multi_keep" to tell FormMail which fields are to be remember this way. The sample package called "" (downloadable from our website) demonstrates this feature.

Version 7.01: 20-May-2005

Added new configuration setting CHECK_DAYS. The default is 30, so now version checks only happen every 30 days instead of every 3 days.

Mods for old versions of PHP:

  • "include" is now prefixed with the @ error control operator
  • all "fgets" calls now have the length parameter

For Safe Mode operation, chdir for filters now only happens if the directory is not the current directory. This means you can put the filter command in the same directory as formmail.php and there's a better chance it will work if PHP is in Safe Mode.

Version 7.00: 18-Apr-2005

Fixed some typographical errors in comments. Improved some configuration section documentation. Added new configuration settings:


name of the PHP session to use


name of the fmcompute.php file


name of the fmgeoip.php file

Added processing of <fmusererror></fmusererror> tags in error templates (these were only processed by FMBadHandler until now).

Added support for new <fmsyserror></fmsyserror> tags in error templates.

Added multi-page form support, which adds these new configuration settings:


Improved use of $SET_REAL_DOCUMENT_ROOT so $REAL_DOCUMENT_ROOT is set from it before it is used in the default "encode" setting.

Versions 6 through 1

The remaining version history isn't nicely formatted and is only recorded here for completeness.