Is this mail() function safe from header injection?

Frontend | unresolved | 3 answers | 1108 views
北荒 2020-12-10 04:31

I'm building a simple contact form for a website. It does not connect to a database, it just sends the email. Will this code prevent spammers from using header injections?

3 answers
  •  借酒劲吻你
    2020-12-10 05:18

    IMHO, your code is not secure, as you miss the \r and \n characters. filter_var() only kills those if FILTER_SANITIZE_STRING is used in conjunction with FILTER_FLAG_STRIP_LOW, which will also filter out any characters below ASCII 32:

    $message= filter_var($_POST['Message'], 
                         FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
    

    Also, FILTER_VALIDATE_EMAIL will return a true or false, which you also do not account for. I recommend checking out this excellent source for filter_var(), as the main PHP manual is very short on information.


    Update: As Alnitak pointed out, because of the \n\n in the code, this actually doesn't matter.
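To make the point of the answer concrete, here is an added example (not code from the question or the answer) showing how CR/LF in a form field becomes header injection and how a contact form can reject it. The field names Name, Email and Message, the recipient address and the helper names are assumptions for illustration. The rule it applies: anything that ends up in a header is checked for CR/LF (or validated with FILTER_VALIDATE_EMAIL, which never accepts an address containing line breaks), while the message itself only ever goes into the body, after the blank line that terminates the headers, where line breaks are harmless.

```php
<?php
declare(strict_types=1);

// Added example. Returns true if a value could break out of a header line:
// an injected "\r\nBcc: list@example.org" would add recipients to the mail.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Validates the (assumed) contact-form fields. Returns 'ok', a list of
// 'errors' and the cleaned values that are safe to use.
function validateContactForm(array $post): array
{
    $errors = [];

    // FILTER_VALIDATE_EMAIL returns the address string on success and false
    // otherwise, so the result has to be compared against false, not used as
    // a boolean. An address containing CR/LF never validates.
    $email = filter_var(trim((string) ($post['Email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'Email address is invalid.';
    }

    // The name is placed in the Reply-To header, so it is restricted to an
    // allowlist (letters, digits, space, dot, apostrophe, hyphen). That rules
    // out CR/LF as well as <, > and quotes that would confuse the header.
    $name = trim((string) ($post['Name'] ?? ''));
    if ($name === '' || strlen($name) > 100
        || hasHeaderInjection($name)
        || preg_match("/^[\\p{L}\\p{N} .'-]+$/u", $name) !== 1) {
        $errors[] = 'Name is missing, too long, or contains disallowed characters.';
    }

    // The message goes only into the body, so newlines are fine there.
    // A size cap still limits abuse of the form as a spam relay.
    $message = (string) ($post['Message'] ?? '');
    if (trim($message) === '' || strlen($message) > 10000) {
        $errors[] = 'Message is empty or too long.';
    }

    return [
        'ok'      => $errors === [],
        'errors'  => $errors,
        'email'   => $email === false ? null : $email,
        'name'    => $name,
        'message' => $message,
    ];
}

// Builds the argument list for mail() without raw user input in any header.
// From is a fixed site address; the visitor's address is used only as
// Reply-To after validation. Returns null when validation failed.
// (Array headers require PHP 7.2 or later.)
function buildMail(array $post, string $to, string $fromAddress): ?array
{
    $v = validateContactForm($post);
    if (!$v['ok']) {
        return null;
    }
    $headers = [
        'From'         => $fromAddress,
        'Reply-To'     => sprintf('%s <%s>', $v['name'], $v['email']),
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    $body = "Message from {$v['name']} <{$v['email']}>:\n\n{$v['message']}";
    return [$to, 'Website contact form', $body, $headers];
}

// Constructed sample submissions for the demonstration (not real data).
$benign = [
    'Name'    => 'Jane Doe',
    'Email'   => 'jane@example.com',
    'Message' => "Hello,\nplease call me back.",
];
$hostile = [
    'Name'    => 'Jane Doe',
    'Email'   => "jane@example.com\r\nBcc: victim1@example.org, victim2@example.org",
    'Message' => 'unsolicited advertisement',
];

$good = validateContactForm($benign);
$bad  = validateContactForm($hostile);
printf("benign ok: %s\n", $good['ok'] ? 'yes' : 'no');
printf("hostile ok: %s (%s)\n", $bad['ok'] ? 'yes' : 'no', implode(' ', $bad['errors']));

$args = buildMail($benign, 'contact@example.com', 'noreply@example.com');
if ($args !== null) {
    // mail(...$args);  // actual send omitted so the example runs without an MTA
    echo "Would send to {$args[0]} with headers: ", json_encode($args[3]), "\n";
}
```

Two things worth noting when adapting this. FILTER_SANITIZE_STRING, which the answer above relies on, is deprecated as of PHP 8.1, so an explicit CR/LF check or an allowlist as in hasHeaderInjection() and the name regex is the more durable choice for header fields. And keeping From fixed to a site address rather than the visitor's address avoids both spoofing and SPF/DMARC failures at the receiving side; the visitor's address belongs in Reply-To only after it has passed FILTER_VALIDATE_EMAIL.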
