Given a contact form that accepts custom user input (e.g. address, subject line, message), what are some security implications and "gotchas" to be careful of?
At a
Ensure that people cannot inject line breaks in anything but the body. Additionally, make the recipient static and never pass it e.g. through a hidden form field. However, adding such a field is not a bad idea; but block the IP if it's not set to the expected value - then your client is probably a spam bot.
If you are using the fourth argument, the optional headers, watch for insertion of extra headers if you are doing something like this...
mail($to, $subject, $message, "From: $email"); // $email is interpolated into the headers unchecked
If $email comes from user input and is not sanitized, a user could enter something like...
\n\rCC:spammer@spamzilla.com
You can avoid this by filtering out \n and \r, or validating $email using the filter_var($email, FILTER_VALIDATE_EMAIL) function.
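As an added example (not code from either answer above), one way to apply these checks in PHP before anything reaches mail(): line breaks are rejected in every header-bound field, the address goes through FILTER_VALIDATE_EMAIL, and the recipient is a constant rather than a form value. The field names, the recipient address and the helper names are assumptions.

```php
<?php
// Added example: validate contact-form fields before they reach mail(),
// so a CR/LF from the user can never become an extra mail header.
// Assumed: form posts 'email', 'subject', 'message'; recipient is illustrative.

const CONTACT_RECIPIENT = 'contact@example.com'; // static, never taken from the form

function header_safe_email(string $email): ?string
{
    // Reject any CR or LF outright, then let PHP's validator check the address shape.
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function header_safe_line(string $value, int $maxLen = 200): ?string
{
    // Subject and other single-line fields must not contain line breaks either.
    if (preg_match('/[\r\n]/', $value) === 1 || strlen($value) > $maxLen) {
        return null;
    }
    return trim($value);
}

function build_contact_mail(array $post): ?array
{
    $email   = header_safe_email((string) ($post['email'] ?? ''));
    $subject = header_safe_line((string) ($post['subject'] ?? ''));
    if ($email === null || $subject === null) {
        return null; // reject the submission instead of trying to "clean" it
    }
    // Only validated values are interpolated into the header argument;
    // the body is the one field where line breaks are legitimate.
    return [
        'to'      => CONTACT_RECIPIENT,
        'subject' => $subject,
        'message' => (string) ($post['message'] ?? ''),
        'headers' => "From: $email\r\nReply-To: $email",
    ];
}

// Constructed inputs: the injection attempt from the answer above is rejected
// (null), while an ordinary address produces a usable argument set for mail().
$injected = ['email' => "a@b.com\n\rCC:spammer@spamzilla.com", 'subject' => 'Hi', 'message' => 'x'];
$normal   = ['email' => 'a@b.com', 'subject' => 'Hi', 'message' => "line one\nline two"];
var_dump(build_contact_mail($injected));
var_dump(build_contact_mail($normal));
```

The result array maps directly onto mail($m['to'], $m['subject'], $m['message'], $m['headers']); a null return should end the request with an error rather than fall back to sending.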