What are the risks associated with Email Header Injection in PHP?
Email Header Injection in PHP occurs when user input is placed into email headers without proper validation or sanitization. Because headers are separated by line breaks (CR/LF), an input containing a newline lets a malicious user terminate the current header and inject additional headers (for example extra recipients) or modify existing ones. This can lead to email spoofing, phishing attacks, and abuse of the server as a spam relay. To prevent Email Header Injection, always validate user input and reject or strip line breaks before using it in email headers.
// Validate user input before using it in email headers.
// FILTER_VALIDATE_EMAIL rejects addresses with line breaks or other junk;
// FILTER_SANITIZE_STRING (deprecated since PHP 8.1) does not remove CR/LF.
$to = filter_var($_POST['to'] ?? '', FILTER_VALIDATE_EMAIL);
if ($to === false) {
    exit('Invalid recipient address');
}
// Strip CR/LF so the subject cannot terminate the header line and start a new one
$subject = str_replace(["\r", "\n"], '', $_POST['subject'] ?? '');
// The body is not a header, so line breaks are allowed here
$message = $_POST['message'] ?? '';
// Send email using validated input; From and Reply-To are fixed server-side values
$headers = 'From: webmaster@example.com' . "\r\n" .
    'Reply-To: webmaster@example.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
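The following is an added example, not code from the original answer: it shows how to centralise the header check in a reusable function that rejects (rather than silently trims) any value containing a line break, and runs it over a few constructed form submissions so the rejection is visible. The function names (`safe_header_value`, `safe_recipient`, `build_headers`) and the sample inputs are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Reject any header value that could terminate the current header line.
// Throwing instead of stripping makes the attempt visible in application logs.
function safe_header_value(string $value, string $field): string
{
    // CR, LF and NUL are the characters that let a value start a new header
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("Line break in $field header value");
    }
    $value = trim($value);
    // RFC 5322 limits a header line to 998 characters; also refuse empty values
    if ($value === '' || strlen($value) > 998) {
        throw new InvalidArgumentException("Bad length for $field header value");
    }
    return $value;
}

// Recipients and Reply-To addresses get the stricter email validator.
function safe_recipient(string $address, string $field): string
{
    $address = filter_var(trim($address), FILTER_VALIDATE_EMAIL);
    if ($address === false) {
        throw new InvalidArgumentException("Invalid address in $field");
    }
    return $address;
}

// Build the additional-headers string: From is a fixed server-side value,
// Reply-To is the only user-influenced header and has already been validated.
function build_headers(string $replyTo): string
{
    return 'From: webmaster@example.com' . "\r\n"
         . 'Reply-To: ' . safe_recipient($replyTo, 'Reply-To') . "\r\n"
         . 'X-Mailer: PHP/' . PHP_VERSION;
}

// Constructed sample form submissions (hypothetical, not real traffic)
$samples = [
    'clean'        => ['to' => 'alice@example.com',
                       'subject' => 'Order confirmation',
                       'reply' => 'bob@example.com'],
    'crlf-subject' => ['to' => 'alice@example.com',
                       'subject' => "Order confirmation\r\nBcc: extra@example.com",
                       'reply' => 'bob@example.com'],
    'lf-recipient' => ['to' => "alice@example.com\nCc: extra@example.com",
                       'subject' => 'Order confirmation',
                       'reply' => 'bob@example.com'],
    'bad-reply-to' => ['to' => 'alice@example.com',
                       'subject' => 'Order confirmation',
                       'reply' => "bob@example.com\r\n"],
];

foreach ($samples as $name => $form) {
    try {
        $to      = safe_recipient($form['to'], 'To');
        $subject = safe_header_value($form['subject'], 'Subject');
        $headers = build_headers($form['reply']);
        // mail($to, $subject, $form['message'] ?? '', $headers) would go here;
        // the example only reports that the values passed validation.
        printf("%-13s accepted: To=%s Subject=%s\n", $name, $to, $subject);
    } catch (InvalidArgumentException $e) {
        printf("%-13s rejected: %s\n", $name, $e->getMessage());
    }
}
```

Only the `clean` sample is accepted; the other three are rejected before `mail()` is ever called, and the exception message names the offending field, which is what you want to log when a form starts receiving such input.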