---
title: Sanitize Input Before Sending Emails
impact: MEDIUM
impactDescription: prevents email header injection and spam abuse
tags: email, injection, sanitization, input-validation, security, php
---

## Sanitize Input Before Sending Emails

Email header injection vulnerabilities occur when an attacker can inject newline characters (`\r` or `\n`) into email headers like `Subject`, `To`, or `From`. This allows them to add unauthorized `Bcc:` or `Cc:` recipients, effectively turning your system into a spam relay.

**Incorrect (unsanitized email input):**

```php
// VULNERABLE: Direct use of user input in mail() headers
$subject = $_POST['subject']; // Input: "Question\r\nBcc: victim@example.com"
$to = "admin@example.com";
$message = "User message...";

mail($to, $subject, $message); // Attacker successfully sent Bcc to victim!
```

**Correct (sanitized email fields):**

```php
function sanitizeEmailHeader(string $input): string {
    // Collapse carriage returns, line feeds and tabs to a space so the value
    // cannot terminate the current header line or fold onto a new one
    return str_replace(["\r", "\n", "\t"], ' ', $input);
}

// Validate the address first; FILTER_VALIDATE_EMAIL rejects values containing CR/LF
$to = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($to === false) {
    die("Invalid email address");
}

$subject = sanitizeEmailHeader($_POST['subject']);
$message = $_POST['message']; // body text only; it is never placed in a header

// 1. Using native mail() with sanitized input
mail($to, $subject, $message);

// 2. Using Laravel Mail (Recommended)
// Laravel's Mailer and SwiftMailer/Symfony Mailer automatically sanitize headers.
// However, validation of addresses is still mandatory.
// ContactRequest is the application's Mailable class for this form.
Mail::to($to)->send(new ContactRequest($subject, $message));
```

**Security Checklist:**
1. **Validate** email addresses using `FILTER_VALIDATE_EMAIL`.
2. **Sanitize** any user input used in headers (Subject, From, CC, BCC) by removing CRLF characters.
3. **Use Modern Libraries** such as PHPMailer or Symfony Mailer, which provide built-in protection against header injection.
4. **Rate Limit** email sending to prevent mass spamming if an account is compromised.
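
Putting checklist items 1 to 3 together, the following is an added example (not code from the original rule or from Laravel/PHPMailer) that rejects, rather than silently rewrites, any header value containing line breaks or other control characters, validates every address that reaches a header, and passes the remaining headers to `mail()` as an array so no extra lines can be smuggled into the `additional_headers` string. The helper names (`validateRecipient`, `assertHeaderSafe`, `buildContactMail`), the `MailInputException` class, the fixed `From` address and the sample form submissions are all constructed for this illustration; the second submission reuses the payload quoted above.

```php
<?php
declare(strict_types=1);

// Added example: names below (MailInputException, validateRecipient,
// assertHeaderSafe, buildContactMail) are hypothetical, not a library API.
final class MailInputException extends InvalidArgumentException {}

/** Return a validated address or throw; FILTER_VALIDATE_EMAIL rejects embedded CR/LF. */
function validateRecipient(string $address): string
{
    $clean = filter_var(trim($address), FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        throw new MailInputException('Invalid recipient address');
    }
    return $clean;
}

/** Reject a header value that could end the current header line or start a new one. */
function assertHeaderSafe(string $name, string $value, int $maxLength = 200): string
{
    // \r and \n terminate a header; rejecting is safer than replacing because the
    // caller learns the request was hostile instead of sending an altered subject.
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new MailInputException(sprintf('%s contains line breaks', $name));
    }
    // Other C0 control characters and DEL have no place in a header value either.
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new MailInputException(sprintf('%s contains control characters', $name));
    }
    if (strlen($value) > $maxLength) {
        throw new MailInputException(sprintf('%s is too long', $name));
    }
    return $value;
}

/** Build the four mail() arguments from an untrusted form submission. */
function buildContactMail(array $post, string $to): array
{
    $to      = validateRecipient($to);
    $replyTo = validateRecipient($post['email'] ?? '');
    $subject = assertHeaderSafe('Subject', $post['subject'] ?? '');
    $body    = $post['message'] ?? ''; // body text is not a header; keep it separate

    // PHP 7.2+ accepts additional_headers as an array: one value per header, so a
    // user-controlled value cannot append a second header line to the string form.
    $headers = [
        'From'         => 'no-reply@example.com', // constructed; never taken from the request
        'Reply-To'     => $replyTo,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return [$to, $subject, $body, $headers];
}

// Constructed submissions: one benign, two carrying the injection payload from the rule.
$submissions = [
    ['subject' => 'Question about pricing',                'email' => 'alice@example.com'],
    ['subject' => "Question\r\nBcc: victim@example.com",   'email' => 'alice@example.com'],
    ['subject' => 'Hello',                                 'email' => "alice@example.com\r\nBcc: victim@example.com"],
];

foreach ($submissions as $post) {
    try {
        [$to, $subject, $body, $headers] = buildContactMail($post, 'admin@example.com');
        echo "ACCEPTED: subject=\"{$subject}\" reply-to={$headers['Reply-To']}\n";
        // mail($to, $subject, $body, $headers); // send only once every field has passed
    } catch (MailInputException $e) {
        echo "REJECTED: {$e->getMessage()}\n";
    }
}
```

Only the first submission is accepted; the second is rejected by `assertHeaderSafe` because the subject carries a CRLF, and the third by `validateRecipient` because the reply address is no longer a valid mailbox once a header line is appended to it. Logging the rejection reason, as the `catch` block does, also gives operations a signal that someone is probing the form.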

**Tools:** PHPStan, Psalm, SonarQube, Manual Security Review
