How to properly escape Email header in php

Question

I have the following php code

<?php 
$from = $_POST['email'];
$to = "myaddr@myserver.com";
$subject = "new message";
$message = "new message from ". $_POST['email'] ." >>> " .  $_POST['message'];
$headers = "From:" . $from;
mail($to,$subject,$message, $headers);

?>

I just started php, so this is the result of copying. I suspect this of being vulnerable, because one could probably just insert a newline char in the email adress field and rewrite my whole mail header for me.

How do I properly escape this? And while you're at it - do you see any other mistakes/vulns?

Answer 1

Add email validation:

if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    //send mail after validation
    mail($to,$subject,$message, $headers);
}

Answer 2

Well you should make sure the mail server that your script is connecting to is properly secured. If the script is connecting to a remote smtp host first, then it should ensure that the remote smtp host is secured.

Usually email servers are configured so the email submission occurs over a secure ssl encrypted channel.

Secure email servers accept smtp mail submission over ports 465 and 587. These ports are secure smtp ports and are supported by most email servers. What is the difference between ports 465 and 587?

Answer 3

Here's what I used to filter the email address and add it as a "Reply-to" header:

$filtered_email = filter_var(trim($email), FILTER_SANITIZE_EMAIL);
$headers = 'From: system@myserver.com' . "\r\n";
if ( $filtered_email ) {
    $headers .= 'Reply-To: ' . $filtered_email . "\r\n";
}

The documentation for filter_var says that it may return false if it failed so I put it in an if statement (also should deal with it being an empty string).

As I said in a comment, spam filters may prevent your email from reaching its destination if the "From:" is an address that's not the server it was sent from, so it's best to use the "Reply-To:" instead.