```php
// Remove malicious newlines completely
$clean_name = preg_replace("/[\r\n]+/", " ", $_POST['name']);
$clean_subject = preg_replace("/[\r\n]+/", " ", $_POST['subject']);
```

2. Use Built-in PHP Filters

The server then silently sends the attacker's message to thousands of BCC addresses, completely bypassing the intended single-recipient constraint.

Business and Server Impact

php email form validation - v3.1 exploit

An attacker might input the following into a "Your Email" form field:

$clean_subject = preg_replace("/[\r\n]+/"

: Improper Input Validation / Command Injection (CWE-77/CWE-94).