Php mail header injection prevention

emailheader-injectionphp

On the php manual page for mail function, there was a user comment saying "take care to prevent header injection".

In my application, I use the mail function, and the only user input I use as a parameter to the function is the email address.

I do a preliminary check of the email address using the regex ^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$.

Will this also prevent against header injection?

Thanks,
jrh

Best Solution

Someone would want to inject something like this:

user_address@domain.com
CC: spam_address1@domain.com, spam_address2@domain.com, spam_address3@domain.com

You do not allow \r\n which is needed for defining new header info. So your application is safe.