Assuming this code:
<?php
$email = $_POST['email']; // untrusted: a textarea lets the browser submit CR/LF sequences
$headers = array(
    'From' => $email, // the asker wants the form value here; unvalidated, this is the injection point
    'Reply-To' => 'webmaster@example.com',
    'X-Mailer' => 'PHP/' . phpversion(),
    'MIME-Version' => '1.0',
    'Content-Type' => 'text/html; charset=iso-8859-1'
);
// mail() accepts the headers as an array since PHP 7.2
if (mail('recipient@example.com', 'regarding header injection', 'you should make extra sure to validate inputs', $headers)) {
    die('sent');
}
You could construct a form to inject email headers like so:
<form method="post" action="/path/to/php/script">
<textarea name="email">nogdog@example.com
Bcc: foo@example.com,bar@example.com,fubar@example.com
</textarea>
<button>submit</button>
</form>
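The defensive counterpart, as an added example that is not part of the original post: validate the form value before it can reach any mail header, and reject it outright when it contains a line break or is anything other than a single plain address. It assumes the same `$_POST['email']` field and the same header array as above; `safe_header_email` and `build_headers` are names introduced here, and the sample inputs are constructed (the first is the textarea payload from the form above).

```php
<?php
// Added example, not from the original post: validate the form value before it
// can reach a mail header. Assumes the same $_POST['email'] form field as above.

// Return a single plain address suitable for a From/Reply-To header, or null.
function safe_header_email(string $input): ?string
{
    // A CR, LF or NUL in the value is exactly what lets "Bcc: ..." become a
    // new header line, so refuse anything containing one before trimming.
    if (preg_match('/[\r\n\x00]/', $input)) {
        return null;
    }
    $input = trim($input);
    // FILTER_VALIDATE_EMAIL accepts one bare address only; address lists,
    // display names and embedded header text all fail.
    if (filter_var($input, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $input;
}

// Build the header array from the snippet above, but only with a validated
// From address; returns null when the input must be rejected.
function build_headers(string $email): ?array
{
    $from = safe_header_email($email);
    if ($from === null) {
        return null;
    }
    return array(
        'From' => $from,
        'Reply-To' => 'webmaster@example.com',
        'X-Mailer' => 'PHP/' . phpversion(),
        'MIME-Version' => '1.0',
        'Content-Type' => 'text/html; charset=iso-8859-1',
    );
}

// Constructed inputs: the textarea payload from the form above, an address
// list, and a benign single address.
$samples = array(
    "nogdog@example.com\r\nBcc: foo@example.com,bar@example.com,fubar@example.com",
    "nogdog@example.com, other@example.com",
    "nogdog@example.com",
);

foreach ($samples as $sample) {
    $headers = build_headers($sample);
    echo json_encode($sample), ' => ',
        ($headers === null ? 'rejected' : 'accepted From: ' . $headers['From']), PHP_EOL;
}

// In the request handler, reject instead of sending when validation fails:
// $headers = build_headers($_POST['email'] ?? '');
// if ($headers === null) { http_response_code(400); die('invalid e-mail address'); }
// mail('recipient@example.com', 'subject', 'body', $headers);
```

Only the first sample (the injected `Bcc:` line) and the second (a comma-separated list) are rejected; the plain address is accepted. Checking for CR/LF before trimming matters because `trim()` would silently strip a trailing newline while leaving an embedded one in place, so the explicit check runs on the raw value.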