views:

88

answers:

3

I'm interning for an NGO in India (Seva Mandir, http://sevamandir.org) and trying to fix their broken "subscribe to newsletter" box. Because the staff isn't very sophisticated and our web host isn't great, I decided to send the relevant data to the publications person via mail() instead of storing it in a MySQL database.

I know that it's best to treat user input as malicious, and I've searched the SO forums for posts relevant to escaping user data for sending in a mail message. I know the data should be escaped; what should I be worried about and what's the best way to sanitize the input before emailing it?

Also note that the org's web host is still using PHP 4, so I can't just use filter_var for strings. I'm working with them to fix the problem, but for now I'd have to use regexes or strip_tags or some other method.

Form flow:
1. User enters email on homepage and clicks Submit
2. User enters name, address, more information on second page (bad usability, I know, but my boss asked me to) and clicks "Submit"
3. Collect the data via $_POST and email it to the publications editor (and possibly send a confirmation to the subscriber).

I am going to sanitize the email in step 2 and the other data in step 3. I appreciate your help,
Kevin

+1  A: 

As far I as I know, as long as you're using plain text and insert user entered data only into email body, there is nothing to sanitize.

Col. Shrapnel
+2  A: 

If you're using the user-entered email address to send a confirmation, ensure that they've only entered one email. A spammer can sneak line breaks, and therefore arbitrarily long Bcc: entries, into your message headers if you don't watch out.

See email injection.

mmsmatt
and subject too
Col. Shrapnel
Doesn't look like he's letting user enter a subject, but yes, anything destined for the headers better be clean.
mmsmatt
I am using rfc3696 to sanitize the user's email input. All of the entries (name, email, etc) are going into the body of the email I send to the publication editor.
Kevin Burke
+1  A: 

You need to be aware of Email Header Injection attacks.

Basically if you strip \n and \r from the $name, $from, $to and $subject you should be fairly safe, but it's always best to take a white list approach.

Alix Axel
I used this code (from the link, for anyone who visits this question in the future):

function safe( $name ) {
    // Blacklist: strip raw and URL-encoded line breaks, plus the header
    // names an attacker would try to inject, case-insensitively.
    return str_ireplace( array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:" ), "", $name );
}
Kevin Burke
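Added example, not code from the question or from any of the answers above: the header injection mmsmatt describes and the CR/LF check plus whitelist approach Alix Axel recommends, as one PHP snippet. It avoids filter_var() and other PHP 5-only functions because the asker is on PHP 4. The function names, the regular expression and the sample addresses are this example's own choices, not anything from the site in question.

```php
<?php
// Added example, not code from the question or answers above.
// Shows the header injection mmsmatt describes and a whitelist check in the
// spirit of Alix Axel's advice. Written without filter_var() or other
// PHP 5-only functions because the asker is on PHP 4. Function names, the
// regular expression and the sample addresses are this example's own.

// Whitelist: only the listed characters may appear, so CR, LF, commas,
// spaces, angle brackets and a second "@" are rejected rather than
// stripped. The D modifier keeps "$" from matching before a trailing newline.
function is_clean_email($addr)
{
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/D', $addr) === 1;
}

// Anything that ends up on a header line (name, subject) must not contain a
// line ending: one CR or LF is all it takes to start a new header.
function has_header_break($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Build the additional_headers argument for mail() from validated input
// only. Returns false when the input cannot be trusted, so the caller can
// refuse to send instead of sending something partly attacker-chosen.
function build_headers($name, $email)
{
    if (!is_clean_email($email) || has_header_break($name)) {
        return false;
    }
    // The display name goes inside quotes; drop the two characters that
    // could close the quoted string early.
    $name = str_replace(array('"', '\\'), '', $name);
    return 'From: "' . $name . '" <' . $email . ">\r\n"
         . 'Reply-To: ' . $email . "\r\n";
}

// Constructed inputs for the demonstration.
$good   = 'reader@example.org';
// The attacker's "address": a real address, a CR/LF, a smuggled Bcc: header,
// then a blank line so whatever follows becomes the message body.
$attack = "victim@example.org\r\nBcc: a@example.net, b@example.net\r\n\r\nBuy now";

// This is what an unvalidated "From: $email" header would hand to sendmail.
echo "Unsafe header block:\n" . "From: $attack\r\n" . "\n";

// The validated path refuses the crafted value and accepts the plain one.
$h = build_headers('Kevin', $attack);
echo "Crafted input accepted? " . ($h === false ? "no\n" : "yes\n");
$h = build_headers('Kevin', $good);
echo "Plain input headers:\n" . $h;

// In the real form handler (sketch, not run here):
//   $headers = build_headers($_POST['name'], $_POST['email']);
//   if ($headers === false) { show an error and do not call mail(); }
//   else { mail($editor, 'New subscriber', $body, $headers); }
```

build_headers() returns false for the crafted value because the pattern admits no CR, LF or comma, so neither a Bcc: line nor a second recipient can ride along; the "Unsafe header block" output shows what mail() would otherwise have passed on, an extra Bcc: header followed by an attacker-written body. The same is_clean_email() check is the one to apply before using the subscriber's address as the $to of the confirmation message, which is the single-recipient concern mmsmatt raises.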