Lately, standard contact forms are being abused more and more often. An example:
A contact form consists of the following fields:
Name (1 line)
Email address (1 line)
Subject (1 line)
The value of the "Subject" field is used as the subject of the email. A PHP command to send mail from this form may look like this:
mail ("email@example.com", $subject, $message);
The headers of this email will then look like this:
In a spam form injection, the subject is submitted as follows:
subject=This is the subject \nbcc: firstname.lastname@example.org
The headers will then look like this:
Subject: This is the subject
This email is then sent not only to email@example.com but also to firstname.lastname@example.org, and possibly to several more addresses if more were entered.
We therefore ask everyone to protect their contact forms. A good way to counter this is to check for the characters \n and \r in any field that should not consist of more than one line.
// Remove every carriage return and line feed, also when they occur on their own
$subject = str_replace(array("\r", "\n"), '', $_POST['subject']);
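The same check applied to all three single-line fields of the form, as an added example that is not code from the original page. The helper names single_line_field() and validate_contact_form() and the sample submissions are assumptions made for illustration, and the example rejects a submission containing \r or \n instead of stripping the characters.

```php
<?php
// Added example. single_line_field() and validate_contact_form() are
// hypothetical helper names, not functions from the original page.

// Return the trimmed value, or null when the field is unusable as one line.
function single_line_field($value, $maxLength = 200)
{
    if (!is_string($value)) {
        return null;
    }
    // A CR or LF would let the sender start a new header line (e.g. bcc:).
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLength) {
        return null;
    }
    return $value;
}

// Return the cleaned fields, or null when the submission must be refused.
function validate_contact_form(array $post)
{
    $fields = array();
    foreach (array('name', 'email', 'subject') as $key) {
        $fields[$key] = single_line_field(isset($post[$key]) ? $post[$key] : null);
        if ($fields[$key] === null) {
            return null;
        }
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $fields;
}

// Constructed sample submissions: a normal one and the injection shown above.
$samples = array(
    'normal'   => array('name' => 'Jan', 'email' => 'jan@example.org',
                        'subject' => 'This is the subject'),
    'injected' => array('name' => 'Jan', 'email' => 'jan@example.org',
                        'subject' => "This is the subject \nbcc: firstname.lastname@example.org"),
);
foreach ($samples as $label => $post) {
    $fields = validate_contact_form($post);
    echo $label, ': ', $fields === null ? 'rejected' : 'accepted', "\n";
    // Only when $fields is not null would the handler go on to call
    // mail("email@example.com", $fields['subject'], $message);
}
```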