Reputation: 4349
What are some steps I can use to make this more secure?
<?php
// Collect every posted field into the mail body.
$formcontent = '';
foreach ($_POST as $field => $value)
{
    $formcontent .= "$field: $value\n";
}
$formcontent .= 'User-Agent: ' . $_SERVER['HTTP_USER_AGENT'];

// $email is not assigned anywhere in the posted snippet; it is presumably the
// submitter's address from the form, so that is assumed here.
$email = isset($_POST['email']) ? $_POST['email'] : '';

$recipient = "****.***y@***********.co.uk";
$subject = "Event feedback form";
$mailheader = "From: web.form@**********.co.uk\r\n";
$mailheader .= "Reply-To: $email\r\n";
$mailheader .= "MIME-Version: 1.0\r\n";
mail($recipient, $subject, $formcontent, $mailheader) or die("Failure!");

// Redirect back to the site once the message has been handed off.
header("Location: http://www.**********.co.uk");
exit;
?>
Upvotes: 1
Views: 625
Reputation: 1070
Take a look at the recommended answer here: Is this mail() function safe from header injection?. Since you aren't storing in your database or using attachments, your risks are in the possibility of new lines in the header of the mail. If you follow those instructions there, you can filter out the new lines and you are okay.
Hope that helps! Cheers
Upvotes: 2
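The point of the answer above is that only the Reply-To header is built from user input, so that is the one place a CR/LF in a form field can start a new header line. The following is an added example, not code from the question or the answer, showing one way to validate that address before it reaches mail() and to keep line breaks in posted fields from faking extra body lines. It assumes PHP 7.1 or later and a constructed $post array in place of $_POST; the helper names are my own.

```php
<?php
// Returns the validated Reply-To address, or null if it must not be used.
function safe_reply_to(?string $candidate): ?string
{
    if ($candidate === null) {
        return null;
    }
    // Explicitly reject line breaks: this is the header injection vector.
    if (preg_match('/[\r\n]/', $candidate)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL also rejects whitespace and control characters.
    $valid = filter_var(trim($candidate), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Builds the body from an allow-list of field names only, collapsing any
// CR/LF inside a value to a single space so one field cannot span lines.
function build_body(array $post, array $allowed): string
{
    $body = '';
    foreach ($allowed as $field) {
        $value = isset($post[$field]) ? (string) $post[$field] : '';
        $body .= $field . ': ' . preg_replace('/[\r\n]+/', ' ', $value) . "\n";
    }
    return $body;
}

// Constructed sample input standing in for $_POST; the email value carries a
// CR/LF followed by a header name, the pattern the answer above warns about.
$post = [
    'name'    => 'Jane',
    'comment' => "Great event\r\nsee you next year",
    'email'   => "jane@example.com\r\nX-Injected: 1",
];

$headers = "From: web.form@example.co.uk\r\nMIME-Version: 1.0\r\n";
$replyTo = safe_reply_to($post['email']);
if ($replyTo !== null) {
    $headers .= "Reply-To: $replyTo\r\n";
}
// The sample address fails validation, so no Reply-To header is appended at
// all; a clean address like jane@example.com would have been added verbatim.
$body = build_body($post, ['name', 'comment', 'email']);

// mail($recipient, $subject, $body, $headers) would follow here.
```

Logging rejected values server-side (without echoing them back to the client) gives you a cheap signal of who is probing the form.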
Reputation: 284
You may want to apply htmlentities to $value to prevent cross site scripting.
$formcontent .= "$field: " . htmlentities($value) . "\n";
Otherwise, it's okay, as your values don't go into DB.
Upvotes: 1