I created a script that takes info in the url (script.php?id=123), compares that number (123) to a database and gets more information about that person (name, etc.). The number also corresponds to their email address (123@domain.com).
The information is passed to an email script which is a contact form. The contact form only sends the email to 123@domain.com and cannot be changed by the user. The user can enter their name, email, a subject, and the message. The name and subject are converted into email headers and sent to 123@domain.com (from: the user submitted info).
My question is: although the user cannot change the to: address, can they still input code into the name, email, and subject fields to inject additional to: addresses?
If so, any suggestions on existing code that could eliminate this threat?
Thanks!
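The risk the question describes is real and is usually called email header injection: PHP's mail() ends a header at a carriage return or line feed, so a bare line break inside a value placed in From:, Subject: or any other header makes the rest of that value a new header line. The fix is to never let a user-supplied value reach a header unless it has been checked for CR/LF, and to validate the reply address with filter_var(). The following PHP is an added example, not the poster's script; it assumes the form posts fields named `name`, `email`, `subject` and `message`, that `$recipient` is the fixed address already looked up from the id (123@domain.com in the question), and that `contact-form@domain.com` is a placeholder sender address on the site's own domain.

```php
<?php
// Added example (not the poster's code): hardened handling of the
// user-supplied contact-form fields before anything reaches mail().

/**
 * Return the value if it is safe to place in a mail header, or null if it
 * contains a carriage return or line feed. mail() terminates a header at
 * CR/LF, so a line break inside "name" or "subject" would let the rest of
 * the value be read as further header lines.
 */
function header_safe(string $value, int $maxLen = 200): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

/** Validate the visitor's address; FILTER_VALIDATE_EMAIL rejects line breaks too. */
function valid_email(string $value): ?string
{
    $ok = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

/**
 * Build and send the message. Returns false (and logs) when any header field
 * fails validation; refusing is safer than silently stripping characters,
 * because a rejected submission is also a useful signal that someone is
 * probing the form.
 */
function send_contact(string $recipient, array $post): bool
{
    $name    = header_safe($post['name']    ?? '', 100);
    $subject = header_safe($post['subject'] ?? '', 200);
    $email   = valid_email($post['email']   ?? '');
    $message = (string)($post['message'] ?? '');   // body only, never a header

    if ($name === null || $subject === null || $email === null) {
        error_log('contact form: rejected header field from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return false;
    }

    // Keep the visitor out of From: entirely. From: is our own address
    // (placeholder; assumed) so the mail passes SPF/DMARC checks; the
    // validated visitor address goes in Reply-To:, where it cannot carry
    // extra headers.
    $headers = "From: contact-form@domain.com\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "X-Mailer: PHP/" . phpversion();

    // The visitor's name is shown in the Subject line rather than used as
    // part of an address, so no free-text field is ever an email address.
    return mail($recipient, $subject . ' (from ' . $name . ')', $message, $headers);
}

// Usage: $recipient comes from the id lookup, not from the request.
// send_contact('123@domain.com', $_POST);
```

Two caveats worth keeping in mind: the checks above only cover the header fields, so the message body still needs escaping if it is ever rendered as HTML elsewhere; and if a visitor's name or subject may contain non-ASCII text, encode the Subject with mb_encode_mimeheader() after the CR/LF check rather than before it, since the check must see the raw input.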