Attackers use newline characters (\r\n or %0A%0D) to "break out" of the intended field and insert their own SMTP headers.
file if they are not strictly required for your application.
Alex’s mistake wasn’t a lack of effort; it was trusting a that didn't account for how the program in the chain would interpret the data.

Key Takeaways for Developers:

Never trust "Validated" data
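One way to check a form field for the newline breakout described above before it reaches a mail header. This is an added example, not code from the original page; the function names, the X-Test header and the sample inputs are constructed for illustration.

```php
<?php
// Added example: names and sample inputs below are hypothetical.

/** Return true if the value contains characters that can end a header line. */
function has_header_break(string $value): bool
{
    // Check CR/LF explicitly: in PCRE a pattern ending in "$" (without the D
    // modifier) still matches a value that carries one trailing newline.
    // The URL-encoded forms cover values that were not decoded yet.
    return preg_match('/[\r\n]|%0a|%0d/i', $value) === 1;
}

/** Validate a value bound for a mail header; returns the value or null. */
function safe_header_value(string $value, bool $isEmail = false): ?string
{
    // Reject before trimming, so a trailing newline is refused, not hidden.
    if (has_header_break($value)) {
        return null;
    }
    $value = trim($value);
    if ($isEmail && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Constructed sample inputs: one clean address, two carrying a line break.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nX-Test: 1",
    'alice@example.com%0AX-Test: 1',
];
foreach ($samples as $s) {
    $clean = safe_header_value($s, true);
    echo json_encode($s), ' => ', $clean === null ? 'rejected' : 'accepted', PHP_EOL;
}
```

Only the first sample is accepted; the check runs on every value that will be placed in a header, including ones an earlier validation step already passed.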