I wonder if it is enough to scan the message body for
and replace them?

-- Long
http://MeandmyCity.com/ - Free, searchable business directory for local communities
http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin for Rails

not just the message body. you'd have to scan the headers (to, from,
subject) for anything that should'nt be there or not in the correct
format.

see

http://www.securephpwiki.com/index.php/Email_Injection

for a list of example scenarios.

I agree. Each form field should be scanned.

-- Long

Chris Hall wrote: