Dating sending mails
Note that there is a big difference between the behavior of this function on Windows systems vs. UNIX systems. On Windows it delivers directly to an SMTP server, while on a UNIX system it uses a local command to hand off to the system's own MTA. The upshot of all this is that on a Windows system your message and headers must use the standard line endings \r\n as prescribed by the email specs.

There are two extra delivery gotchas on top of that:

1) The domain of the address used in the -f option (in the sendmail parameter or in the mail() extra parameters field) needs to have a valid SPF record (in DNS as a "TXT" record type for sure, plus an additional "SPF" type record if possible). That header field is used for spam checks.

2) You should also use a domain key or DKIM. The trick here is that the domain key/DKIM is case sensitive!
This function opens and closes an SMTP socket for each email, which is not very efficient.
Security advice: Although it is not documented, for the parameters $to and $subject the mail() function changes at least \r and \n to space. So these parameters are safe against injection of additional headers. But you might want to check $to for commas, as these separate multiple addresses and you might not want to send to more than one recipient. Since mail() cannot allow such characters, in programs where the use of such characters is required, alternative means of sending email (such as using a framework or a library) are recommended.

The shell escaping PHP applies to the extra parameters field prevents command execution, but still allows additional parameters to be added.

The 'sendmail' executable which PHP uses on Linux/Mac (not Windows) expects "\n" as a line separator. Using "\n" alone should be a last resort, as it does not comply with RFC 2822. On Windows, however, you should use "\r\n" because PHP is using SMTP in this situation, and hence the normal rules of the SMTP protocol (not the normal rules of Unix piping) apply.
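The checks described above (rejecting CR/LF in header values, refusing multi-recipient $to, validating the -f sender, and picking the line ending the transport expects) as an added example; this is not code from the original notes or from PHP itself, and the function names safe_mail/assert_header_safe and the sample addresses are assumed (PHP 8+).

```php
<?php
// Added example: a defensive wrapper around mail(). Assumes PHP 8+.

// Reject any value that could start a new header line. mail() already
// turns \r and \n into spaces in $to and $subject, but values you place in
// additional headers are not protected, so check every field explicitly.
function assert_header_safe(string $value, string $field): void
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("CR/LF/NUL not allowed in $field");
    }
}

function safe_mail(string $to, string $subject, string $body, string $from): bool
{
    // A comma in $to would deliver to several recipients; insist on exactly one.
    if (str_contains($to, ',') || filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Exactly one valid recipient address is required');
    }
    assert_header_safe($subject, 'subject');
    assert_header_safe($from, 'from');
    // The -f value reaches the sendmail command line; PHP's escaping blocks
    // command execution but not extra parameters, so require a plain address.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid From address');
    }

    // Windows: PHP speaks SMTP directly, so CRLF is mandatory.
    // Unix: the sendmail binary expects LF as the line separator.
    $eol = (PHP_OS_FAMILY === 'Windows') ? "\r\n" : "\n";

    $headers = [
        'From: ' . $from,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
    ];
    // Normalise body line endings to the transport convention chosen above.
    $body = preg_replace('/\r\n|\r|\n/', $eol, $body);

    // -f sets the envelope sender; its domain needs the SPF/DKIM records noted above.
    return mail($to, $subject, $body, implode($eol, $headers), '-f' . $from);
}

// Constructed header-injection attempt via the subject: rejected before mail() runs.
try {
    safe_mail('alice@example.com', "Hello\r\nBcc: other@example.net", 'Hi', 'noreply@example.com');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```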