I have a script I thought I validated, but after several attempts I have been proven wrong. The script I wrote looks like this:
$from = $_POST["emailtop"];
// Raw CR/LF (double-quoted so PHP interprets the escapes) plus the encoded forms I expected to see
$remove = array("\r", "\n", '0x0A/%0A', '0x0D/%0D', '%0A%0D', '%0A', '%0D', '0x0D/', '0x0D', '0x0A/', '0x0A');
$fixedfrom = str_replace($remove, '', $from);
$message = '';
if ($from != $fixedfrom) {
    // FLAGGED AND SENT TO ADMIN
    $sendTo = "me@myemail.com";
    $subject = "IP FLAGGED";
    // etc...
    $message .= "A user entered an email address with restricted characters.";
} else {
    // SEND THE SCRIPT TO THE RIGHT PEOPLE
    $sendTo = "boss@man.com";
    $subject = "Mailing List Sign-up";
    // etc...
    $message = $fixedfrom;
    echo ( "<meta http-equiv=\"refresh\" content=\"0;url=" . $thisPage . "\">" ); // $thisPage is set earlier in the page
}
mail($sendTo, $subject, $message, $headers); // $headers is built in the elided "etc..." parts above
I took several basic precautions: a max form field length and JavaScript validation. Of course they were worked around, and the user appears to be injecting spam. I’m not sure how to fix it. Thanks.
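As an added example (not the asker's code), here is the validation approach a defender would normally use instead of a strip-list: reject any value containing a line break or an encoded line break, validate the remainder as a single email address with PHP's built-in filter, and never place the submitted value into a mail header, only into the message body. The `$_POST['emailtop']` field, the two recipient addresses and the subjects are taken from the question; the fixed `From:` header address and the sample inputs are constructed for the example.

```php
<?php
// Added example, not the asker's script. Header injection works by smuggling
// CR/LF into a header value, so the safe move is to reject such input rather
// than strip it, and to keep user data out of headers entirely.

/**
 * Return the address if it is a single well-formed email with no line breaks,
 * or null if it must be rejected (and flagged).
 */
function clean_email_address(string $raw): ?string
{
    // Raw CR, LF or NUL would terminate or corrupt a header line: reject.
    if (preg_match('/[\r\n\0]/', $raw)) {
        return null;
    }
    // $_POST values are already URL-decoded, so a literal %0A / %0D here is
    // a sign of tampering rather than something to silently remove.
    if (preg_match('/%0[aAdD]/', $raw)) {
        return null;
    }
    $candidate = trim($raw);
    // FILTER_VALIDATE_EMAIL rejects whitespace, commas and the other characters
    // an attacker would need to append extra "Cc:" / "Bcc:" recipients.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs with the outcome each should produce.
$samples = [
    'alice@example.com'                          => 'accepted',
    "alice@example.com\r\nBcc: spam@example.net" => 'rejected',
    'alice@example.com%0ABcc:spam@example.net'   => 'rejected',
    'not an address'                             => 'rejected',
];

foreach ($samples as $input => $expected) {
    $result = clean_email_address($input) === null ? 'rejected' : 'accepted';
    printf("%-50s => %s (expected %s)\n", json_encode($input), $result, $expected);
}

// The same flow as the question, with the submitted value kept out of headers.
$from  = $_POST['emailtop'] ?? '';
$clean = clean_email_address($from);
$headers = 'From: noreply@example.com'; // constructed, fixed sender; never user-controlled

if ($clean === null) {
    // Flag to the admin. The raw value is not echoed anywhere near a header.
    $sendTo  = 'me@myemail.com';
    $subject = 'IP FLAGGED';
    $message = "A user entered an email address with restricted characters.\n";
} else {
    $sendTo  = 'boss@man.com';
    $subject = 'Mailing List Sign-up';
    $message = "New sign-up: $clean\n"; // user data appears in the body only
}
// mail($sendTo, $subject, $message, $headers);
```

Run from the command line the script prints the four sample results; in a web context the bottom section replaces the asker's `if` / `else`. The point is the order of operations: reject line breaks first, validate the syntax second, and treat a rejection as a signal to flag rather than something to clean up and forward.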