PHP: Escaping email display name

I recently had the need to take a name from a form submission and use it as the display name of the “From” address of an email sent through PHP’s mail() function. For an address like Toby Example <>, the display name is the Toby Example part. Coming from a form, this could contain invalid or even malicious characters, so I wanted to remove these characters or encode them safely. It was easy to find info on handling the actual email address, but a little harder to find info on the full address format. I eventually found this StackOverflow answer to figure out what I needed.

In our solution, we make use of PHP’s mb_encode_mimeheader() function with the “Quoted-Printable” (Q) format to encode any strings that need it. We wrap it in double quotes to deal with most ASCII control characters and escape any internal double quotes with \.

Our solution might look like:

$userDisplayName = 
    . str_replace('"', '\"', mb_encode_mimeheader($_POST['name'], 'UTF-8', 'Q')) 
    . '"'
$userEmail = mb_encode_mimeheader($_POST['email'], 'UTF-8', 'Q');
$headers = 
    "From: {$userDisplayName} <" . getAdminEmail() . ">\r\n"
    . "Reply-To: {$userDisplayName} <{$userEmail}>"
    ,'Testing message'

Our basic goal was to make it simpler to see who submitted the form in an email client. We use the admin email address for the From because we need to be sure that we can send from the address (SPF, etc), but the user’s display name so the client will show us who submitted it. We put the user’s full address in the Reply-To so it is easy to respond to the user.