Tags: coldfusion, sql-injection, html-email, csrf

ColdFusion, using cfqueryparam to filter an email form that is sent to the webmaster


I've literally looked everywhere. How can I prevent SQL injection or CSRF from happening with an email form?

The user will fill out an email form, which has various fields in it. The form will then send an email to the webmaster, who will then add it to the datasets and database. I have this bit under check; however, there is no security at all with it.

So to clarify, the email form constructs an email, and will send the email to the webmaster.


Solution

  • OK, so you're concerned, for argument's sake, that the baddie puts some JS in the form field, and you don't simply want to output that JS in the body of your email as it might then execute on the recipient's machine when they open the email?

    I suspect you want to be looking at encodeForHtml() and its ilk. That will escape anything that could be interpreted as HTML, so it will simply output as content, rather than being parsed.
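As an added illustration of the answer above (example code, not part of the original answer), here is a CFML form handler that runs every user-supplied field through encodeForHtml() before building the HTML mail body, and keeps the From and Subject headers fixed rather than taking them from the form. The field names, file name and addresses are assumptions.

```cfml
<!--- Hypothetical handler: a contact form posts name, email and message here. --->
<cfparam name="form.name" default="">
<cfparam name="form.email" default="">
<cfparam name="form.message" default="">

<!--- Escape each value before it is placed inside HTML. A submission such as
      <script>alert(1)</script> then arrives in the webmaster's mail client as
      literal text, because < > " ' and & are encoded as HTML entities. --->
<cfset safeName = encodeForHtml(form.name)>
<cfset safeEmail = encodeForHtml(form.email)>
<!--- Encode first, then turn line breaks into <br> so the markup we add
      ourselves is the only markup in the body. --->
<cfset safeMessage = replace(encodeForHtml(form.message), chr(10), "<br>", "all")>

<!--- Fixed To/From/Subject: user input never reaches a mail header. --->
<cfmail to="webmaster@example.com"
        from="noreply@example.com"
        subject="Website contact form submission"
        type="html">
    <h2>New contact form submission</h2>
    <p><strong>Name:</strong> #safeName#</p>
    <p><strong>Email:</strong> #safeEmail#</p>
    <p><strong>Message:</strong><br>#safeMessage#</p>
</cfmail>
```

encodeForHtml() is available in ColdFusion 10 and later; on older engines the equivalent is htmlEditFormat(), which encodes fewer characters.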