PHP code injection. Do we have a security risk?

We have a simple php file that captures emails. It drops these emails into a csv file (which is not executable by php). We recently had someone who managed to hack our site and this seemed like one of the entry points, but I don't see how it's possible. Here's the script:

$fh = fopen('cap.csv', 'a+');
fwrite($fh, "\r".$_GET['email']);
fclose($fh);

Pretty basic right? Is there anyway you can think of to exploit this?

Solution

Yes, but probably not what you are looking for.

The only things I could do are:

Add anything to your file, append only.
(optional/bonus) Open the file directly if you haven't secured it and steal all e-mail addresses.

It won't allow me to execute anything, or gain access to anything though. (Unless you process it and cause an leak somewhere else). But still - make this secure!

Check if a coupon is applied to cart in WooCommerce
Group 2d array data by one column and accumulate another column's values in subarrays
Reverse the order of array elements
Overwrite associative elements of one array with another associative array and reverse the array order
target [Laravel\Fortify\Contracts\RegisterViewResponse] is not instantiable
Convert a flat array of delimited values into a hierarchical array
How to reindex an associative array?
Set keys of a flat indexed array using the array's values
Convert two columns in an array of objects into an associative array
How to find the last day of the month from date?
Combine columnar values in each row of a 2d array to form dynamically keyed elements
Get environment value in controller
How can I execute PHP code from the command line?
Wordpress how to get the post thumbnail inside a figure tag
How to change the Laravel public folder location
Symfony Routing Host Regular Expression
PHP get the current month of a date
Drop Down Menu in CSS not working correctly
My code not working properly for pagination in PHP, any suggestion?
Should you use @dev or `dev-main` in composer JSON for local packages?
Send WhatsApp Notification using Pre-approved Template Message on Twilio
PHP: exec() returns status '0' (successful) when executing failing PostgreSQL scripts
Why does Xdebug show different versions of PHP for `Run Time` and `Compile Time`?
How do I add PHP files to my android APK file?
How to parse a querystring formatted string?
Parse a string resembling PHP array syntax into an associative array
Why does giving a foreach a 3-element array perform 3 iterations?
Laravel Tailwind CSS Not displaying in browser
Group values of an associative array and accumulate keys as comma-separated values
Should I use filter_var to validate email?