Sanitizing user input that will later be e-mailed - what should I be worried about?

Posted by Kevin Burke on Stack Overflow
Published on 2010-05-01T05:04:18Z
I'm interning for an NGO in India (Seva Mandir, http://sevamandir.org) and trying to fix their broken "subscribe to newsletter" box. Because the staff isn't very sophisticated and our web host isn't great, I decided to send the relevant data to the publications person via mail() instead of storing it in a MySQL database.

I know that it's best to treat user input as malicious, and I've searched the SO forums for posts relevant to escaping user data for sending in a mail message. I know the data should be escaped; what should I be worried about and what's the best way to sanitize the input before emailing it?

Form flow:
1. User enters email on homepage and clicks Submit
2. User enters name, address, more information on second page (bad usability, I know, but my boss asked me to) and clicks "Submit"
3. Collect the data via $_POST and email it to the publications editor (and possibly send a confirmation to the subscriber).

I am going to sanitize the email in step 2 and the other data in step 3. I appreciate your help,
Kevin
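The main thing to worry about with mail() is any user value that ends up in a header (To, Subject, Reply-To): a carriage return or line feed in such a value lets the submitter append headers of their own, while text that only goes into the body is just text. The following is an added example, not code from the question or from the Seva Mandir site; it assumes the form fields are email, name, address and info, and uses a placeholder editor address. The subscriber's address is the only user value allowed near a header, and only after it passes FILTER_VALIDATE_EMAIL and an explicit CR/LF check; the subject is fixed; everything else goes into the body with control characters stripped.

```php
<?php
// Added example (not from the question). Editor address is a placeholder.
const EDITOR_ADDRESS = 'publications@example.org';

// A CR or LF in a header-bound value would start a new header line.
function has_header_break(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 1;
}

// Subscriber address: the one user value that may appear in a header
// (Reply-To here, or To: on a confirmation). Reject on any doubt.
function clean_email(string $raw): ?string {
    $email = trim($raw);
    if (has_header_break($email) || strlen($email) > 254) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) ?: null;
}

// Body fields never reach a header, so newlines are harmless there;
// drop other control characters (and invalid UTF-8) and cap the length.
function clean_body_field(string $raw, int $max = 500): string {
    $value = preg_replace('/[^\P{C}\n]/u', '', $raw) ?? '';
    return mb_substr(trim($value), 0, $max);
}

// Returns the pieces for mail(), or null if the address is unusable.
function build_subscription_mail(array $post): ?array {
    $email = clean_email($post['email'] ?? '');
    if ($email === null) {
        return null;   // show the user an error; send nothing
    }
    $body = "New newsletter subscription\n\n"
          . "Email:   " . $email . "\n"
          . "Name:    " . clean_body_field($post['name'] ?? '') . "\n"
          . "Address: " . clean_body_field($post['address'] ?? '') . "\n"
          . "Info:    " . clean_body_field($post['info'] ?? '', 2000) . "\n";
    return [
        'to'      => EDITOR_ADDRESS,
        'subject' => 'Newsletter subscription',   // fixed, never from $_POST
        'body'    => $body,
        'headers' => 'Reply-To: ' . $email . "\r\n",
    ];
}

// Constructed samples: an address carrying a line break is rejected,
// a normal submission is sent with the name/address only in the body.
assert(build_subscription_mail(['email' => "a@b.org\r\nX: y"]) === null);
$ok = build_subscription_mail(['email' => 'reader@example.net',
    'name' => 'A. Reader', 'address' => "1 Lane\nUdaipur", 'info' => '']);
if ($ok !== null) {
    mail($ok['to'], $ok['subject'], $ok['body'], $ok['headers']);
}
```

Pass the editor's own request (step 3) and the confirmation to the subscriber through the same builder so that no raw $_POST value is ever handed to mail() directly.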
