Whoa! First off, please try not to use w3schools.com for any examples; they are notorious for using insecure examples.
Originally Posted by Shaydez
For example, the following problems exist with the code chunk above:
- It assumes register_globals is enabled. register_globals should NEVER be enabled; it is such a security risk that the PHP developers eventually removed the feature altogether.
- It performs no validation. Minor as it may be, this is necessary when wanting to prevent XSS and CSRF attacks.
An updated example:

<form action="registration.php" method="post">
    <input type="text" name="fname" />
    <input type="submit" value="Register" />
</form>

<?php
// registration.php
// Read the value from $_POST explicitly instead of relying on register_globals,
// and run it through filter_var before using it.
// (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.)
$fname = filter_var($_POST['fname'] ?? '', FILTER_SANITIZE_STRING);
mail("firstname.lastname@example.org", "The Registration", "Submitted by $fname");
?>

You can read more about filter_var on the PHP manual, and about the types of filters as well.
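The post talks about validation as a defence against XSS and CSRF but its snippet only sanitises. Here is a fuller registration.php, added as an example and not part of the original post, that validates the name against an allow-list pattern (FILTER_VALIDATE_REGEXP), ties the form to a per-session CSRF token, keeps user input out of mail headers, and escapes it on output. The recipient address is the placeholder from the post; the regex, field length limit and helper names (validate_first_name, csrf_token, csrf_valid, e) are assumptions chosen for this example.

```php
<?php
// registration.php: added example, not the original poster's code.
// Assumes PHP 7.x or later with sessions available.
declare(strict_types=1);
session_start();

const RECIPIENT = 'firstname.lastname@example.org'; // placeholder from the post

// Validate rather than sanitise: accept 1-64 characters of letters, spaces,
// apostrophes and hyphens; reject everything else (assumed policy).
function validate_first_name(string $raw): ?string
{
    $fname = filter_var($raw, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[\p{L}][\p{L} \'\-]{0,63}$/u']]);
    return $fname === false ? null : $fname;
}

// One random token per session, embedded in the form as a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function csrf_valid(array $post): bool
{
    return isset($_SESSION['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($_SESSION['csrf'], $post['csrf']);
}

// Output encoding for anything echoed back into HTML (the XSS defence).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // fname[]=... would arrive as an array; treat anything non-string as empty.
    $raw = $_POST['fname'] ?? '';
    $fname = validate_first_name(is_string($raw) ? $raw : '');
    if ($fname === null) {
        http_response_code(400);
        exit('Please enter a first name of 1-64 letters.');
    }
    // User input goes only into the body. Subject and headers stay fixed, so the
    // value cannot inject extra mail headers (Bcc:, Content-Type:, ...).
    mail(RECIPIENT, 'The Registration', "Submitted by $fname");
    echo 'Thanks, ' . e($fname) . ', your registration was sent.';
    exit;
}
?>
<form action="registration.php" method="post">
  <input type="hidden" name="csrf" value="<?= e(csrf_token()) ?>">
  <label>First name <input type="text" name="fname" maxlength="64" required></label>
  <button type="submit">Register</button>
</form>
```

The maxlength and required attributes are convenience only; the server-side regex is what actually enforces the rule, since an attacker posts directly to registration.php without the form.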