Whoa! First off, please try not to use w3schools.com for any examples, they are notorious for using insecure examples.
For example the following problems exist with the code chunk above.
- It assumes register globals is enabled, register globals should NEVER be enabled, it is such a security risk the PHP developers eventually removed the feature all together.
- It performs no validation, minor as it may be, this is necessary when wanting to prevent XSS and CSRF attacks
An updated example:
<form action="registration.php" method="post">
<input type='text' name='fname' />
$fname = filter_var($_POST['fname'], FILTER_SANITIZE_STRING);
mail("firstname.lastname@example.org","The Registration" ,"Submitted by $fname") ;
You can read more about filter_var on the PHP manual and the type of filters as well.