2021-02-10

There are actually two issues here - one is security and the other is spam.

The security issue is mainly that accepting ‘raw’ input into a $var means that the person completing the form could actually ‘inject’ code. This means they could enter SQL or PHP code that nests itself in your code and then changes what happens. This is more of a risk if you are actually saving the contents of the form to a database. As another example, the comments could be a JS script that deletes a file or folder - or many other malicious operations. This script would run when you opened the reply in a browser.

The spam issue arises from the fact that spammers actively search for forms and fill them in automatically, then submit them for various reasons.

The htmlspecialchars() PHP function @igor_g suggests is a good way to make sure it cannot execute as code, and you should research this as it is good advice.

Regarding spam, this is more a case of putting yourself in the mindset of a spammer, identifying the characteristics of a spam reply, and then rejecting them or accepting them but flagging them as spam.

It all depends on what you mean by security - it is quite an endeavour to create a form that is safe, secure, user-friendly and relatively spam-proof.
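As an added illustration of the htmlspecialchars() point above (example code written for this note, not from the thread or from @igor_g), here is a stored comment rendered both raw and escaped; the sample comment is constructed, and the snippet assumes PHP 5.4 or later for the ENT_HTML5 flag. Note that this only covers the browser-side case: escaping for HTML output does nothing for the database-saving risk, which needs its own handling (prepared statements) before the data is stored.

```php
<?php
// Added example, not from the original thread. Shows why a raw $var from a
// form must not be echoed into a page, and what htmlspecialchars() changes.

// Constructed sample of what a form submission could contain: ordinary text
// with a <script> tag embedded in it.
$comment = '<script>alert("injected")</script> Nice post!';

// Vulnerable: the raw input is dropped straight into the HTML. The browser
// parses the <script> tag as markup, so it runs whenever the reply is viewed.
function render_raw(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// Hardened: htmlspecialchars() turns < > & " ' into HTML entities
// (&lt; &gt; &amp; &quot; &#039;/&apos;), so the browser displays the text
// literally instead of treating any part of it as a tag or attribute.
function render_escaped(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="comment">' . $safe . '</div>';
}

// Compare the two renderings: view-source on the first one shows a live
// <script> element, the second shows only entity-encoded text.
echo render_raw($comment), PHP_EOL;
echo render_escaped($comment), PHP_EOL;
```

The escaping belongs at output time (when the comment is put into HTML), not at input time, so the stored value stays intact and is encoded correctly for whichever context it is later rendered in.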