R
Agreed. This is entirely standard for a Contact Us form. I wouldn't even suggest that this is evidence of a poor PHP coder. Indeed, PHP doesn't do a lot of hand holding, especially when it comes to security. But then again, neither does C. mail() is certainly no more intelligent than gets(). Should we then say that there are a lot of bad C programmers, or that C is a bad language? As in most languages, it's up to the programmer to cover their ass; unfortunately, that usually requires knowing what's coming at you.

The only issue here is that the programmer doesn't know about injection attacks and how to prevent them. Then again, neither did I until I stumbled across news articles about SQL injection and cross-site scripting. Looks like there are a lot of people out there who didn't know about this.

The life lesson--never trust user input--is one that I haven't seen generally taught in universities or technical schools. It's one of those things passed down from the elders, or learned the hard way when it bites you in the ass.

Please kindly inform the author of this code of his mistake. Also, please consider how much of a WTF something like this may be to others. Just because something is obvious to you (because you've been informed of it) doesn't mean it is obvious to others (especially those who were never told about it).
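The "never trust user input" lesson applied to the mail() case the comment describes, as an added example that is not code from the thread or from the form being discussed: every value that ends up in a mail header is checked for line-terminating characters before mail() sees it, and the recipient is fixed on the server. The field names, addresses and the $post array are constructed for the example.

```php
<?php
// Added example (not the original form's code): hardening the header-bound
// fields of a PHP contact form before they reach mail(). mail() hands the
// subject and additional-headers arguments to the MTA as header lines, so a
// CR or LF inside a user-supplied value would let a submission append header
// lines of its own. Validate first; only validated values reach mail().

/**
 * Return a trimmed, single-line value suitable for a mail header, or null if
 * the value is empty, too long, or contains CR/LF or other control characters.
 */
function header_safe(string $value, int $maxLen = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Anything that could terminate or continue a header line is rejected,
    // not stripped: a rejected submission is safer than a silently altered one.
    if (preg_match('/[\r\n\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

/** Validate the visitor's address strictly; FILTER_VALIDATE_EMAIL rejects CR/LF. */
function valid_email(string $value): ?string
{
    $value = trim($value);
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

// Constructed request data standing in for $_POST (hypothetical field names).
$post = [
    'name'    => 'Alice Example',
    'email'   => 'alice@example.com',
    'subject' => 'Question about your service',
    'message' => "Hello,\nI have a question.\n",
];

$name    = header_safe($post['name'] ?? '', 100);
$email   = valid_email($post['email'] ?? '');
$subject = header_safe($post['subject'] ?? '', 150);
$message = trim($post['message'] ?? '');

if ($name === null || $email === null || $subject === null || $message === '') {
    http_response_code(400);
    exit('Invalid form submission.');
}

// The recipient is fixed server-side and never taken from the request.
$to = 'contact@example.com'; // placeholder address

// Headers are built only from validated values. The visitor's address goes in
// Reply-To; From stays a local address so the visitor's domain policy
// (SPF/DMARC) is not violated by mail that did not originate there.
$headers = [
    'From: Contact Form <noreply@example.com>', // placeholder address
    'Reply-To: ' . $email,
    'Content-Type: text/plain; charset=UTF-8',
];

// The body may legitimately contain newlines; only header fields must be
// single-line. wordwrap keeps body lines within the RFC 5322 line-length limit.
$body = "From: {$name} <{$email}>\n\n" . wordwrap($message, 70, "\n", true);

$ok = mail($to, $subject, $body, implode("\r\n", $headers));
echo $ok ? 'Message sent.' : 'Mail could not be sent.';
```

The design choice worth noting is rejection over sanitization: header_safe() returns null on any control character rather than deleting it, so a malformed submission fails visibly (and can be logged) instead of being quietly rewritten into something the sender did not type.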