Thank you. I have heard of the escape_string command but not
escapeshellcmd.
Is it absolutely necessary to use both, would you say?
|
It's not so much that they let hackers in as that they can get spammed through. It dates back
about a decade to an infamous script called formmail.pl, when HTML forms would post their
data to this script; unfortunately a hidden field was used to specify the recipient of the
message, and people rarely configured the script to limit the addresses it could send to.
However you do it, just use the form to request the information you want, then in the
receiving page hardcode the recipient email address, or save to a database and notify someone
to look at it.
If you find you start getting spam comments and it becomes a problem, look at integrating
something like reCaptcha to remove automated comments.
The big important thing, however, is to never trust input from users, and sanitise the input
before you attempt to use it: PHP's mysql_real_escape_string and escapeshellcmd/arg etc.
|
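As an added illustration of the advice in the reply above (this is example code written for this thread, not something the poster supplied), here is a PHP contact-form handler that hardcodes the recipient so the form cannot choose where mail goes, validates every user-supplied field before it reaches mail(), and offers the "save to a database" alternative using a PDO prepared statement instead of the older mysql_real_escape_string approach. The recipient address, table name and column names are assumptions.

```php
<?php
// Added example (not from the thread): a contact-form handler that follows the
// advice above -- hardcode the recipient, never take it from the form, and
// validate/sanitise every user-supplied field before it reaches mail() or SQL.

declare(strict_types=1);

// Hardcoded recipient: the form cannot change who receives the message.
// Assumed address; replace with your own.
const CONTACT_RECIPIENT = 'webmaster@example.com';

/**
 * Validate and clean the submitted fields. Returns an array of clean values
 * or throws InvalidArgumentException so the caller can refuse the request.
 */
function cleanContactInput(array $post): array
{
    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = trim((string)($post['message'] ?? ''));

    // The sender address is placed in a mail header, so it must be a single
    // valid address: filter_var rejects spaces, line breaks and extra addresses.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    // Anything that ends up in a header must not contain line breaks; a line
    // break would let the submitter append further header lines of their own.
    if ($subject === '' || strlen($subject) > 200 || preg_match('/[\r\n]/', $subject) === 1) {
        throw new InvalidArgumentException('Invalid subject');
    }
    if ($body === '' || strlen($body) > 5000) {
        throw new InvalidArgumentException('Invalid message');
    }
    return ['email' => $email, 'subject' => $subject, 'body' => $body];
}

/** Send to the hardcoded recipient only; the user's address is just Reply-To. */
function sendContactMail(array $clean): bool
{
    $headers = 'From: ' . CONTACT_RECIPIENT . "\r\n"
             . 'Reply-To: ' . $clean['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return mail(CONTACT_RECIPIENT, $clean['subject'], $clean['body'], $headers);
}

/**
 * Alternative the post mentions: store the message and notify someone later.
 * A PDO prepared statement keeps the values out of the SQL text entirely,
 * which replaces the manual escaping the post refers to.
 * Table and column names (contact_messages, sender, subject, body, received_at)
 * are assumed for this example.
 */
function storeContactMessage(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (sender, subject, body, received_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$clean['email'], $clean['subject'], $clean['body']]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $clean = cleanContactInput($_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
    }
    // Either send straight away or store it for someone to review later.
    sendContactMail($clean);
    echo 'Thanks, your message has been sent.';
}
```

The point to notice is that the form supplies only content fields (sender, subject, message); the destination never comes from the request, so the formmail.pl style of abuse has nothing to work with, and the validation on the header-bound fields is what stops the remaining input from being reused for anything other than the message it was meant to carry.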