Aside from the lack of security, I would do the mail() before the header() at the bottom of the code snippet in the first posting. Otherwise, the email would never be sent since the header would redirect.
It is really, really, really important that you "screen" the user input before you handle it. This form is wide open for email server hijacking and a Spammer's Delight if they find it.
There are tons of resources out there for how to manage the POST data for emailing. Google it.
<?php
/* ************************************************************************
*
* function used to clean Mail :: from Larry Ullman at dmcinsights.com
*
* as found here: [url]http://www.dmcinsights.com/phorum/read.php?6,28810[/url]
*
* called by the following line on the mail page prior to using the mail()
*
* $_SAFE_POST = array_map('clear_user_input', $_POST);
*
* cleans each element of the $_POST array before using them in the mail() using array_map
*
*************************************************************************** */
function clear_user_input($value) {
    // Check for bad values (header names and markup that have no place in a form field):
    if (stristr($value, 'content-type')) return '';
    if (stristr($value, 'bcc:')) return '';
    if (stristr($value, 'to:')) return '';
    if (stristr($value, 'cc:')) return '';
    if (stristr($value, 'href')) return '';
    // Strip quotes, if Magic Quotes are on (function removed in PHP 8, so guard the call):
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $value = stripslashes($value);
    // Replace any newline characters (raw or URL-encoded) with spaces so a value cannot start a new header line:
    $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);
    // Return the value:
    return trim($value);
}
?>
Here is a function to start your user-input screening.
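An added example (not the poster's code, nor Larry Ullman's) of the two points made above: reject header-breaking input outright instead of stripping it, keep the recipient and From fixed, and call mail() before the redirect. Field names, addresses and the redirect target are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumed field names: name, email, subject, message.
const RECIPIENT  = 'contact@example.com';   // fixed on the server, never taken from the form
const THANKS_URL = '/thanks.html';          // assumed redirect target

// A value destined for a single header line must contain no CR, LF or NUL.
function is_single_line(string $value): bool {
    return preg_match('/[\r\n\x00]/', $value) !== 1 && strlen($value) <= 200;
}

// Validate the submission; returns the names of the bad fields (empty array = OK).
function validate_contact(array $post): array {
    $errors = [];
    $name = trim($post['name'] ?? '');
    if ($name === '' || !is_single_line($name)) {
        $errors[] = 'name';
    }
    $email = $post['email'] ?? '';
    if (!is_single_line($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    if (!is_single_line($post['subject'] ?? '')) {
        $errors[] = 'subject';
    }
    return $errors;
}

// Build the message and send it. Refuses rather than "cleans" suspicious input.
function send_contact(array $post): bool {
    if (validate_contact($post) !== []) {
        return false;
    }
    // The visitor's address goes into Reply-To only; From stays under the site's control.
    $headers = [
        'From: website <noreply@example.com>',
        'Reply-To: ' . $post['email'],
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = 'Name: ' . $post['name'] . "\n\n" . ($post['message'] ?? '');
    return mail(RECIPIENT, $post['subject'], $body, implode("\r\n", $headers));
}

// Constructed sample: a value carrying a line break is rejected by validation.
$sample = ['name' => 'Test', 'email' => "a@example.com\r\nBcc: x@example.net", 'subject' => 'Hi'];
var_dump(validate_contact($sample)); // array with 'email'

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (send_contact($_POST)) { header('Location: ' . THANKS_URL); exit; } // mail() first, then redirect
    http_response_code(400);
    echo 'Invalid submission.';
}
```

Unlike clear_user_input(), this returns an error to the visitor instead of silently sending a mangled message, which also makes injection attempts visible in the web server's 400 responses.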