One thing I remember from doing something like this years ago is needing to protect the form against people using it to send malicious code to your website. But it was a long time ago and I can’t remember the details. Something to do with escape characters. Others will know much more about this than me.
Pingu has linked to the XKCD of the problem.
Anywhere that the user can run a database query can be vulnerable. This website is made from a database, and it says so at the bottom:-
Page created in 0.081 seconds with 18 queries.
The queries depend on what the user types in, and what is in the address bar. All of that should be sanitised so that arbitrary queries put into web addresses or forms can't end up in the query that is sent to the database.
For instance, the web address for this page ends with
;last_msg=2766055
If I were writing the code to process the value of "last_msg" I would make sure that it can only be a number, in a specific range, so a malicious value like
;last_msg=/drop table "users"
won't result in the query
drop table "users"
being run; it will just result in an incorrect value for last_msg.
I don't think that it's so much of a problem with forms that send emails only. The risk there is that a cleverly crafted message or "from" field could result in multiple spam messages being sent to recipients other than yourself, but looking like they come from your website. It could be a good idea to remove "<" and ">" etc from the email addresses and "@" from the message itself.
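The "number in a specific range" check described in the post above, as an added example that is not from the thread: the value of last_msg is accepted only if it is a plain decimal integer within an assumed range, and the validated integer is then bound to a parameterised query rather than spliced into the SQL text. The in-memory sqlite table, its contents, the upper bound and the function names are all constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the forum's messages table
# (example schema and data only, not the real forum's).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?)",
        [(2766053, "first"), (2766054, "second"), (2766055, "third")],
    )
    conn.commit()
    return conn

MAX_MSG_ID = 10_000_000  # assumed upper bound for a valid message id


def parse_last_msg(raw: str):
    """Return the message id as an int, or None if the value is not a
    plain decimal number inside the expected range.  Anything else,
    e.g. '/drop table "users"', is rejected here and never reaches SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    value = int(raw)
    if not 1 <= value <= MAX_MSG_ID:
        return None
    return value


def messages_after(conn: sqlite3.Connection, raw_last_msg: str) -> list:
    """Ids of messages newer than last_msg, using the validated value only."""
    last_msg = parse_last_msg(raw_last_msg)
    if last_msg is None:
        last_msg = 0  # a bad value just means "show from the beginning"
    # Parameterised query: the integer is bound by the driver, not concatenated.
    rows = conn.execute(
        "SELECT id FROM messages WHERE id > ? ORDER BY id", (last_msg,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(messages_after(db, "2766054"))              # [2766055]
    print(messages_after(db, '/drop table "users"'))  # [2766053, 2766054, 2766055]
```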