As long as you restrict the character set to UTF-8 and replace < with &lt;, > with &gt; and & with &amp; you're mostly OK. It gets escaped during the POST process anyway. If you thought someone was going to try to break it, you could run a regex replace on the inputs to get rid of anything that wasn't [a-z][0-9].,:;'@#?!"£$%^&*()-=_+\| .
OFFS someone *will* try to break it. That is what people do. Everything should be taint checked, encapsulated, wrapped and generally sterilised so that data stays as data and doesn't do other things not intended by the script author.
Like '; delete from results; ' which could do interesting things to an sql database if not properly trapped.
PHP is fine if used properly. As is Perl. As is Java. Tools for the appropriate task in hand.
For the kind of thing described I have a simple form handling script that appends the results as a tab separated file. Generic and lightweight. It takes the column headers as the field names to save. This can even be in the htdocs directory so can readily be downloaded (but I don't do this). Obviously one has to be careful precisely which data one stores if it is going to be publicly available (albeit obscure).