
PHP form-to-email sanitizing

Developer https://www.devze.com 2022-12-28 13:13 Source: Internet

I'm using the following to send a contact-us type form. I've looked into security and only found that you need to protect the From: bit of the mail function. As I've hardcoded this, does that mean the script is spam-proof / un-hijackable?

$tenantname = strip_tags($_POST['tenan']);
$tenancyaddress = strip_tags($_POST['tenancy']);
$alternativename = strip_tags($_POST['alternativ']);
// and a few more fields, each passed through strip_tags() the same way

$to = "hardcoded@email.com";
$subject = "hardcoded subject here";
$message = "$tenantname etc rest of posted data";
$from = "noreply@email.com";
$headers = "From: $from";

mail($to, $subject, $message, $headers);


Unhijackable? Yes.

Spamproof? I wouldn't describe it as that, as the form can still be used to spam the target of the form.


There are a few considerations. $headers must never be controlled by an attacker. If they can control this variable then they can inject a CRLF (\r\n) and turn this form into an open spam gateway. PHP-Nuke was vulnerable to this a while back.

The second consideration is rate limiting. A dumb bot is going to hit this form a few thousand times. They might not even be spamming, but just scanning your site for SQL injection to break in. You should use reCAPTCHA to prevent bots from submitting this form.
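The rate-limiting point above, as an added example that is not part of the original answer or the asker's code: a minimal per-client throttle for the contact form that refuses to send once a client has exceeded a small number of submissions in a time window. The JSON file path, the limits, the helper name `allow_submission` and the use of `REMOTE_ADDR` as the client key are all assumptions for illustration; behind a reverse proxy you would key on the forwarded client address instead.

```php
<?php
// Added example (not from the original post): a per-client rate limit for
// the form handler. Recent submission timestamps per client are kept in a
// small JSON file under flock(). Path, limits and the REMOTE_ADDR key are
// assumptions for illustration.

declare(strict_types=1);

const RATE_LIMIT_FILE   = '/tmp/contact-form-rate.json'; // assumed path
const RATE_LIMIT_MAX    = 5;   // submissions allowed ...
const RATE_LIMIT_WINDOW = 600; // ... per 600 seconds

/**
 * Returns true if this client may submit now and records the attempt;
 * returns false once the client is over the limit for the window.
 */
function allow_submission(string $clientKey, int $now): bool
{
    $fh = fopen(RATE_LIMIT_FILE, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        // Fail closed: if attempts cannot be tracked, do not send mail.
        return false;
    }

    $raw   = stream_get_contents($fh);
    $state = ($raw === false || $raw === '') ? [] : (json_decode($raw, true) ?? []);

    // Keep only timestamps that are still inside the window.
    $recent = array_values(array_filter(
        $state[$clientKey] ?? [],
        fn (int $t): bool => $t > $now - RATE_LIMIT_WINDOW
    ));

    $allowed = count($recent) < RATE_LIMIT_MAX;
    if ($allowed) {
        $recent[] = $now;
    }
    $state[$clientKey] = $recent;

    // Rewrite the whole file while still holding the lock.
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);

    return $allowed;
}

// Usage at the top of the form handler, before any field is looked at.
$client = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
if (!allow_submission($client, time())) {
    http_response_code(429);
    exit('Too many submissions, please try again later.');
}
// ... validate the posted fields and only then call mail().
```

The check runs before any field is read or mail() is called, so a bot that hammers the endpoint costs a file lock and a JSON parse rather than an outbound message. It fails closed when the state file cannot be opened or locked, which is the safer default for a form whose only side effect is sending email.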


If you're using form data to create $from (not quite sure from your code), $from could be used to add additional headers (BCC/CC), kind of like SQL injection.

Update: Now with the code a bit more readable, I realize that shouldn't be a problem for you.

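The header-injection risk described in the two answers above (an attacker-controlled $headers or $from value carrying a CRLF), as an added example that is not part of the original post or any answer: the vulnerable construction next to a hardened one that rejects line breaks and anything that is not a single bare address. The field name `replyto`, the helper names and the attacker payload are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original post): how a CRLF in a user-supplied
// address turns the contact form into a relay, and how to reject it.
// The helper names and the sample payload are assumptions for illustration.

declare(strict_types=1);

/**
 * Vulnerable header construction: the user-supplied address goes into the
 * header block as-is, so an embedded "\r\n" starts a new header line.
 */
function build_headers_unsafe(string $replyTo): string
{
    return "From: noreply@email.com\r\nReply-To: " . $replyTo;
}

/**
 * Hardened version: a header value may never contain CR or LF, and the
 * value must be exactly one bare email address. Throw rather than send,
 * so the handler can show an error and log the attempt.
 */
function safe_email_address(string $value): string
{
    $value = trim($value);

    // Reject any line break outright (covers \r, \n and \r\n).
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('line break in address');
    }

    // FILTER_VALIDATE_EMAIL accepts only a single bare address, so a list
    // such as "a@b.com, c@d.com" or a value with extra header text fails
    // here too, as a second line of defence.
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    if ($valid === false) {
        throw new InvalidArgumentException('invalid address');
    }

    return $valid;
}

function build_headers_safe(string $replyTo): string
{
    return "From: noreply@email.com\r\nReply-To: " . safe_email_address($replyTo);
}

// Constructed attacker input: a plausible address followed by an injected
// Bcc header, as a bot would post it in the form's "replyto" field.
$payload = "victim@example.com\r\nBcc: spam1@example.net, spam2@example.net";

echo "--- unsafe headers ---\n";
echo build_headers_unsafe($payload), "\n";   // the Bcc line becomes a real header

echo "--- safe headers ---\n";
try {
    echo build_headers_safe($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A normal address passes through unchanged.
echo build_headers_safe("tenant@example.com"), "\n";
```

The same rule applies to every string that ends up in the header block, including $subject if it is ever taken from the form: strip or reject CR and LF before concatenation, and prefer rejecting, since a stripped value may still not be what the user intended. The message body is not affected by this class of bug, because mail() separates it from the headers itself.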
