in reply to Re^2: Interpolation of variables in stored HTML
in thread Interpolation of variables in stored HTML
If you don't escape/encode/filter the values you get from the database, then the resulting HTML can be anything; it can be <form action=http... .... javascript ... so submit doesn't post the data you want to the URL you want .... Who's writing the page, the author/programmer or an internet stranger?
Also, no ReadParse, no CGI->Vars; they corrupt data.
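An added example, not code from this thread, of the escaping point made above: stored HTML written by the page author is filled with values that stand in for database rows, first without and then with escaping. The `[% name %]` placeholder syntax, the function names `escape_html` and `fill_template`, and the sample data are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaper, safe for element text and quoted attribute values.
my %ESC = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/([&<>"'])/$ESC{$1}/g;
    return $s;
}

# Fill [% name %] placeholders (hypothetical syntax) in author-written HTML.
# Every value is escaped; an unknown placeholder dies instead of passing through.
sub fill_template {
    my ($tmpl, $vals) = @_;
    $tmpl =~ s{\[%\s*(\w+)\s*%\]}{
        exists $vals->{$1} ? escape_html($vals->{$1})
                           : die "unknown placeholder '$1'\n"
    }ge;
    return $tmpl;
}

# Constructed sample: the template is what the page author stored,
# the hash stands in for values fetched from the database.
my $stored_html = <<'HTML';
<form action="/save" method="post">
  <input type="text" name="title" value="[% title %]">
  <p>Last comment: [% comment %]</p>
</form>
HTML

my %row = (
    title   => q{x"></form><form action="http://example.invalid/">},
    comment => q{<b>Tom & Jerry</b>},
);

print "--- unescaped: markup in the data becomes part of the page ---\n";
(my $raw = $stored_html) =~ s{\[%\s*(\w+)\s*%\]}{$row{$1}}g;
print $raw;

print "--- escaped: the data stays data ---\n";
print fill_template($stored_html, \%row);
```

In the first output the stored value closes the author's form and opens one with a different action; in the second the same value is rendered as inert text inside the `value` attribute.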