in reply to Sending a mail with Perl, nah.. the same and same question...

To whom are you sending the mail?

Also, you do not properly protect your script against malicious input and your script can easily be used to send arbitrary mail to arbitrary recipients. I won't tell you what, because that might result in you just filtering out bad input instead of only allowing specific, known good input. Please think long and hard about what kinds of input you want to allow, and write code to only allow that specific kind of input and reject all else.

Also, consider using MIME::Lite or one of the Email modules instead of piping to sendmail yourself.

Update: Also consider just using a well-known, good formmail script.

Re^2: Sending a mail with Perl, nah.. the same and same question...
by heatblazer (Scribe) on Mar 29, 2012 at 11:03 UTC

    Originally the input was handled by a javascript.

    This is only the serverside form.

      To reinforce what has been said by Corion and marto: never, ever trust input from the client. Validation done on the client side is only to optimize the input loop by reducing the number of round trips needed to the server.

      Assume that your client can (and will if you are really paranoid) put anything on the wire that they wish. I have had to fight the attitude that 'we are not dealing with smart hackers here' when doing code audits (previous life), and was constantly amazed at the lack of concern shown toward basic application security.

      --MidLifeXis

        I don't need a tutorial, just a simple guideline, that was sufficient, I'll keep in the security direction from now on and stress on serverside instead of js. Thank you all for being verbose here.

      A spammer will not run Javascript but talk directly to your mail sending script. The most important checks are the checks run on the server. You should really consider using the premade formmail script instead of rolling your own. Client-side validation will break as soon as somebody has Javascript disabled (like me) or does not even use a browser to send data (like a spammer).

      So what's to stop someone writing a script to submit data to this server side script, bypassing your JavaScript?

        Can you give some examples of malicious scripts? And how to check it or block it?

Re^2: Sending a mail with Perl, nah.. the same and same question...
by heatblazer (Scribe) on Mar 29, 2012 at 14:19 UTC

    Well, I still can't understand what's the error for not sending mail (ok, I got it, it's weak in security) but I just want to know where exactly is the error for not sending it?

      I purposefully only gave you a vague hint as to where the part of "not sending" in your script lies. You will have to read my post and go through your script to find it. I still recommend MIME::Lite for sending mail instead of talking to sendmail directly.

      You could consider printing your output to the console to inspect what sendmail receives.
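
The advice given earlier in this thread (accept only specific, known good input, and enforce that on the server rather than in JavaScript), sketched as an added example that is not code from any poster or from the original script. The field names, the patterns, the size limits and the recipient address are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the form has exactly three fields (name, email, message) and
# mail always goes to one fixed address chosen by the site owner.
my $RECIPIENT = 'webmaster@example.com';   # placeholder, never taken from input

# Allow-list: a field must match its whole pattern or the request is rejected.
# \A ... \z anchor the full value, so a trailing newline cannot slip through.
my %ALLOWED = (
    name    => qr/\A[A-Za-z][A-Za-z .'-]{0,63}\z/,
    email   => qr/\A[A-Za-z0-9._+-]{1,64}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/,
    message => qr/\A[\x20-\x7E\n]{1,2000}\z/,  # printable ASCII and newline, body only
);

# Returns (\%clean, undef) on success or (undef, $reason) on rejection.
sub validate_form {
    my (%in) = @_;
    # Reject any parameter the form is not supposed to send.
    for my $key (keys %in) {
        return (undef, "unexpected field '$key'") unless exists $ALLOWED{$key};
    }
    my %clean;
    for my $field (sort keys %ALLOWED) {
        my $value = $in{$field};
        return (undef, "missing field '$field'") unless defined $value;
        $value =~ s/\r\n/\n/g if $field eq 'message';   # normalise browser line ends
        return (undef, "field '$field' rejected") unless $value =~ $ALLOWED{$field};
        $clean{$field} = $value;
    }
    return (\%clean, undef);
}

# Constructed sample submissions, standing in for parsed CGI parameters.
my @samples = (
    { name => 'Ann Example', email => 'ann@example.org', message => "Hello,\nplease call me." },
    { name => "Ann\nExample", email => 'ann@example.org', message => 'hi' },
    { name => 'Ann', email => 'ann@example.org', message => 'hi', to => 'someone@example.net' },
);

for my $s (@samples) {
    my ($clean, $err) = validate_form(%$s);
    if ($err) { print "REJECTED: $err\n"; next; }
    # Only validated values reach this point; hand them to a mail module here.
    print "OK: To=$RECIPIENT Reply-To=$clean->{email} Name=$clean->{name}\n";
}
```

Printing the accepted values, as suggested above for inspecting what sendmail receives, also makes it easy to confirm that nothing outside the allow-list gets through before any mail is sent.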