
http form -> php -> mysql snafu

(The original post consisted of the rendered HTML form; its fields were: Are you a:, First name:, Last name:, email:)

went1180
Newbie Poster
9 posts since Sep 2006
Reputation Points: 10
Solved Threads: 0
 

You're using $_POST wrong.

This:

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('$_POST[mailto]','$_POST[firstname]','$_POST[lastname]')";

Should be:

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('{$_POST['mailto']}','{$_POST['firstname']}','{$_POST['lastname']}')";


I haven't tried this, but I think it works. I don't normally do INSERT queries like this, as I need to escape the data. Doing it all on one line of code makes for a mess.

You need to escape the data too, unless you want to allow for SQL injection attacks... (With some educated guesses a hacker could figure out what to do to end your SQL statement and add some of his own.)

$mailto = $_POST['mailto'];
$mailto = mysql_real_escape_string($mailto);

// repeat for each variable
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname  = mysql_real_escape_string($_POST['lastname']);

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('$mailto', '$firstname', '$lastname')";
Puckdropper
Posting Pro
500 posts since Jul 2004
Reputation Points: 23
Solved Threads: 23
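The risk Puckdropper describes, shown as an added example that is not code from the thread. It uses Python's built-in sqlite3 module instead of PHP and MySQL so it runs offline, but the pattern is the same: the "unsafe" insert interpolates the submitted values into the SQL text exactly as the original `$_POST` query does, the "escaped" insert mirrors the escape-each-variable approach, and the "safe" insert uses a parameterized query, which is what modern PHP (PDO or mysqli prepared statements) offers in place of mysql_real_escape_string. The table and column names come from the thread; the e-mail addresses, the name with an apostrophe and the crafted input are constructed for the demonstration.

```python
import sqlite3

# Table from the thread (constructed schema; the thread never shows the CREATE TABLE).
SCHEMA = "CREATE TABLE emails (mailto TEXT, firstname TEXT, lastname TEXT)"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, mailto, firstname, lastname):
    # Same shape as the PHP string: user input becomes part of the SQL text,
    # so a quote in the input changes the statement instead of the data.
    sql = ("INSERT INTO emails (mailto, firstname, lastname) VALUES "
           f"('{mailto}','{firstname}','{lastname}')")
    conn.execute(sql)
    conn.commit()


def sql_quote(value):
    # Hand-rolled escaping in the spirit of mysql_real_escape_string. SQLite
    # escapes a single quote by doubling it; MySQL uses backslashes and must
    # know the connection charset, which is why the real function needs an
    # open connection. Shown for comparison only; prefer parameters.
    return "'" + value.replace("'", "''") + "'"


def insert_escaped(conn, mailto, firstname, lastname):
    sql = ("INSERT INTO emails (mailto, firstname, lastname) VALUES "
           f"({sql_quote(mailto)},{sql_quote(firstname)},{sql_quote(lastname)})")
    conn.execute(sql)
    conn.commit()


def insert_safe(conn, mailto, firstname, lastname):
    # Parameterized query: the driver sends the values separately from the
    # SQL text, so nothing in the input can alter the statement.
    conn.execute(
        "INSERT INTO emails (mailto, firstname, lastname) VALUES (?, ?, ?)",
        (mailto, firstname, lastname),
    )
    conn.commit()


def rows(conn):
    return conn.execute(
        "SELECT mailto, firstname, lastname FROM emails ORDER BY rowid"
    ).fetchall()


def demo():
    results = {}

    # Case 1: an ordinary name containing an apostrophe (constructed input).
    conn = fresh_db()
    try:
        insert_unsafe(conn, "mo@example.test", "Mo", "O'Brien")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        # The quote in O'Brien terminates the literal early: syntax error,
        # and a legitimate user cannot be stored at all.
        results["unsafe_apostrophe"] = "syntax error"
    conn = fresh_db()
    insert_safe(conn, "mo@example.test", "Mo", "O'Brien")
    results["safe_apostrophe"] = rows(conn)[0][2]

    # Case 2: a constructed value that closes the literal and the VALUES tuple,
    # then appends a second row and comments out the rest of the statement.
    # This is the "end your SQL statement and add some of his own" case.
    payload = "a@example.test','x','y'),('extra@example.test','x','y')--"
    conn = fresh_db()
    insert_unsafe(conn, payload, "Pat", "Smith")
    results["unsafe_payload_rows"] = len(rows(conn))        # 2: an extra row landed

    conn = fresh_db()
    insert_escaped(conn, payload, "Pat", "Smith")
    results["escaped_payload_rows"] = len(rows(conn))       # 1: quotes neutralized

    conn = fresh_db()
    insert_safe(conn, payload, "Pat", "Smith")
    results["safe_payload_rows"] = len(rows(conn))          # 1
    results["safe_payload_stored"] = rows(conn)[0][0] == payload  # stored verbatim
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the one worth remembering: injection is only the hostile end of a bug that already breaks on ordinary input. Escaping every variable fixes both, but it has to be applied to every value on every query; a parameterized statement makes the fix structural rather than a discipline.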
 

Thanks, now I'm learning about escape strings.

P.S. This should be a new thread, but while I'm at being a noob, may I ask if it is OK to create a $password variable with my real password as the string? It seems like mysql_real_escape_string() won't work because this function only works after the connection is made, but I've also read that PHP code is not actually viewable by a user...

went1180
Newbie Poster
9 posts since Sep 2006
Reputation Points: 10
Solved Threads: 0
 

You hit upon one of my PHP rules: Assume the user can see your code.

Rather than mysql_real_escape_string you can use addslashes. When you use it, you'll need to use stripslashes to edit the data, though.

Here's a string.

Here\'s a string after addslashes.

Here\\\'s a string after addslashes again.


For unrelated (or barely related) questions, go ahead and start a new thread. You can also mark the thread solved if you get the right answer. This will help people later on when searching.

Puckdropper
Posting Pro
500 posts since Jul 2004
Reputation Points: 23
Solved Threads: 23
 
