As DigitalXeron pointed out, that is a very dangerous script to have on a public computer. Anyone can send as much email as they want using your address, or at least the address provided in the script as the "From" and "BCC". And it will all be coming from the server on which it runs.
I would definitely work some sort of authentication in there to make sure that only those who should be sending email with this script are sending email with this script.
Also, a coding style question: why is the single quote being replaced with a string literal on line 11, but the same thing done with a double quote on line 15 is done with a variable that is used only once? Or for that matter, why are the replacements done that way at all? You can do it this way and save a few lines of code and some memory (granted a small amount, but every bit helps):
$char1="\'";
$message = str_replace($char1, "'", $message);
$char2='\"';
$char2b='"';
$message = str_replace($char2, $char2b, $message);
becomes
$message = str_replace(array("\'", '\"'), array("'", '"'), $message);
I always strive to make my code consistent, neat and concise. At least when possible. :)
More importantly, never ever trust input, especially if you're going to be using it to trigger something like email.
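An added example, not part of the post above and not the script under discussion: one way to gate a mail-sending script behind a shared secret and to reject input that could alter the mail headers. The environment variable MAIL_FORM_TOKEN, the POST field names, the length limits and the example.com addresses are all assumptions made for illustration.

```php
<?php
// Added example (not the script from this thread). Assumed names:
// MAIL_FORM_TOKEN env var; POST fields token, to, subject, message.

// Return a POST field as a string; arrays and missing keys become ''.
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? $value : '';
}

// A CR or LF in a header value would let the sender add headers (Bcc, Cc...).
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Returns an error string, or null when the request may be sent.
function check_request(array $post, string $expectedToken): ?string
{
    // Constant-time comparison; an unset token on the server never matches.
    if ($expectedToken === '' || !hash_equals($expectedToken, field($post, 'token'))) {
        return 'not authorized';
    }
    $to = field($post, 'to');
    if (!is_header_safe($to) || filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return 'bad recipient';
    }
    $subject = field($post, 'subject');
    if ($subject === '' || strlen($subject) > 200 || !is_header_safe($subject)) {
        return 'bad subject';
    }
    $message = field($post, 'message');
    if ($message === '' || strlen($message) > 10000) {
        return 'bad message';
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    $error = check_request($_POST, (string) getenv('MAIL_FORM_TOKEN'));
    if ($error !== null) {
        http_response_code(403);
        exit($error);
    }
    // From and Bcc are fixed in the script (constructed placeholder addresses),
    // never taken from the request.
    $headers = "From: webform@example.com\r\nBcc: archive@example.com";
    mail($_POST['to'], $_POST['subject'], $_POST['message'], $headers);
}
```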