Never display user data back to the user unfiltered.

Traditional Form Handling
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
Your name: <input type=text name=name><br>
Your age: <input type=text name=age><br>
<input type=submit>
</form>
<?php
// Handle the submission: the posted values are written straight back into
// the page, which is exactly the unfiltered display the rule above forbids.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  echo <<<EOB
Hi $_POST[name], you are $_POST[age] years old.
EOB;
}
?>
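The same greeting rendered two ways, as an added example that is not part of the original page: the unfiltered version from the form handler above beside one that encodes the values before they reach the markup. The helper names (h, greet_unfiltered, greet_escaped) and the sample submission are this example's own.

```php
<?php
// Added example, not code from the original page. Names below are the
// example's own; $sample stands in for a real $_POST array.
declare(strict_types=1);

// Encode a value for safe insertion into an HTML element body or attribute.
function h(string $value): string
{
    // ENT_QUOTES also encodes the single quote, so the value is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 rather
    // than returning an empty string; the charset must match the page's.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unfiltered rendering: whatever the client sent lands in the markup as-is.
function greet_unfiltered(array $post): string
{
    return "Hi {$post['name']}, you are {$post['age']} years old.";
}

// Filtered rendering: the same template, with every untrusted value encoded
// and the numeric field validated instead of merely encoded.
function greet_escaped(array $post): string
{
    $name = h($post['name'] ?? '');
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        return "Hi {$name}, the age you entered is not valid.";
    }
    return "Hi {$name}, you are {$age} years old.";
}

// Constructed sample submission: markup in the name, junk after the age.
$sample = [
    'name' => '<script>alert("xss")</script>Bob',
    'age'  => '30<img src=x>',
];

echo "Unfiltered: " . greet_unfiltered($sample) . PHP_EOL;
echo "Escaped:    " . greet_escaped($sample) . PHP_EOL;
```

The first line of output carries a live script element into the page; the second shows it as literal text and rejects the malformed age.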
Output
Your name:
Your age: