Is there any security risk of injection in the following PHP script?
```php
<?php
$empfaenger_1 = "test@example.com";
$sender = "test@example.com";
$name = $_POST['name'];
$telefon = $_POST['phone'];
$betreff = "Test";
$text =
"Please contact me
Name: $name
Telefon: $telefon";
mail($empfaenger_1, $betreff, $text,"from:$sender");
$url = htmlspecialchars($_SERVER['HTTP_REFERER']);
echo "<center><br><br>Thank you<br><br>";
echo "<center><a href='$url'>Back</a>";
```
Injection in `mail`

Here the risk appears minimal. A couple of answers here point to the possibility of HTML injection into the email. For HTML emails, this is a possibility, but HTML mail messages will have the `Content-type` header set to `text/html` or as a part of a multipart message. RFC 1521 stipulates that a HTML content-type must be set explicitly, and that if no content type is specified that plain text is default:

In the above code, the user-provided text is inserted after the headers; an attacker would have no opportunity to change the content type (either to HTML or to multipart, the latter allowing injection of a MIME boundary).
The end result cannot be anything but a plain text message. If a user injects HTML tags into the message, the person reading the email would see those HTML tags in the message. Email clients generally don’t opportunistically examine plaintext messages to locate and parse embedded HTML and JavaScript.
Injection elsewhere

While the use of `mail` is probably safe, there is a potential injection vulnerability in the remaining code:

By default, `htmlspecialchars` uses the `ENT_COMPAT | ENT_HTML401` flags, which do not convert single quotes to `&#039;`. The link href attribute is delimited with single quotes. So if an attacker can coerce the HTTP referrer to include a single quote, he/she can invoke a routine XSS attack (for instance, if the referrer is coerced into the equivalent of `http://whatever/a' onclick='alert()`, clicking the link can invoke arbitrary JavaScript). To resolve this, either place `"$url"` on the second line in double quotes, or call `htmlspecialchars` with the `ENT_QUOTES` flag.
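The difference between the two flag sets, and both fixes the answer proposes, as an added example (not code from the question or the answer); the referrer value is constructed, and the flags are passed explicitly because PHP 8.1 changed the default to include `ENT_QUOTES`:

```php
<?php
declare(strict_types=1);

// Constructed referrer in the shape discussed above: it carries a single
// quote followed by an event-handler attribute.
$referer = "http://whatever/a' onclick='alert()";

// As in the original script (pre-8.1 default flags): &, <, > and " are
// encoded, but the single quote passes through untouched, so it can close
// a single-quoted href attribute early.
function weakLink(string $url): string
{
    $encoded = htmlspecialchars($url, ENT_COMPAT | ENT_HTML401, 'UTF-8');
    return "<a href='$encoded'>Back</a>";
}

// Fix A: keep the single-quoted attribute but encode ' as &#039; too.
function fixedLinkEntQuotes(string $url): string
{
    $encoded = htmlspecialchars($url, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return "<a href='$encoded'>Back</a>";
}

// Fix B: delimit the attribute with double quotes, which even the weak
// flag set already encodes as &quot;.
function fixedLinkDoubleQuoted(string $url): string
{
    $encoded = htmlspecialchars($url, ENT_COMPAT | ENT_HTML401, 'UTF-8');
    return '<a href="' . $encoded . '">Back</a>';
}

// Defensive check: the delimiter used for the attribute must not survive
// unencoded anywhere in the rendered tag's attribute value. The tag is
// split on its delimiter; a safe tag yields exactly the open and close
// quote, i.e. three pieces.
function attributeIsContained(string $tag, string $delimiter): bool
{
    return count(explode($delimiter, $tag)) === 3;
}

foreach (['weak' => weakLink($referer),
          'fix A' => fixedLinkEntQuotes($referer),
          'fix B' => fixedLinkDoubleQuoted($referer)] as $label => $tag) {
    $delim = $label === 'fix B' ? '"' : "'";
    printf("%-6s contained=%s  %s\n", $label,
        attributeIsContained($tag, $delim) ? 'yes' : 'no', $tag);
}
```

Run with `php example.php`: the weak variant reports the attribute as not contained, while both fixes keep the whole referrer inside the quoted value.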