It may possible that he is trying to hack. I am sure you are storing form data after escaping/sanitizing the content which eliminate the risk of Sql injection
and since user can submit empty form it mean you haven done the server side validation. what you need to check is
- First check that weather field is set or not
- name can only contain latter for example [a-zA-Z] (for english)
- phone number can only contain digit [0-9]
- validate email formate (you can also use
FILTER_VALIDATE_EMAIL) - use captcha code (Google’s recaptcha is quite good)
Good Read
- Validating Sanitizing and Escaping User Data
- Data Validation
- Chris Shiflett : security articles (heighly recomended reading)