Sending mail using php mail() — abusing 'from&

Published 2019-09-21 18:35

Question:

I'm implementing a contact form in php using the mail() function. In the contact form, I ask for the user's email address, and upon submission I send their message to my own email address.

Here is my php code:

    $to = 'myemail@gmail.com';                 // where contact-form messages are delivered
    $from_name = $_POST['InputName'];          // visitor-supplied, not validated
    $from_email = $_POST['InputEmail'];        // visitor-supplied, not validated
    $subject = 'Message from '.$from_name;
    $message = $_POST['InputMessage'];
    // the visitor's claimed address becomes both the From and the Reply-To header
    $headers = 'From: '.$from_email."\r\n".'Reply-To: '.$from_email.
        "\r\n".'X-Mailer: PHP/'.phpversion();
    $mailsuccess = mail($to,$subject,$message,$headers);

After testing this, I realize a person can send me an email masquerading as someone else's valid email address. For example, during testing, I used my friend's email and sent myself a message. Isn't this a security problem? In my gmail account, I did get a warning that this email may not be from that person, but if it's not clearly spam I usually ignore that warning.

For example, if Bob (bob@gmail.com) sends a message through the contact form masquerading as Chris (chris@gmail.com), I will respond in my email to Chris. Chris thinks his email is hacked because he never sent that email. Is this generally an issue? Or is there a way to make it safer?

Answer 1:

It's called email spoofing. SMTP is not a very secure protocol. It's always been possible to spoof. Unfortunately, there is no way around it unless every email server on earth makes changes to fix that, which is unlikely.

It's how a lot of phishing and spam happens.
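The answer above is about the protocol, but the contact form itself does not have to put the visitor's claimed address in From. The usual hardening is to send From an address on your own domain and keep the visitor's address only in Reply-To, after validating it. Below is an added example of that pattern; it is not the original poster's code nor the answerer's. It assumes a site address `noreply@example.com` (the site's domain is assumed to publish SPF/DKIM for the sending server), and the function names `sanitizeHeaderAddress`, `headerSafeText` and `sendContactMail` are this example's own. The CR/LF check is a caveat the thread does not discuss: the original headers are built by string concatenation from `$_POST`, so a newline in the submitted address would otherwise add headers of the visitor's choosing.

```php
<?php
// Added example, not code from the original question or answer.
// Hardened contact-form mailer: From is always the site's own address
// (assumed: noreply@example.com); the visitor's address goes only into
// Reply-To, and only after validation.

/**
 * Validate a visitor-supplied email address for use in a mail header.
 * Returns the address, or null if it is not a single syntactically valid
 * address or contains CR/LF (which would let the visitor inject headers).
 */
function sanitizeHeaderAddress(string $addr): ?string
{
    $addr = trim($addr);
    if (preg_match('/[\r\n]/', $addr)) {
        return null;
    }
    $valid = filter_var($addr, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Remove CR/LF from free text that is placed in a header line (the subject),
 * so it cannot continue into a new header.
 */
function headerSafeText(string $s): string
{
    return trim(str_replace(["\r", "\n"], ' ', $s));
}

/**
 * Send the contact-form message to $to. $siteFrom is an address on our own
 * domain; $post is the submitted form (normally $_POST).
 * Returns false without sending if the visitor's address is unusable.
 */
function sendContactMail(array $post, string $to, string $siteFrom): bool
{
    $fromName  = headerSafeText($post['InputName'] ?? '');
    $fromEmail = sanitizeHeaderAddress($post['InputEmail'] ?? '');
    $message   = $post['InputMessage'] ?? '';

    if ($fromEmail === null || $fromName === '') {
        return false; // reject rather than send with a bogus reply address
    }

    $subject = 'Message from ' . $fromName;

    // From is ours, so the receiving server checks SPF/DKIM/DMARC against our
    // domain instead of against whatever address the visitor typed.
    $headers = 'From: ' . $siteFrom . "\r\n"
             . 'Reply-To: ' . $fromEmail . "\r\n"
             . 'X-Mailer: PHP/' . phpversion();

    // Repeat the claimed address in the body so it is read as a claim made by
    // the visitor, not as the verified sender.
    $body = "Contact form submission from: {$fromName} <{$fromEmail}>\n\n" . $message;

    return mail($to, $subject, $body, $headers);
}

// Usage (addresses are assumed):
// $ok = sendContactMail($_POST, 'myemail@gmail.com', 'noreply@example.com');
```

Replying still goes to the address the visitor typed, so the scenario in the question (Bob entering Chris's address) is not eliminated; what changes is that your mail client no longer shows the message as sent by Chris, and the Reply-To line makes the claimed address visible for what it is.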