Hey, honestly I don't think I'd be much help with the security, but I noticed the bit about preventing a blank email from being sent which I think I can help with. I'm assuming you have a js function for validateform() returning true. What I've done with something I've made like this before is have js check the form to make sure it's good, but also use php to make sure none of the fields are left blank. Very simplified compared to what you have, of course, but something like:
$first_name = isset($_POST['first_name']) ? trim($_POST['first_name']) : '';
$last_name  = isset($_POST['last_name'])  ? trim($_POST['last_name'])  : '';
$email      = isset($_POST['email'])      ? trim($_POST['email'])      : '';
// isset() alone is true for an empty string, so check for non-empty values instead
if($first_name !== '' && $last_name !== '' && $email !== '')
{
mail($to, $subject, $message, $headers); // PHP's mail() takes (to, subject, message, headers)
}
That way it'll only send if all the variables are set. They could always enter irrelevant gibberish, but at least it wouldn't be a blank email. I hope that helps at least somewhat.
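Here is a fuller version of the server-side check described in the post above, written as an added example rather than the poster's own code. It keeps the field names first_name, last_name and email from the post; the function names, the example.com addresses and the constructed $_POST arrays are assumptions. It trims whitespace so that a field containing only spaces still counts as blank, and it validates the email address before it is placed in a mail header, since a value that fails FILTER_VALIDATE_EMAIL (including anything containing line breaks) should never reach mail().

```php
<?php
// Added example, not the poster's code. The browser-side validateform()
// can be skipped entirely, so the server repeats the checks itself.

/**
 * Return an array of field => error message; an empty array means the
 * submission is acceptable. Whitespace-only values count as blank.
 */
function validate_contact_form(array $post): array
{
    $errors = [];
    foreach (['first_name', 'last_name', 'email'] as $field) {
        // isset() is true for '' and for '   ', so trim and compare explicitly.
        $value = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = "$field is required";
        }
    }
    // Only accept a syntactically valid address; this also rejects control
    // characters, which matters because the value ends up in a header line.
    if (!isset($errors['email'])
        && filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email is not a valid address';
    }
    return $errors;
}

/**
 * Send the message only when validation passes. Returns false (and sends
 * nothing) on invalid input, so a blank form never produces a blank email.
 */
function send_contact_mail(array $post, string $to): bool
{
    if (validate_contact_form($post) !== []) {
        return false;
    }
    $email   = trim($post['email']);
    $body    = 'Name: ' . trim($post['first_name']) . ' ' . trim($post['last_name']) . "\n"
             . "Email: $email\n";
    // Assumed sender address; Reply-To uses the already validated submitter address.
    $headers = "From: webform@example.com\r\nReply-To: $email";
    return mail($to, 'Contact form submission', $body, $headers);
}

// Constructed sample submissions (not real data) to exercise the checks.
$good  = ['first_name' => 'Ada', 'last_name' => 'Lovelace', 'email' => 'ada@example.com'];
$blank = ['first_name' => '   ', 'last_name' => '',         'email' => 'ada@example.com'];
$bad   = ['first_name' => 'Ada', 'last_name' => 'Lovelace', 'email' => 'not-an-address'];

var_dump(validate_contact_form($good));   // no errors
var_dump(validate_contact_form($blank));  // first_name and last_name flagged
var_dump(validate_contact_form($bad));    // email flagged
```

In a real handler you would call send_contact_mail($_POST, 'you@example.com') (assumed recipient) and show the returned errors to the user instead of var_dump; the point is that the decision to call mail() depends only on the server-side result, never on the JavaScript having run.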