Your script is not protected against SQL injection...
Your inputs are not sanitized, which means that your SQL query could be manipulated...
You probably want to look up "mysql_real_escape_string".
At the moment your query could be altered... have a look at this.
INSERT INTO purchase (firstname, lastname, email, address, phone, product, price, amount, created_at) VALUES
($firstname, $lastname, $email, $address, $phone, $product, $price, $amount, now())
Say the user changed the value of $amount,
for example:
$amount = "blah ) ; DROP TABLES...
... we all know what DROP TABLES could do.
You're going to want to change your query so that each input is surrounded by '
example :
('$firstname', '$lastname', '$email', '$address'
And then run your vars through mysql_real_escape_string,
example:
$firstname = mysql_real_escape_string($firstname);
Sorry to have gone a bit off topic, but this is really important: without doing these types of validation you open your site up to a very dangerous exploit that can lead to a complete nightmare.
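An added example (not code from the original post) of the fix the reply describes, taken one step further: rather than quoting and escaping each variable, the same INSERT is written as a PDO prepared statement, which is the standard replacement for mysql_real_escape_string now that the mysql_* extension has been removed (PHP 7 and later). The purchase table and its columns come from the post; the DSN, credentials and the $pdo handle are assumed placeholders, and the vulnerable builder is kept only to show the contrast.

```php
<?php
// Added example, not from the original post. Assumes a MySQL database
// reachable via PDO; DSN and credentials below are placeholders.

// The post's original form: values are spliced straight into the SQL text,
// so a value like   blah ) ; DROP TABLES...   in $amount becomes part of
// the statement. Shown only for contrast; never use this pattern.
function buildVulnerableInsert(array $in): string
{
    return 'INSERT INTO purchase (firstname, lastname, email, address, phone, '
         . 'product, price, amount, created_at) VALUES ('
         . "{$in['firstname']}, {$in['lastname']}, {$in['email']}, {$in['address']}, "
         . "{$in['phone']}, {$in['product']}, {$in['price']}, {$in['amount']}, now())";
}

// Safe form: named placeholders in the SQL, values bound separately. The
// driver sends the values as data, so they are never parsed as SQL and no
// manual quoting or escaping is required.
function insertPurchase(PDO $pdo, array $in): int
{
    $sql = 'INSERT INTO purchase (firstname, lastname, email, address, phone, '
         . 'product, price, amount, created_at) VALUES '
         . '(:firstname, :lastname, :email, :address, :phone, :product, :price, :amount, NOW())';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':firstname' => $in['firstname'],
        ':lastname'  => $in['lastname'],
        ':email'     => $in['email'],
        ':address'   => $in['address'],
        ':phone'     => $in['phone'],
        ':product'   => $in['product'],
        ':price'     => $in['price'],
        ':amount'    => $in['amount'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Placeholder connection details; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Constructed form input, including the post's hostile $amount value.
$input = [
    'firstname' => 'Ann', 'lastname' => 'Example', 'email' => 'ann@example.test',
    'address'   => '1 Main St', 'phone' => '555-0100', 'product' => 'Widget',
    'price'     => '9.99', 'amount' => 'blah ) ; DROP TABLES...',
];
echo "Would have run: " . buildVulnerableInsert($input) . PHP_EOL;
$id = insertPurchase($pdo, $input); // the hostile value is stored as a plain string
echo "Inserted purchase id $id" . PHP_EOL;
```

With PDO::ATTR_EMULATE_PREPARES set to false the statement and the values travel to MySQL separately, so the contrast printed above is the whole point: the vulnerable string is a different query, the prepared one is always the same query.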