Take for example:

    $varpublishername = $_POST['publishername'];
    <input type="text" value="<?php echo $varpublishername; ?>" name="publishername" id="publishername" />

You are taking the value of publishername from POST and echoing it back in the HTML without doing an htmlentities over it. This can allow a hacker to inject some HTML/JS code in the page.
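
The same field rendered without and with escaping, as an added example that is not part of the original post. The helper names `attr`, `render_unsafe` and `render_safe` and the sample value are constructed for illustration, and the `is_string` check is an addition beyond what the post describes.

```php
<?php
// Added example, not code from the original post.
// attr(), render_unsafe() and render_safe() are hypothetical helper names.

/** Escape a value for use inside a quoted HTML attribute. */
function attr(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot close the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of making
    // htmlentities() return an empty string.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The pattern from the post: the value is concatenated as-is. */
function render_unsafe(string $publisher): string
{
    return '<input type="text" value="' . $publisher
        . '" name="publishername" id="publishername" />';
}

/** The corrected pattern: the value is escaped at the point of output. */
function render_safe(string $publisher): string
{
    return '<input type="text" value="' . attr($publisher)
        . '" name="publishername" id="publishername" />';
}

// Constructed sample input standing in for a submitted form field.
// It is harmless, but it contains the characters that matter: " < >
$_POST['publishername'] = 'Acme "Books" <b>Ltd</b>';

// A POST field can arrive as an array (publishername[]=x), which would
// break string handling, so only a string is accepted here.
$raw = $_POST['publishername'] ?? '';
$varpublishername = is_string($raw) ? $raw : '';

// Unescaped: the first " in the value ends the value attribute early,
// and the rest of the input is parsed as markup by the browser.
echo render_unsafe($varpublishername), PHP_EOL;

// Escaped: quotes and angle brackets become entities, so the whole input
// stays inside the attribute and is displayed as text in the field.
echo render_safe($varpublishername), PHP_EOL;
```

Escape at the point of output rather than when reading `$_POST`, so the stored or processed value stays unmodified and each output context gets the encoding it needs.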