/* $to set to your wanted value up here somewhere */
if($debug){ //$debug not initialised anywhere in script so $debug should always == (but not ===) false. However, spammers need to do is stick a &debug=true into the request querystring or post data, and I think even possibly cookies as well, and bobs yer uncle, if register globals is on
$to = $_POST['to']
}
/* sends email here */