
@mikaelz
Last active June 9, 2018 22:13
<?php
// Form page (the gist's first file). functions.php is assumed to provide sanitize(),
// valid_email() and the session_start() call this page relies on.
require dirname(__FILE__) . '/functions.php';

$module   = md5('MODULE_NAME');
$page_url = sanitize($_SERVER['PHP_SELF']);   // PHP_SELF can carry client-supplied path info

// A submitted form is handled by save.php before the page is rendered again.
if (isset($_POST['firstname'])) {
    require dirname(__FILE__) . '/save.php';
}
// Re-populate the form from the values save.php left in the session.
if (isset($_SESSION[$module]['firstname'])) {
    extract($_SESSION[$module]);
}
// Fresh CSRF token for the form that is about to be rendered.
$csrf_salt = base64_encode(openssl_random_pseudo_bytes(16));
$_SESSION[$module]['csrf_salt'] = $csrf_salt;
?>
<form class="signup" action="<?php echo $page_url ?>" method="post">
<input type="hidden" name="csrf_salt" id="csrf_salt" value="<?php echo $csrf_salt ?>"/>
<table>
<tr>
<td><label for="email">E-mail <span class="asterix">*</span></label></td>
<td><input type="text" name="email" id="email" maxlength="255" value="<?php if (isset($email)) echo $email ?>"/></td>
</tr>
<tr>
<td><label for="password">Password <span class="asterix">*</span></label></td>
<td><input type="password" name="password" id="password" maxlength="20" /></td>
</tr>
<tr>
<td><label for="password2">Confirm password <span class="asterix">*</span></label></td>
<td><input type="password" name="password2" id="password2" maxlength="20" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><button type="submit">Submit</button></td>
</tr>
</table>
</form>
<?php
// functions.php: the sanitize() helper required by the form page.
// get_magic_quotes_gpc() was removed in PHP 8.0 and mysql_real_escape_string() in
// PHP 7.0; on PHP 5 the latter also needs an open mysql connection, otherwise it
// emits a warning and returns false.
function sanitize($input, $strip = true, $charset = 'UTF-8')
{
    if (is_array($input)) {
        $output = array();
        foreach ($input as $key => $data) {
            $output[$key] = sanitize($data, $strip, $charset);
        }
        return $output;
    } else {
        // Strip HTML tags if set
        if ($strip) $input = strip_tags($input);
        // Encode special chars. This runs at input time, so the value that reaches
        // $_SESSION, the database and the re-rendered form is already HTML-escaped
        // (and then SQL-escaped on top of that).
        $input = htmlspecialchars($input, ENT_QUOTES, $charset);
        if (get_magic_quotes_gpc())
            return mysql_real_escape_string(stripslashes($input));
        else
            return mysql_real_escape_string($input);
    }
}
<?php
// save.php: required by the form page when a POST arrives; $module is defined there.
$secured = array();
$secured = sanitize($_POST);

// extract() turns every POST field into a local variable, including $csrf_salt
// (and $module, should the client choose to post one).
extract($secured);

// Copy the POST values into the session (note: this runs before the token comparison).
foreach ($secured as $key => $value) {
    $_SESSION[$module][$key] = $value;
}

// idea from http://stackoverflow.com/a/10469574/289404
if ($csrf_salt !== $_SESSION[$module]['csrf_salt']) {
    echo '<br class="clr"><p class="notice">Bad request token. Please try again.</p>';
    return false;
}

// Check required
$required = array(
    'firstname' => 'First name',
    'surname'   => 'Last name',
    'zip'       => 'ZIP',
    'email'     => 'E-mail',
    'password'  => 'Password',
    'password2' => 'Confirm password',
    'agree'     => 'Agreement',
);
foreach ($required as $key => $value) {
    if (empty(${$key})) {
        echo '<br class="clr"><p class="notice">Please enter: '.$value.'.</p>';
        return false;
    }
}
// Strict comparison: with != PHP compares numeric strings as numbers ('1e3' == '1000').
if ($password !== $password2) {
    echo '<br class="clr"><p class="notice">Passwords mismatch.</p>';
    return false;
}
if (!valid_email($email)) {
    echo '<br class="clr"><p class="notice">Bad e-mail.</p>';
    return false;
}
unset($_SESSION[$module]);
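Added example, not code from the gist: sanitize() above escapes for HTML (htmlspecialchars) and for MySQL (mysql_real_escape_string) in a single pass at input time, so the value that reaches the session, the database and the re-rendered form is already altered (a surname like O'Brien becomes O&#039;Brien and is then backslash-escaped on top). The script below keeps the raw value and escapes per output context instead: validation at input, a prepared statement for the database, htmlspecialchars() only where the value is written into HTML. It assumes PHP 7.4 or later with the pdo_sqlite extension (the gist targets MySQL; the same PDO calls apply there); the users table, the validate_signup/store_user/html helper names and the sample submission are constructed for the demo.

```php
<?php
// Added example, not part of the gist. Assumes PHP 7.4+ with pdo_sqlite;
// the table layout and the sample submission below are made up for the demo.
declare(strict_types=1);

/** Input-time validation: reject bad input, never rewrite accepted input. */
function validate_signup(array $fields): array
{
    $errors  = [];
    $email   = trim((string)($fields['email'] ?? ''));
    $surname = trim((string)($fields['surname'] ?? ''));
    if ($surname === '') {
        $errors[] = 'Please enter: Last name.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Bad e-mail.';
    }
    $password  = (string)($fields['password'] ?? '');
    $password2 = (string)($fields['password2'] ?? '');
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    if ($password !== $password2) {   // strict: '1e3' and '1000' must not match
        $errors[] = 'Passwords mismatch.';
    }
    return [$errors, ['email' => $email, 'surname' => $surname, 'password' => $password]];
}

/** Database context: bound parameters carry the raw value; no string escaping. */
function store_user(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (email, surname, password_hash) VALUES (:email, :surname, :hash)'
    );
    $stmt->execute([
        ':email'   => $clean['email'],
        ':surname' => $clean['surname'],
        ':hash'    => password_hash($clean['password'], PASSWORD_DEFAULT),
    ]);
    return (int)$db->lastInsertId();
}

/** HTML context: escape at the template boundary, where the context is known. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
           surname TEXT NOT NULL, password_hash TEXT NOT NULL)');

// Constructed submission with characters the original sanitize() would rewrite.
$post = [
    'email'     => 'ada@example.com',
    'surname'   => "O'Brien <script>alert(1)</script>",
    'password'  => 'correct horse battery',
    'password2' => 'correct horse battery',
];

[$errors, $clean] = validate_signup($post);
if ($errors !== []) {
    foreach ($errors as $error) {
        echo '<p class="notice">' . html($error) . "</p>\n";
    }
    exit(1);
}

$id   = store_user($db, $clean);
$stmt = $db->prepare('SELECT surname FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The database holds exactly what the user typed; only the HTML output is escaped.
echo 'stored:   ' . $row['surname'] . "\n";
echo 'rendered: <td>' . html($row['surname']) . "</td>\n";
```

Run it with php from the command line. The point of the split is that each escaping function is applied exactly once, in the context it was designed for; the stored surname keeps its apostrophe and angle brackets, and the rendered cell shows them entity-encoded.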
@bpearson

All good in theory, but with errors (aside from the form not working as firstname is never filled out). The main error I can see is using extract() ... try to avoid this as you can get unexpected results (e.g. $module could be changed by a $_POST var while pretty useless unless there is more code to create sessions). The problem is in the save.php:

extract($secured);

foreach ($secured as $key => $value) {
    $_SESSION[$module][$key] = $value;
}

// idea from http://stackoverflow.com/a/10469574/289404
if ($csrf_salt !== $_SESSION[$module]['csrf_salt']) {

Here you are extracting $csrf_salt AND setting it in the $_SESSION, so really there is no CSRF protection on this form (unless you consider no csrf_salt is the protection).

@PedroGabriel

bpearson, do you have a better example than this one?
Extract always gets things into trouble.
name="register[something]" is always a better option to work with.
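As an added example (not the gist's code, nor code from either commenter), the script below reproduces the bypass bpearson describes and shows the two changes the thread points at: compare the stored token with the posted one explicitly, using hash_equals() instead of extract() and ===, and read the form fields from a register[...] array as PedroGabriel suggests so that posted names can never shadow script variables. It assumes PHP 7 or later; $_SESSION is stood in for by a plain array so the script runs from the command line without session_start(), and the MODULE constant, the function names and the two sample requests are constructed for the demo.

```php
<?php
// Added example, not part of the gist or the comments. Assumes PHP 7+;
// a plain array stands in for $_SESSION so this runs from the CLI.
declare(strict_types=1);

const MODULE = 'MODULE_NAME';   // stands in for the gist's md5('MODULE_NAME') key

/** Mirrors the form page: mint a token and remember it in the module's session slot. */
function issue_token(array &$session): string
{
    $token = base64_encode(random_bytes(16));
    $session[MODULE]['csrf_salt'] = $token;
    return $token;
}

/** The gist's save.php logic, unchanged in substance. */
function original_check(array $post, array &$session): bool
{
    $module = MODULE;
    extract($post);                       // a posted 'module' or 'csrf_salt' lands here
    foreach ($post as $key => $value) {   // the POST overwrites the stored token...
        $session[$module][$key] = $value;
    }
    // ...so this compares the posted token with itself.
    return isset($csrf_salt) && $csrf_salt === $session[$module]['csrf_salt'];
}

/** Hardened check: both sides are read explicitly and compared in constant time. */
function hardened_check(array $post, array $session): bool
{
    $expected = $session[MODULE]['csrf_salt'] ?? null;
    $given    = $post['csrf_salt'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

/** Form fields live under register[...]; returns the list of missing required ones. */
function required_fields(array $post, array $required): array
{
    $fields = $post['register'] ?? null;
    if (!is_array($fields)) {
        return ['Bad request.'];
    }
    $errors = [];
    foreach ($required as $key => $label) {
        $value = $fields[$key] ?? null;
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "Please enter: $label.";
        }
    }
    return $errors;
}

$required = ['firstname' => 'First name', 'email' => 'E-mail'];
$session  = [];
$token    = issue_token($session);

// Constructed requests: a genuine submission echoing the issued token, and a forged
// cross-site submission whose author never saw it (and posts a 'module' field to
// steer the session write to a slot of its choosing).
$genuine = ['csrf_salt' => $token,
            'register'  => ['firstname' => 'Ada', 'email' => 'ada@example.com']];
$forged  = ['csrf_salt' => 'anything', 'module' => 'attacker-chosen',
            'register'  => ['firstname' => 'Mallory', 'email' => 'm@example.com']];

foreach (['genuine' => $genuine, 'forged' => $forged] as $name => $post) {
    $scratch = $session;                  // the original check mutates the session
    printf("%-8s original: %-9s hardened: %s\n", $name,
        original_check($post, $scratch) ? 'accepted' : 'rejected',
        hardened_check($post, $session) ? 'accepted' : 'rejected');
}

// A submission that carries the right token but no first name.
print_r(required_fields(['csrf_salt' => $token,
                         'register'  => ['email' => 'ada@example.com']], $required));
```

Run it with php from the command line: the original logic accepts both requests, the hardened check accepts only the genuine one, and the required-field check lists the missing first name. Two details carry the fix: the token is never copied from the POST into the session before being compared, and nothing from the POST becomes a local variable, so neither $csrf_salt nor $module can be supplied by the client.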
