On my original php form message form script, I checked the referrer to avoid the form getting hijacked, like so:

 // Get the referring URL
$referer = $_SERVER['HTTP_REFERER'];
 // Get the URL of this page
 $this_url = "http://".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"];
 // If the referring URL and the URL of this page don't match then don't send the email.
 if ($referer!= $this_url) {
 echo "Please go away.";
 }
 else {
.........
mail($dest,$sujet,$text,$headers);
 }

Then, I had two problems - one was mail injection hacks, but also site visitors with Norton Firewall that somehow kept my script from being able to gather the referrer. So that test was actually keeping certain site visitors from being able to use the form.

So I set up a mail injection hack stopper:

// hard-code this form's input variable names
$input_vars = array('name','telephone','address','town','email','message');
// check each input variable for injection attempts and kill the process if we find one
foreach($input_vars as $field){
$input = $_POST[$field];
if (((eregi("\r", $input) ¦¦ eregi("\n", $input)) && $field == 'email') ¦¦ eregi("%0a", $input) ¦¦ eregi("%0d", $input) ¦¦ eregi("Content-Type:", $input) ¦¦ eregi("bcc:", $input) ¦¦ eregi("to:", $input) ¦¦ eregi("cc:", $input)) {
die("##########"); // end the process if injection
} 
}

So far, so good.

But now, it's the recipient of the form that's getting hit with tons of spam being sent via the form :(

This is a very public site, so I can't use a distorted image of letters that the user needs to type in.

ARe there any solutions here? I've done a good deal of searching and found lots about mail injection, but not any way to solve my "form hijacked, sent to recipients" problem.

What a drag to need to spend time on this sort of thing!