I moved this to Website Technology in the hope that it would get a little more activity. I'm a big fan of "tell a friend" functionality. If you search for "secure tell a friend script" you get some hits, but I'd be interested to see if someone has experience with the techniques needed to avoid rogue use.

Hi. I wrote my own "Tell-a-friend" script which uses the users email address and name.

It prevents spamming since the outgoing email has the senders name and address on it, so it better be going to only friends.

That information comes from the database as part of their profile so they are not apt to spam.

I'm glad you asked this because I'm wanting to do something similar so it made me think of something I hadn't thought about.

I think I'd definitely limit the fields to "email" and "sender's name".

Another thing I would do is limit the number of times a person could refer a link to someone to prevent malicious/annoying email. I'd also make sure there was no way the mailer worked unless the referer was from the page you have the "send to a friend" link on.

If you want the person sending the link to be able to enter their name, how about just limiting the "sender" field to 15 characters or so? If you want to prevent links from being sent, I'd use a string checker to check and make sure there's no "http://" or "www".

As a (very) basic measure, you could create a md5 hash for the time (and additional seed words?) and have it as a hidden input on the tell-a-friend page, then, when the page is POST'd, you could compare the hash against the new time hash, and if its within 2 seconds, don't send it, assuming its spam. Not perfect by any means, but it may cull some of the more basic spam you might face.

Its late though, so someone will surely come along and point out all the flaws while I'm asleep :)