Here's the sequence of events. A person has a profile page on mywebsite.com. That page has a SEND MESSAGE link which forwards the person's AccountID to the CGI which creates a "Compose Your Message" page. When the submit button is hit, all the info is forwarded to the program I have shown. All this happens on a dedicated server. The check-referrers code was intended to assure that the submittal to the mail program was, indeed, coming from the aforementioned form residing on mywebsite.com. Only other members who have logged on can view the profiles noted above. At least I hope that's the case! If I don't use the check-referrer code, what would you suggest I do to ensure the sequence noted above? Thanks for any input!
If someone is logged in to your site can't you check that they should be granted access to features using the associated Session? Given my previous comments regarding SQL injection, are you sure only people with accounts can log in? With my statement about referrer in mind, do you log emails sent or check to ensure people aren't already doing this? Perl CGI Secure Authentication, Super Search for more.
The website is public. However, anyone wishing to search and view profiles of other members must have an account themselves and log on with their own account ID and PW, which are checked against the database. Then, as long as the other member does not block them, they may elect to send a message to the other member. They are not allowed to see the email address of the recipient, nor does the recipient see the email address of the sender. At this time it is intended that CCs of messages will not be allowed. It is true that any visitor can elect to register at the site to become a member, but then they must conduct a search and focus on an individual before they can send a message.
I do plan to use placeholders with all my SQL queries. Thanks for any additional support you can provide.
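Putting the two suggestions in this thread together (take the sender's identity from the login session rather than the Referer header, use placeholders for every query, and log each send), here is an added example of what the mail CGI could look like. It is not the original poster's script; the DSN, the table and column names, the session key `member_id` and the sendmail path are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;
use DBI;

# Assumed for this example: DSN, credentials, table/column names and the
# session directory are constructed, not taken from the original script.
my $q   = CGI->new;
my $dbh = DBI->connect('dbi:mysql:mywebsite', 'dbuser', 'dbpass',
                       { RaiseError => 1 });

# Who is sending comes from the server-side session created at login,
# never from the Referer header or a form field: the client controls both.
my $session = CGI::Session->load(undef, $q, { Directory => '/tmp/sessions' });
if (!$session || $session->is_empty || !$session->param('member_id')) {
    print $q->header(-status => '403 Forbidden'), "Please log in.\n";
    exit;
}
my $sender_id    = $session->param('member_id');
my $recipient_id = $q->param('AccountID');    # untrusted form input

# Authorisation: recipient must exist and must not have blocked the sender.
# Placeholders keep both ids out of the SQL text, so they cannot alter it.
my ($recipient_email) = $dbh->selectrow_array(
    'SELECT email FROM members WHERE account_id = ?', undef, $recipient_id);
my ($blocked) = $dbh->selectrow_array(
    'SELECT COUNT(*) FROM blocks WHERE blocker_id = ? AND blocked_id = ?',
    undef, $recipient_id, $sender_id);
if (!defined $recipient_email || $blocked) {
    print $q->header(-status => '403 Forbidden'), "Message not allowed.\n";
    exit;
}

# Record every send before delivery so mass messaging shows up in the log.
$dbh->do('INSERT INTO message_log (sender_id, recipient_id, sent_at) '
       . 'VALUES (?, ?, NOW())', undef, $sender_id, $recipient_id);

# Deliver from a site address with a fixed subject: the recipient never sees
# the sender's address, and user text only lands in the body, not in headers.
my $body = $q->param('body') // '';
open(my $mail, '|-', '/usr/sbin/sendmail -oi -t') or die "sendmail: $!";
print $mail "From: messages\@mywebsite.com\n",
            "To: $recipient_email\n",
            "Subject: New message from a mywebsite.com member\n\n",
            "$body\n";
close $mail or die "sendmail exited with status $?";
print $q->header, "Message sent.\n";
```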