in reply to Re: •Security Alert (was Re: Re: checking for null variables)
in thread checking for null variables

Well, there are (at least) two rules to follow about "form-to-email".

First, do not fill in the to: or cc: fields (or any other field that can have a delivery address) from any form data. Hardwire it into the program:

    print SENDMAIL <<"END";
    To: some.person\@my.domain.only
    Subject: $FORM{subject}

    $FORM{detail}
    END

Second, if you use any form data in the header (like subject above), make very sure that the data cannot possibly contain newlines or anything resembling newlines. Otherwise, a bad guy can insert a newline into the data (not using your form, but using their own formstuffer), and insert a to/cc/bcc field, thus losing the protection provided in the previous point.

Does that help?

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

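The two rules above, put into a small Perl example that is added here and is not Randal's code: the recipient is hardwired, and any header value taken from the form is rejected if it contains a newline or one of the other characters a lenient mail program might treat as one. The address, the length limit and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rule one: the recipient is hardwired, never taken from form data.
my $TO = 'some.person@my.domain.only';   # placeholder address for the example

# Rule two: a header value must not contain anything that ends a header line.
# Besides \n and \r this rejects the other vertical-whitespace characters a
# lenient MTA or decoder might accept as a line break (VT, FF, NEL, LS, PS).
sub header_value_ok {
    my ($value) = @_;
    return 0 unless defined $value;
    return $value !~ /[\r\n\x0B\x0C\x{85}\x{2028}\x{2029}]/;
}

# Returns ($message, undef) on success or (undef, $reason) if the form data
# cannot be used safely. The body goes after the blank line that closes the
# header block, so newlines inside it cannot turn into header fields.
sub build_message {
    my ($subject, $detail) = @_;
    return (undef, 'subject contains a line break')
        unless header_value_ok($subject);
    $subject = substr($subject, 0, 200);   # assumed sane header length
    my $msg = "To: $TO\n"
            . "Subject: $subject\n"
            . "\n"
            . "$detail\n";
    return ($msg, undef);
}

# Constructed sample inputs: one ordinary submission and one that tries to
# smuggle an extra header through the subject field.
my %good = (subject => 'Question about the form', detail => "Line one\nLine two");
my %bad  = (subject => "hi\nBcc: someone\@example.invalid", detail => 'x');

for my $form (\%good, \%bad) {
    my ($msg, $err) = build_message($form->{subject}, $form->{detail});
    print defined $msg ? "accepted:\n$msg\n" : "rejected: $err\n";
}
```

Only the accepted message should ever be written to the sendmail pipe; a rejected submission is logged and dropped rather than "cleaned up" by stripping characters, since a stripped value can still be something the sender never intended.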