Short answer: give up now and improve your validation.

Longer answer: your form specifies an API in the form of a set of parameters that your CGI program expects to receive as an HTTP POST (or GET, depending on how lenient you are) request. At some point this information will be visible in a format that a determined programmer can write something to submit a request against you. You could try doing some obfuscation by maybe having Javascript which massages and encodes things before submitting that. The problem is you have to give the potential "attacker" that code so they can make legitimate submissions (to say nothing of making it harder-to-impossible for your "primitive/limited" browser users).

So yes you can make a non-trivial-sized speed bump, but you're only going to keep out the kiddies on tricycles not the determined black hats in four wheel drive vehicles.