When run under the web server, your script will get information from a number of environment variables in a way specified by the common gateway interface (CGI) protocol. You can check that these are set as you would expect, but since a perl script invoking your script directly could also have set them, it isn't infallible.

First is QUERY_STRING; perl's CGI module uses this to get param information, but it will also by default look on the command line or STDIN. Turn this off with "use CGI -no_debug;" and verify that parameters you expect are present.

Verify that $ENV{REQUEST_METHOD} is GET or POST (whichever your form specified). It's also available from the CGI module as request_method(); other variables are similarly available - see CGI.

Check that HTTP_REFERER (sic) is the page containing your form.

That should stop most casual attempts to run your script. You can also set permissions so that only the user the webserver runs as has access to the script.

To further secure things, use a captcha image on your form page and/or a session (via cookie, parameter, or path).