bobafifi has asked for the wisdom of the Perl Monks concerning the following question:

Does this work?? (trying to reject any form submissions not from my domain).
    # Just the domain name, no "www"
    MY $AuthorizedDomain = 'example.com';
    MY $FormDomain = LC $ENV{HTTP_REFERER};
    $FormDomain =~ S!^https?://(?:www\.)?(.*?)(?:/.*)$!$1!;
    UNLESS($FormDomain eq LC $AuthorizedDomain) { ErrorHTML('Unauthorized access.'); }

Many thanks in advance,
-Bob

Replies are listed 'Best First'.
Re: AuthorizedDomain script?
by markkawika (Monk) on Jul 08, 2009 at 17:32 UTC
    Well, let me point out some of the many problems with that script.

    1. There is no use strict;
    2. There is no use warnings;
    3. The reserved words my and unless are in ALL CAPS
    4. The functions lc and s/// are in ALL CAPS
    5. There is a bareword (HTTP_REFERER)
    6. The regex has some unnecessary grouping parentheses
    7. The function ErrorHTML is not defined

    Let me re-write it using some Perl Best Practices:

    use strict;
    use warnings;

    # Just the domain name, no "www."
    my $AuthorizedDomain = lc 'example.com';
    my $FormDomain = lc( $ENV{'HTTP_REFERER'} || '' );   # empty string, not an uninitialized-value warning, when no header was sent
    $FormDomain =~ s{
        \A https?://   # Strip off the protocol
        (?:www\.)?     # Strip off any "www."
        (.*?)          # Grab everything before...
        (?: /          # The first slash
            .*         # And delete the rest
        )?             # (or nothing, when the referer has no path at all)
        \Z
    }{$1}msx;          # no spaces around $1: /x applies to the pattern only, not the replacement
    if ($FormDomain ne $AuthorizedDomain) {
        ErrorHTML('Unauthorized access.');
    }

    Of course, for this to really work, the ErrorHTML function would have to be defined somewhere.

    Update: Removed #5. Thanks, Your Mother.

      Looks like a good redraft but #5 isn't right. The key for the hash is automatically quoted (when possible) so it's not a bareword. It's normal/legal/non-warning Perl.

      cow@moo[19]>perl -Mstrict -lwe 'my %h; $h{ABC}++; DEF;'
      Bareword "DEF" not allowed while "strict subs" in use at -e line 1.
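The host-extraction regex above is the part most likely to misbehave on real traffic. As an added illustration (this is not code from the thread; the sub names referer_host and same_site are my own), here is a version that copes with the cases the one-liner does not: an absent header, a referer with no path, an explicit port, userinfo before the host, and a look-alike host such as example.com.attacker.net. The sample referer values at the bottom are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Assumed names: referer_host, same_site.
use strict;
use warnings;

# Return the host part of a Referer value, lower-cased, with any leading "www."
# and any port stripped; return undef when the header is absent or unparsable.
sub referer_host {
    my ($referer) = @_;
    return undef unless defined $referer && length $referer;
    return undef unless $referer =~ m{
        \A https?://          # scheme (case-insensitive via /i)
        (?: [^/?\#@]* @ )?    # optional userinfo, discarded
        ( [^/?\#:]+ )         # host: stop at port, path, query or fragment
        (?: : \d+ )?          # optional port
        (?: [/?\#] | \z )     # authority must end here
    }msxi;
    my $host = lc $1;
    $host =~ s/\Awww\.//;
    return $host;
}

# Exact comparison only: a prefix or substring match would accept
# "example.com.attacker.net" as "example.com".
sub same_site {
    my ($referer, $authorized) = @_;
    my $host = referer_host($referer);
    return 0 unless defined $host;
    return $host eq lc $authorized ? 1 : 0;
}

# Constructed sample values; the second column is the expected verdict.
my @cases = (
    [ 'http://www.example.com/form.cgi',            1 ],
    [ 'HTTPS://Example.COM',                        1 ],  # no trailing slash
    [ 'http://example.com:8080/x?y=1',              1 ],  # port and query string
    [ 'http://user@example.com/',                   1 ],  # userinfo before host
    [ 'http://example.com.attacker.net/',           0 ],  # look-alike host
    [ 'http://attacker.net/?u=http://example.com/', 0 ],  # our name only in the query
    [ undef,                                        0 ],  # header not sent at all
    [ '',                                           0 ],
);
for my $c (@cases) {
    my $ok = same_site($c->[0], 'example.com');
    printf "%-48s %s\n", defined $c->[0] ? $c->[0] : '(no Referer)',
        $ok == $c->[1] ? 'ok' : 'MISMATCH';
}
```

Note that same_site returns 0 when the header is missing, so a browser or proxy that strips Referer will be rejected along with forged requests; whether that is acceptable is exactly the question scorpio17 raises further down.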
Re: AuthorizedDomain script?
by Your Mother (Archbishop) on Jul 08, 2009 at 17:32 UTC

    No, it does nothing. It's invalid Perl due to the casing and without more code it's invalid due to the ErrorHTML sub being undefined. Be careful about copying and running stuff you don't understand. There are short snippets in any number of languages that can lock up a computer or do real damage.

      The snippet (especially the updated one a couple of comments up) gets the point across: "check the HTTP_REFERER* header and compare it with my domain (example.com)." You aren't really at example.com, so you'll need to change that as well.

      *Yes, REFERER is misspelled in the http spec, so that really is the name of the header, instead of referrer.

        Yeah, I know. My point was that it's possible you can do things like fork bomb or erase your entire disk with a handful of characters and they can be disguised by a clever hacker as innocuous code. When I see an example like the one you showed us which is obviously, completely wrong it puts me on guard: suspecting that the source of the code, the site, is potentially dangerous. Just advising caution.

Re: AuthorizedDomain script?
by markkawika (Monk) on Jul 08, 2009 at 17:04 UTC
    Why don't you tell us?

    Does it work?

      Sorry Mark for the vagueness... I found the script on the web but it doesn't seem to do anything. Just wondering if it's coded right and/or if other people are using it and it's working for them.
Re: AuthorizedDomain script?
by scorpio17 (Canon) on Jul 09, 2009 at 13:32 UTC

    Assuming your real question is whether HTTP_REFERER can be used to check where a given request is coming from, the answer is "it depends". It sometimes works, but not reliably. It's fairly easy to spoof a false value, or to send no value at all (some browsers may do this for extra security).

    Think about why you want to do this kind of check, then ask for a way to deal with that issue.
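If the issue behind the question is "only accept POSTs that came from my own form", the usual answer instead of a Referer check is a per-session token embedded in the form, which a forged cross-site request cannot produce and which a missing header does not affect. The following is an added example, not code from the thread or from any of the posters; the sub names issue_token and check_token, the secret, and the session ids are placeholders, and it uses only the core Digest::SHA module.

```perl
#!/usr/bin/perl
# Added example, not from the original thread.
# Assumed names: $SECRET, $TTL, issue_token, check_token, constant_time_eq.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret; in a real deployment load it from configuration, not source.
my $SECRET = 'replace-me-with-32-random-bytes';
my $TTL    = 3600;   # token lifetime in seconds

# Token = expiry . ':' . HMAC-SHA256(session_id . ':' . expiry, secret).
# Binding the MAC to the session id stops a token captured from one
# user's page being replayed in a request for another user's session.
sub issue_token {
    my ($session_id, $now) = @_;
    my $expires = $now + $TTL;
    my $mac = hmac_sha256_hex("$session_id:$expires", $SECRET);
    return "$expires:$mac";
}

# Compare two strings without stopping at the first differing byte,
# so the comparison time does not leak how much of the MAC was right.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns 1 for a well-formed, unexpired token issued for this session, else 0.
sub check_token {
    my ($session_id, $token, $now) = @_;
    return 0 unless defined $token && $token =~ /\A(\d+):([0-9a-f]{64})\z/;
    my ($expires, $mac) = ($1, $2);
    return 0 if $expires < $now;                      # expired
    my $expected = hmac_sha256_hex("$session_id:$expires", $SECRET);
    return constant_time_eq($mac, $expected);
}

# Usage: put issue_token(...) in a hidden field when rendering the form, and
# reject the POST unless check_token(...) returns 1. Constructed demo values:
my $now   = time;
my $token = issue_token('sess-abc123', $now);
print check_token('sess-abc123', $token,   $now)        ? "valid\n" : "rejected\n";
print check_token('sess-other',  $token,   $now)        ? "valid\n" : "rejected\n";  # wrong session
print check_token('sess-abc123', $token,   $now + 7200) ? "valid\n" : "rejected\n";  # expired
print check_token('sess-abc123', 'forged', $now)        ? "valid\n" : "rejected\n";  # malformed
```

The session id should come from a server-side session (a cookie that is itself not predictable), not from a form field, otherwise an attacker simply supplies a matching pair. A Referer or Origin check can still be layered on top as a cheap first filter, but the token is the check that actually decides.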