The HTTP_REFERER (all the HTTP_xxxxxx) headers are optional, may or may not be set, and can be faked (the popular phproxy web proxy script sets the HTTP_REFERER to be the same as the site being requested so that all requests look like they came from someone already on the site of the page being requested.)
The best you can do is start a session and set a session variable to some known value on the page your form is on and then start/resume the session on your form processing page and check that the session variable exists with the value you expect. This will require that the person (or a script) at least visits the page that your form is on to establish the session.
If you are having a problem with spam content, anything you can do to the form to make sure it is your form submitting to your form processing code can be figured out and bypassed. Your form processing code is the last line of defense. You must also validate all input from the form and detect the spam content or email header injection attempts and discard the submitted data.
If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
Last edited by CFMaBiSmAd; 11-26-2007 at 01:17 AM..
Reason: fixed word