How do I secure the "tell a friend" feature of SunShop 3.5.1?

In Sunshop 3.5.1, the Tell a Friend page allows a user to specify the From address, To email address, subject, and message body.  This allows someone or a scripted robot to send out spam (albeit at a slow rate) through the server without any checks. 

I buttoned this down by removing the subject and message elements, and hardcoding them into the script.  Here's how:

1. Edit the send_to_friend template, and remove the fields for subject and message. 
2. Edit the lang_eng.php file - change the instructions for tellinstructions - it should not mention editing your personal message anymore.
3. In the main index.php , search for this: action == "mailtofriend"

Within that block, add these lines:

eval("\$tofriend['subject'] = \"".addslashes($lang_index[tellsubject])."\";");
eval("\$tofriend['message'] = \"".addslashes($lang_index[tellmessage])."\";");

You can edit the subject and message within the lang_eng.php file, to whatever you like.