After a marathon weekend of coding, I finally finished it (is it ever really finished?)... as expected the logic & functionality was easy, but I had a lot of reading to do about mail() injection.
I think I've plugged the injection holes... at least for the limited type of data I've got it configured to accept (I can afford to be strict and unforgiving).