I have users click on a link sent to their email that takes them to a form (say, register.php) to complete their registration.

I have a check upon form submission in register.php:

if(isset($_POST['submitted']) and $_SERVER['REQUEST_METHOD'] == 'POST') {
    //register user in database
}

My question is: could someone technically circumvent this formal registration process by simply creating a custom http POST request with $_POST['submitted'] set? If so, what's a good way to check for this? I have checks for someone trying to GET to the registration page in an unauthorized manner but I feel like someone POSTing to the page isn't secure enough. Should I even be worried about this if I decide to use HTTPS? I hope this makes sense. Thanks in advance.

The issue you describe is called cross-site request forgery. The attack can be prevented by generating a token, and setting the value of a hidden input in the form to the token. Also, set a session variable to the token value. In your PHP form receiving the post data, check if the session token and the sent token match. If they match, the form came from your site.

Here is another stack overflow question that includes more details about preventing Cross-Site Request Forgery: How to prevent Cross-site request forgery (CSRF) effectively in PHP.

Best way is to install a captcha

https://www.google.com/recaptcha/intro/index.html