Unfortunately, recent experience has shown that not all people are
respectful of the intention of your HTML forms. In fact, the same sorts
who send out spam email also "target" on-line forms, particularly those
with a TEXTAREA, and typically paste in large chunks of text including
links to their websites. They hope that your PHP code will save, and
then display, their material, whatever that may be: a guestbook that
echoes every submission back to visitors is exactly what they are after.
You probably don't want to accommodate them.
I would like to know who in the world is doing a lot of this, so I have
written a PHP function that will test for common properties of form
abuse, including any HTML tags in the text, and if found, will stop
processing, send a short "sorry" message to the perpetrator, and
also log the occurrence in my abuse log file. I can then ban the IP
addresses of repeat offenders (some will try hundreds of times!).
What I want you to do, especially if
you display any "guestbook" results, is to add these two lines
to your code that processes form results (before you store them):
require_once ('/home/jensen/abuse.php'); // log all questionable submissions
abuse($whatever_textarea_string);
The first argument of abuse() is the string coming from your textarea;
the optional second argument is the maximum comment length you want to
allow, which defaults to 1000 characters.
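To make the behaviour described above concrete, here is an added illustration of what such an abuse() function can look like. It is not the abuse.php from /home/jensen, only an example written for this page: the function name and arguments follow the description above, while the log file location (abuse.log next to the script), the log line format, the "more than two links" threshold and the exact tag-matching pattern are assumptions.

```php
<?php
// Added example, not the author's abuse.php. Implements the behaviour
// described on the page: reject oversized comments and anything with an
// HTML tag, log the attempt (with the client IP, so repeat offenders can
// be banned), send a short "sorry" message and stop processing.

// Assumed log location; adjust to a directory the web server can write to.
define('ABUSE_LOG', __DIR__ . '/abuse.log');

// Returns null for an acceptable comment, otherwise a short reason string.
function abuse_reason(string $text, int $maxlen = 1000): ?string
{
    // 1. Oversized comments. The page's default limit is 1000 characters.
    if (strlen($text) > $maxlen) {
        return 'too long (' . strlen($text) . " > $maxlen)";
    }

    // 2. Any HTML tag at all. A plain-text guestbook has no use for markup,
    //    so even an innocent <b> is grounds for rejection. The pattern needs
    //    a letter right after "<" (or "</"), so "x < y and a > b" passes.
    if (preg_match('~</?[a-z][a-z0-9]*(\s[^>]*)?/?>~i', $text)) {
        return 'contains an HTML tag';
    }

    // 3. Bare URLs are the usual payload even without tags. Assumed
    //    threshold: more than two links in one comment.
    if (preg_match_all('~https?://|\bwww\.~i', $text) > 2) {
        return 'too many links';
    }

    return null; // looks like a normal comment; caller may store it
}

// Drop-in for the call shown on the page: abuse($whatever_textarea_string);
function abuse(string $text, int $maxlen = 1000): void
{
    $reason = abuse_reason($text, $maxlen);
    if ($reason === null) {
        return;
    }

    // One log line per attempt: time, IP, reason, short sample. Whitespace
    // (including newlines) is collapsed so a submission cannot forge extra
    // log lines. Behind a reverse proxy REMOTE_ADDR is the proxy's address.
    $ip     = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $sample = substr(preg_replace('/\s+/', ' ', $text), 0, 80);
    $line   = sprintf("%s %s %s \"%s\"\n", date('c'), $ip, $reason, addslashes($sample));
    file_put_contents(ABUSE_LOG, $line, FILE_APPEND | LOCK_EX);

    // Stop here: nothing is stored, nothing is displayed.
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Sorry, your submission was not accepted.\n";
    exit;
}

// Typical use in a guestbook handler, before anything is saved:
//
//   require_once __DIR__ . '/abuse.php';
//   $comment = $_POST['comment'] ?? '';
//   abuse($comment);            // never returns for an abusive comment
//   save_comment($comment);     // your own storage code
//
// and when displaying stored comments later:
//
//   echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
```

Two notes on using something like this. The tag check is a spam heuristic, not an XSS defence: whatever you do store and later display must still go through htmlspecialchars() on output, because a comment with no "<" in it today can still be mangled or re-encoded before it reaches a browser. And since the function ends the request with exit, it has to be called before the comment is written anywhere, which is why the page says to put the two lines ahead of your storage code.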