Keeping out malicious code

mcl

I have a "contact me" form which allows users to send comments. The form uses three fields: name, email, and comments.

It's the "comments" field I need help with ...

Occasionally I get some junk coming through that contains URL's, or whatnot, and I'd like to filter those things out. (I can't tell if these junk contacts are human or machine generated). Ideally, I want to recognize the content and kill the process, perhaps redirecting the user.

Can this be done w/ preg_match_all ?

I'm trying to disallow chars such as "<", ">", and "@". If those chars show up, then it's not someone I want to contact, or want contacting me.

Further, I'd like the limit the length af any comment to 500 chars to prevent someone froom flooding the data field.

Thanks - Mark

Weedpacket

[man]strlen[/man] can be used to get the length of a string. [man]strpos[/man] can be used to tell if and where a character appears in a string. Yes you can use preg_match (no need to use preg_match_all) to check for several characters at once.

_theworks

Validating any kind of user input is important.

[man]Trim[/man] will trim out whitespace and other uneeded cr*p and
[man]strip_tags[/man] will get rid of any nasty php or html.

to limit the amount of characters in a string will be a simple [man]if[/man] construct

<?
if (strlen($string_2_validate) < 256) {

//string validation here

} else {

echo 'im sorry the string is too long..';

}
?>