One of my webpages includes a php form with fillable fields and I get a lot of spam responses. All of these spam responses include http addresses in the field marked "Miscellaneous Info". How do I prevent any forms with "http" in this field from getting sent to me?
On the client side you could use the 'pattern' attribute along with a regular expression to disallow the http (requires HTML5 form elements).
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input#attr-pattern
You should also do something similar on the server side to check as well.
I don't understand. Here is the code as it stands. What can I add to it to disallow the word "http" from being accepted?
<label for="Miscellaneous">Miscellaneous Info</label>
<textarea name="Miscellaneous" cols="32" id="Miscellaneous"></textarea>
You could test the form field for http and HTTP and do something based on whether that block of text contains an instance of either or both of those. Instead of echoing "Go Away" you could just exit the script at that point so it won't send anything.
Example
<?php
// Only run the check when the field was actually submitted (avoids an
// "undefined index" notice on a plain GET of the page).
if (!empty($_POST['name'])) {
    $name = $_POST['name'];
    // \b makes this match "http"/"HTTP" only as a whole word.
    if (preg_match("~\bhttp\b~", $name) or preg_match("~\bHTTP\b~", $name)) {
        echo "Go Away";
    } else {
        echo "Hello " . $name;
    }
}
?>
<form name="feedback" method="post" action="">
    <label for="name">Name
        <input type="text" name="name">
    </label>
    <input type="submit" name="submit" value="submit">
</form>
Where do I insert that code?
sneedbreedley wrote:
Where do I insert that code?
Well, you would include it in the php code that processes your form. Are you using php?
In the script you will most likely be getting the information from the Miscellaneous form field.
You then check what is being passed before either allowing it to go through or stopping the script.
<?php
$Miscellaneous = $_POST['Miscellaneous'];
// Stop the script if the field contains "http" or "HTTP" as a whole word.
if (preg_match("~\bhttp\b~", $Miscellaneous) or preg_match("~\bHTTP\b~", $Miscellaneous)) {
    exit;
} else {
    echo "Hello " . $Miscellaneous;
}
?>
Can you post your php script here?
This is all there is:
<?php include 'form-base.php';?>
sneedbreedley wrote:
This is all there is:
<?php include 'form-base.php';?>
Open the 'form-base.php' file and see what's in it.
<p>Please fill out all the following items and then hit SUBMIT at the bottom of the page.<br>
<br>
<span class="nowrap">
<label for="Dealer Code">Dealer Code (If Known)</label>
<input name="Dealer Code" type="text" id="Dealer Code" size="30">
</span><br>
<br>
<span class="nowrap">
<label for="Miscellaneous">Miscellaneous Info</label>
<textarea name="Miscellaneous" cols="32" id="Miscellaneous"></textarea>
</span><br>
<label for="Manufacturing Plant"> Manufacturing Plant</label>
<input name="Manufacturing Plant" type="text" id="Manufacturing Plant">
</p>
<p>
<label for="Unit Number"> Unit Number</label>
<input type="text" name="Unit Number" id="Unit Number">
</p>
<p>
<label for="Interior Trim & Seat Type"> Interior Trim & Seat Type</label>
<input type="text" name="Interior Trim and Seat Type" id="Interior Trim and Seat Type">
</p>
<p>
<label for="Body Color (Lower & Upper)">Body Color (Lower & Upper)</label>
<input type="text" name="Body Color (Lower and Upper)" id="Body Color (Lower and Upper)">
</p>
<p>
<label for="Accessory Codes (optional)"> Accessory Codes (optional)</label>
<input type="text" name="Accessory Codes (optional)" id="Accessory Codes (optional)">
</p>
<p>
<label for="Rear Axle Ratio"> Rear Axle Ratio</label>
<input type="text" name="Rear Axle Ratio" id="Rear Axle Ratio">
</p>
Nope, that is not php form processing code.
What page is the form information sent to when you click the submit button? It must go to a processing page. What's in the action="" of the form?
<?php
if ($_POST) {
    if (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
        echo ('<div style="background-color:red;padding:10px;color:#fff;font-size:16px;">
        <b>' . $_POST['email'] . '</b> Email is not valid. Return to previous page and enter a valid email.
        </div>');
    } else {
        $body = "";
        foreach ($_POST as $param_name => $param_val) {
            $body .= "$param_name: $param_val\n";
        }
        $headers = 'From: ' . $_POST['email'];
        if (mail("[email address removed by Mod]", "Contact form submitted.", $body, $headers)) {
            header('Location: http://www.winvoices.com/success.php');
        } else {
            $message = 'Sorry an error occurred. Please try again later.';
        }
    }
}
?>
Include the code marked in red below. It tests the Miscellaneous form field for any instances of 'http' or 'HTTP'. If it finds any, the script stops running ('exit').
It's best to try it out by inputting http or HTTP in the form field - you should get a blank page and no email sent through.
<?php
if ($_POST) {
    if (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
        echo ('<div style="background-color:red;padding:10px;color:#fff;font-size:16px;">
        <b>' . $_POST['email'] . '</b> Email is not valid. Return to previous page and enter a valid email.
        </div>');
    } else {
        $body = "";
        // --- added lines (marked in red in the original post) ---
        $Miscellaneous = $_POST['Miscellaneous'];
        if (preg_match("~\bhttp\b~", $Miscellaneous) or preg_match("~\bHTTP\b~", $Miscellaneous)) {
            exit;
        }
        else {
        // --- end of added lines ---
            foreach ($_POST as $param_name => $param_val) {
                $body .= "$param_name: $param_val\n";
            }
        }
        $headers = 'From: ' . $_POST['email'];
        if (mail("[email address removed by Mod]", "Contact form submitted.", $body, $headers)) {
            header('Location: http://www.winvoices.com/success.php');
        } else {
            $message = 'Sorry an error occurred. Please try again later.';
        }
    }
}
?>
That works great, However if the http appears attached to other letters, it goes through. For example ahttpa. But I don't think that will be a problem.
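The accepted check above uses "~\bhttp\b~", which only matches "http" as a whole word, so "ahttpa" (and a scheme-less "www." link) passes. The following is an added example, not code from the thread, of a case-insensitive substring check that closes that gap and also tolerates a missing field without a PHP notice. The field names are the form's own; the sample submissions are constructed for the demo, and the "www." rule goes slightly beyond what the thread asked for. One caveat worth knowing: the client-side `pattern` attribute suggested earlier applies to `<input>` elements only and does nothing on a `<textarea>`, so the server-side check is the one that actually protects the mailbox.

```php
<?php
declare(strict_types=1);

// Added example (not the thread's code). Field names match the form above;
// the sample submissions below are constructed for the demo.

/**
 * True when the text contains anything that looks like a link.
 * stripos() is a case-insensitive substring test, so "HTTP", "https://"
 * and "ahttpa" are all caught, unlike the word-boundary regex "~\bhttp\b~".
 * The second test catches scheme-less "www." links that the first misses.
 */
function containsLink(string $text): bool
{
    if (stripos($text, 'http') !== false) {
        return true;
    }
    return preg_match('~\bwww\.~i', $text) === 1;
}

/**
 * Validate a submitted form array and return a list of error strings.
 * An empty array means the submission is acceptable.
 */
function validateSubmission(array $post): array
{
    $errors = [];

    // filter_var() instead of filter_input() so this also runs outside a web request.
    $email = (string)($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not valid.';
    }

    // A missing field is treated as empty rather than raising a PHP notice.
    $misc = (string)($post['Miscellaneous'] ?? '');
    if (containsLink($misc)) {
        $errors[] = 'Links are not allowed in Miscellaneous Info.';
    }

    return $errors;
}

// Constructed sample submissions for the demo.
$samples = [
    'legit'      => ['email' => 'user@example.com', 'Miscellaneous' => 'Dealer code unknown, built 1967.'],
    'spam-upper' => ['email' => 'bot@example.com',  'Miscellaneous' => 'Buy now at HTTP://spam.example/'],
    'spam-glued' => ['email' => 'bot@example.com',  'Miscellaneous' => 'ahttpa'],
    'spam-www'   => ['email' => 'bot@example.com',  'Miscellaneous' => 'visit www.spam.example today'],
    'bad-email'  => ['email' => 'not-an-address',   'Miscellaneous' => ''],
];

foreach ($samples as $label => $post) {
    $errors = validateSubmission($post);
    printf("%-11s %s\n", $label, $errors ? 'REJECT: ' . implode(' ', $errors) : 'accept');
}
```

In the real handler, call `validateSubmission($_POST)` before `mail()` and stop (or show the errors) when the returned array is non-empty; showing a short message instead of a blank page makes it easier to tell a blocked submission from a broken script.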
I have removed the email address from the posts to stop these being harvested. I was in two minds whether to do so because when I go to the website, I see that the email address is left unprotected as in
<a href="mailto:[emailaddress]">[emailaddress]</a>
Google 'email obfuscating' for more info. Also have a look at Email Address Encoder
Thanks Ben, I should have done that before posting.
You guys are fantastic! I will use that encoding tool on all my websites.
Ideally you should have a form processing script that validates form fields for correct entries, sanitizes form input fields and thwarts spam so robots can't exploit your forms. What you have now is not adequate.
If you can't do this yourself, hire someone who can. Or use a 3rd party service like Wufoo. If you don't lock things down properly, spam bots will use your server as a spam relay. And trust me, you don't ever want that to happen because your site will get blacklisted for spamming.
Nancy
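As an added example (not the thread's code) of what the post above calls for, applied to this thread's form: an allow-list of the fields that get copied into the mail (the current script emails every posted field, whatever a bot adds), sanitizing of anything that goes into a mail header so a submission cannot add headers of its own, a fixed From: address, and a honeypot field that automated submitters tend to fill in. It assumes a hidden input named "website" is added to the form and uses a placeholder sender address; the sample submissions are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. The honeypot field name "website",
// the sender address and the sample submissions are assumptions/constructed.

// Only these fields are copied into the email; anything else a bot posts is ignored.
const ALLOWED_FIELDS = [
    'email', 'Dealer Code', 'Miscellaneous', 'Manufacturing Plant', 'Unit Number',
    'Interior Trim and Seat Type', 'Body Color (Lower and Upper)',
    'Accessory Codes (optional)', 'Rear Axle Ratio',
];
const HONEYPOT_FIELD = 'website';   // hidden via CSS in the form; people leave it empty
const MAX_FIELD_LENGTH = 2000;

/** Header values must never contain CR, LF or NUL; mail() would treat them as a new header line. */
function safeHeaderValue(string $value): string
{
    return str_replace(["\r", "\n", "\0"], '', $value);
}

/**
 * Build the mail parameters for a submission, or return null when it should be dropped.
 * Returns ['subject' => ..., 'body' => ..., 'headers' => ...].
 */
function buildMessage(array $post): ?array
{
    // 1. Honeypot: a filled hidden field means an automated submission.
    if (trim((string)($post[HONEYPOT_FIELD] ?? '')) !== '') {
        return null;
    }

    // 2. Validate the email; FILTER_VALIDATE_EMAIL also rejects CR/LF inside the address.
    $email = (string)($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // 3. Copy only allow-listed fields, with a length cap per field.
    $body = '';
    foreach (ALLOWED_FIELDS as $field) {
        $value = (string)($post[$field] ?? '');
        if (strlen($value) > MAX_FIELD_LENGTH) {
            return null;
        }
        $body .= $field . ': ' . $value . "\n";
    }

    // 4. Fixed From: on our own domain so the mail is not sent "as" the visitor;
    //    the visitor's address goes in Reply-To after header sanitizing.
    $headers = "From: forms@example.com\r\n"          // placeholder sender address
             . 'Reply-To: ' . safeHeaderValue($email) . "\r\n";

    return ['subject' => 'Contact form submitted.', 'body' => $body, 'headers' => $headers];
}

// Constructed sample submissions for the demo.
$samples = [
    'human'            => ['email' => 'owner@example.com', 'Dealer Code' => '12345',
                           'Miscellaneous' => 'Restoration project', 'website' => ''],
    'bot-honeypot'     => ['email' => 'bot@example.com', 'website' => 'filled by a script'],
    'bot-header-crlf'  => ['email' => "bot@example.com\r\nBcc: someone@example.net", 'website' => ''],
    'bot-extra-fields' => ['email' => 'bot@example.com', 'website' => '', 'Bcc' => 'someone@example.net'],
];

foreach ($samples as $label => $post) {
    $msg = buildMessage($post);
    printf("%-17s %s\n", $label, $msg === null
        ? 'dropped'
        : 'would send, body has ' . substr_count($msg['body'], "\n") . ' fields');
}
```

In the handler this replaces the `foreach ($_POST ...)` loop and the `'From: ' . $_POST['email']` header: call `buildMessage($_POST)`, stop with an error page when it returns null, and otherwise pass `subject`, `body` and `headers` to `mail()` with the fixed recipient address. The "bot-extra-fields" sample still sends, but its extra "Bcc" field never reaches the message because only allow-listed fields are copied.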
<input type="url" name="homepage" pattern="[A-Za-z]{3}">
The pattern attribute you would replace with one to disallow the http.
To use reg ex see -
http://www.w3schools.com/js/js_regexp.asp
I think the reg ex would be -
(([\w-]+\.)+[\w-]+(/[\w- ;,./?%&=]*)
But I am not certain, maybe someone else can check this please?