Thanks for the link. I've looked at lots of articles like that. I don't want to sanitize, I want to prevent. Shouldn't the code be as simple as

$comments = $_REQUEST['comments'];
if ($comments contains any code or links like <a href = or anything like that) { GoTo error page } else post the comment to the database

Obviously this isn't code, it's the idea. I have code that checks for valid e-mail addresses. Sometimes I do that with Spry, sometimes with PHP validation. Come to think of it, a Spry validation script that checked for malicious code would be a very elegant solution. If anyone has any ideas, please let me know. Preventing this kind of problem should be easier than loading up something like htmlpurifier 4.0 (a ton of code) that, as far as I can tell, sanitizes the code, which I don't want, rather than simply preventing HTML or Java special characters from being added to the text.
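As an added example (not the poster's code), here is what the "reject instead of clean" idea looks like as real PHP validation, paired with the output-side escaping a defender still applies because a reject-list on input does not cover every context the stored text is later rendered in. The function names, the 4000-character limit and the error page path are assumptions.

```php
<?php
// Added example, not the original poster's code. Names and limits are assumptions.

/**
 * Return true only if $comment is plain text: valid UTF-8, a sane length,
 * no HTML-significant characters and no control characters.
 * Anything else is rejected outright rather than cleaned up.
 */
function comment_is_plain_text(string $comment): bool
{
    // Check the encoding first so the character tests below are meaningful.
    if (!mb_check_encoding($comment, 'UTF-8')) {
        return false;
    }
    if ($comment === '' || mb_strlen($comment, 'UTF-8') > 4000) {
        return false;
    }
    // '<' and '>' open and close tags; '&' starts an entity, so rejecting it
    // also blocks encoded variants such as &lt;script&gt;.
    if (preg_match('/[<>&]/u', $comment)) {
        return false;
    }
    // Control characters other than tab, newline and carriage return.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', $comment)) {
        return false;
    }
    return true;
}

/**
 * Escape a stored comment for insertion into an HTML body. Quotes are left
 * alone by the validator on purpose; ENT_QUOTES handles them here, which is
 * what keeps the text safe if it is ever placed inside an attribute.
 */
function render_comment(string $comment): string
{
    return nl2br(htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Request handling: reject and redirect, as proposed above, instead of cleaning.
$comments = $_POST['comments'] ?? '';
if (!comment_is_plain_text($comments)) {
    header('Location: /error.php'); // assumed error page
    exit;
}
// Store $comments with a prepared statement; display it via render_comment().
```

A client-side Spry check can give users faster feedback, but it runs in the browser and can be bypassed, so the server-side check above is the one that counts.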