soccer022483 Posted February 28, 2006
I have a comment textarea on a form. To validate it I'm going to use PHP regular expressions. Anyone know a good reg exp to use? Or what characters should I allow/not allow? The only ones I was thinking would cause problems are "<" and ">". That would prevent HTML and PHP and others. Your comments/suggestions?

AndyB Posted February 28, 2006
The strip_tags() might do all you need.

soccer022483 (Author) Posted February 28, 2006
That's an interesting idea. But should I alert the user that what they entered is invalid, or just strip the tags without them knowing?

XenoPhage Posted February 28, 2006
Be careful, however. This strips tags, but does not strip quotes. If you're storing the comment in a database, you could open yourself up to a security problem. I urlencode the strings before storing them in the database, then use the following to display it later (note, I use smarty templates, but this should work for straight php as well):

    // "Fix" the free-form text and assign it to the template
    if (get_magic_quotes_gpc()) {
        $smarty->assign('impact', stripslashes(urldecode($impact)));
    } else {
        $smarty->assign('impact', urldecode($impact));
    }

XenoPhage

kenrbnsn Posted February 28, 2006
You don't need to do the urlencode/urldecode routine if you use the mysql_real_escape_string() function (http://www.php.net/mysql_real_escape_string) when you put the data into the database.

Ken
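
The points raised in this thread combined into one flow, as an added example that is not part of the original posts: reject tag-like input and tell the user, store the text through a bound parameter so quotes stay data, and encode only when printing into HTML. It uses PDO prepared statements with an in-memory SQLite database (so it runs offline) in place of mysql_real_escape_string(), which was removed in PHP 7.0; validate_comment(), the comments table and the sample strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

// validate_comment() is a hypothetical helper name, not from the thread.
// It reports problems instead of silently altering what the user typed.
function validate_comment(string $raw, int $maxLen = 2000): array
{
    $comment = trim($raw);
    $errors = [];
    if ($comment === '') {
        $errors[] = 'Comment is empty.';
    }
    if (strlen($comment) > $maxLen) {
        $errors[] = 'Comment is too long.';
    }
    // If strip_tags() changes the text, the user typed something tag-like.
    if (strip_tags($comment) !== $comment) {
        $errors[] = 'HTML/PHP tags are not allowed.';
    }
    return [$comment, $errors];
}

// Constructed sample: no tags, but quotes that strip_tags() leaves untouched.
$input = "It's a \"great\" post";
[$comment, $errors] = validate_comment($input);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

if ($errors === []) {
    // Bound parameter: the quotes are stored as data, never parsed as SQL.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// The stored text is exactly what the user typed; no urlencode round trip needed.
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $input);

// Encode at output time, for the HTML context the comment is printed into.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// A comment containing markup is reported back to the user, not stored.
[$ignored, $errors] = validate_comment('<b>bold</b> text');
print_r($errors);
```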