The first rule is to NEVER rely on anything that they give you, or any of the security precautions in your form code, because someone can always create a less-secure form which posts to the same script.
So, whilst maxlength='4' for a year select thing is great, you should check at the other end that a) it is only four digits b) it is_numeric().

TEXTAREAs don't even have a max length from memory, so if you want to limit to n characters, that's easy using strlen() to check it, or substr() to chop it.

For 50 words (as per your OP), you can check it with:

<?
// split the posted text on spaces and count the pieces
$words = explode(' ', $_POST['about_me']);
if(count($words) > 50) {
    // error
} else {
    // good
}
?>

or chop it with

<?
$text = $_POST['about_me'];
$words = explode(' ', $text);
if(count($words) > 50) {
    // rebuild the text from the first 50 words only
    $text = '';
    for($i=0;$i<50;$i++) {
        $text .= "{$words[$i]} ";
    }
    $text .= "... [too long]";
}
echo $text;
?>

Untested, season to taste.

And yes, definitely strip_tags(), and follow the advice on the rest of the thread.

BTW: Allowing some tags with strip_tags() offers a great security risk: let's say you allow <b> tags -- then I can go:

<b onmouseover='javascript:window.close();'>hahahaha</b>

-- not good!!

Justin

on 20/03/03 11:18 AM, rotsky ([EMAIL PROTECTED]) wrote:

> I'd like to canvas opinions about what's needed to clean user input. I'm
> using an HTML form where users enter simple things like name and phone
> number, but also a couple of small text areas for address and a message (up
> to 50 words or so).
>
> How would people recommend cleaning this data when it's received (via
> $_POST) in the next page? Some fields (like email) I can check against a
> template using ereg(), but the text areas pose more of a problem. I assume
> running strip_tags() might be a wise precaution, and maybe also
> htmlentities(). Anything else?
>
> I'd be interested to hear what other people do.
>
> a+
> Steve
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
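The checks Justin describes (a server-side four-digit year test, a 50-word limit on the textarea, strip_tags() on input, and the problem with an allowlist of tags) collected into one runnable script. This is an added example, not code from the original thread; the function names, the "about_me" and "year" field names, and the sample input standing in for $_POST are assumptions.

```php
<?php
// Added example (not from the original post). Field names and helpers are
// assumptions; the sample input below is constructed, not real form data.

// Validate a four-digit year on the server, independent of any client-side maxlength.
function valid_year(string $year): bool
{
    return preg_match('/^\d{4}$/', $year) === 1;
}

// Keep at most $max words; splitting on whitespace runs avoids counting the
// empty strings that explode(' ', ...) produces for double spaces.
function limit_words(string $text, int $max = 50, string $marker = '... [too long]'): string
{
    $words = preg_split('/\s+/', trim($text), -1, PREG_SPLIT_NO_EMPTY);
    if (count($words) <= $max) {
        return implode(' ', $words);
    }
    return implode(' ', array_slice($words, 0, $max)) . ' ' . $marker;
}

// Free text: strip every tag on input (no allowlist), limit length, escape on output.
function clean_free_text(string $text, int $max_words = 50): string
{
    $text = strip_tags($text);
    $text = limit_words($text, $max_words);
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for $_POST. The about_me value carries the same kind of
// event-handler attribute the post warns about, plus more than 50 words.
$sample_post = [
    'year'     => '2003',
    'about_me' => "I like <b onmouseover='javascript:window.close();'>PHP</b> "
                  . str_repeat('word ', 60),
];

// strip_tags() with an allowlist keeps the permitted tag together with its
// attributes, so the onmouseover handler survives.
$kept = strip_tags($sample_post['about_me'], '<b>');
echo "allowlist keeps onmouseover: "
    . (strpos($kept, 'onmouseover') !== false ? 'yes' : 'no') . "\n";

// Stripping all tags and escaping on output leaves no markup at all.
echo "year ok: " . (valid_year($sample_post['year']) ? 'yes' : 'no') . "\n";
echo "year '20x3' ok: " . (valid_year('20x3') ? 'yes' : 'no') . "\n";
echo clean_free_text($sample_post['about_me']) . "\n";
```

The first echo prints "yes": strip_tags() only removes tags that are not in the allowlist, it never touches attributes on the tags it keeps, which is exactly why allowing <b> lets the handler through. The rest of the output shows the year check accepting "2003" and rejecting "20x3", and the textarea reduced to plain, escaped text cut at 50 words with the "... [too long]" marker appended.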