I am pretty new to this and have been searching the web for hours for a solution. I have viewed many validation tactics, but can't seem to find exactly what I am looking for. I would like to write a script to prohibit any HTML from being in a textarea field whatsoever in our form. We are getting a lot of spam right now. Below is our form. Thanks for any help you can give or a point in the right direction.

<form method="post" action="/process.php" name="form" target="_blank">
  <input type="hidden" name="id" value="product-id">
  How do you rate this item?
  <select name="rating">
    <option value="" selected="selected">-</option>
    <option value="5">5 stars</option>
    <option value="4">4 stars</option>
    <option value="3">3 stars</option>
    <option value="2">2 stars</option>
    <option value="1">1 stars</option>
  </select><br>
  Your Name:<br>
  <input name="reviewname" type="text" size="35"><br>
  Your Location (City, State)<br>
  <input name="location" type="text" size="35"><br>
  Type your review in the space below:<br>
  <textarea name="text" rows="5" cols="40"></textarea><br>
  <input type="submit" value="submit">
  <input type="hidden" name=".autodone" value="product-id" />
</form>
This protection must be done in process.php with strip_tags or a similar function in PHP. A bot is like a browser without JS activated, so any JS protection is useless.
You should definitely do server-side validation on any input entered, regardless of what client-side validation you have. However, if you want to prevent HTML being entered into a textarea, I recommend having a look at TMT Validator (search for it on Google; I can't link to it). It has options to prevent HTML input as well as a load of other validators.
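The server-side check both replies point to, sketched as an added example that is not code from any poster in this thread: it rejects a submission when a free-text field contains markup, using the strip_tags comparison suggested above. The function names `contains_html` and `validate_review` are hypothetical, the field names come from the form in the question, and PHP 7 or later is assumed.

```php
<?php
// Added example (hypothetical helper names); field names are taken from the form above.

// True when the value contains anything strip_tags() would remove.
function contains_html(string $value): bool
{
    // Decode entities first so markup sent as &lt;a href=...&gt; is caught as well.
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strip_tags($decoded) !== $decoded;
}

// Returns a list of error messages; an empty list means the submission is acceptable.
function validate_review(array $post): array
{
    $errors = [];

    // The rating must be one of the values the <select> offers.
    if (!in_array($post['rating'] ?? '', ['', '1', '2', '3', '4', '5'], true)) {
        $errors[] = 'Invalid rating.';
    }

    // Free-text fields: refuse the whole submission if any of them carries markup.
    foreach (['reviewname', 'location', 'text'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {               // e.g. text[]=x arrives as an array
            $errors[] = "Invalid value for $field.";
        } elseif (contains_html($value)) {
            $errors[] = "HTML is not allowed in $field.";
        }
    }
    return $errors;
}

// Constructed sample submissions, so the script also runs from the command line.
$samples = [
    'clean' => ['rating' => '5', 'reviewname' => 'Ann', 'location' => 'Austin, TX',
                'text' => 'Arrived quickly, works well.'],
    'spam'  => ['rating' => '5', 'reviewname' => 'Bob', 'location' => 'Reno, NV',
                'text' => 'Cheap pills <a href="http://spam.example/">here</a>'],
];
foreach ($samples as $label => $post) {
    $errors = validate_review($post);
    echo $label, ': ', $errors ? implode(' ', $errors) : 'accepted', PHP_EOL;
}
```

In process.php the same function would be called as `validate_review($_POST)` before anything is stored. Reviews that pass should still be escaped with `htmlspecialchars()` when they are displayed.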