If I have varchar set to, say, (20), does it matter if the form allows for more? And this form is going to be in the access panel and probably in a password-protected folder. Will that provide more security?
MySQL will automatically truncate -- beware that some other SQL engines will throw an error instead, but on MySQL there's no problem, it just chops off the extra -- but beware that it will just chop off the extra, as that too can cause... issues. That's why you put it on the form as a reminder, but don't rely on it server side; if using MySQL, set the field size to the limit you want, or on other engines manually chop it off. If it's in an admin panel under lock and key, I'd go ahead and not bother with stripping out markup, since you might want to add markup to it. If it were public, I'd run strip_tags on the $_POST values when plugging them into the arrays, and maybe even htmlspecialchars on them so as to strip out any code the user might have entered. There's a reason things like forums escape markup to show it as plaintext (htmlspecialchars) and then use various regexes to implement bbCode instead.
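As an added example (not code from the thread above), here is what "don't rely on the form, chop it off server side" looks like in PHP. It assumes a table named `posts` with `subject` and `category` columns declared VARCHAR(20), a PDO connection in `$pdo`, and the mbstring extension; all of those names are assumptions for illustration. It clamps the length in PHP rather than letting MySQL do it, because whether MySQL silently truncates or rejects the row depends on the server's sql_mode (with STRICT_TRANS_TABLES, the default since MySQL 5.7, an over-long value fails the INSERT with error 1406 instead of being chopped).

```php
<?php
// Added example, not code from the original thread. Assumed names: table
// `posts` (subject VARCHAR(20), category VARCHAR(20)) and a PDO handle $pdo.
declare(strict_types=1);

// Field limits matching the VARCHAR sizes in the (assumed) table definition.
const FIELD_LIMITS = ['subject' => 20, 'category' => 20];

/**
 * Validate and normalise posted fields on the server. The form's maxlength
 * is only a reminder: a client can send anything, so the clamp lives here.
 * Returns [cleanValues, errors].
 */
function sanitizeFields(array $post, array $limits, bool $public = true): array
{
    $clean = [];
    $errors = [];
    foreach ($limits as $name => $limit) {
        $value = (isset($post[$name]) && is_string($post[$name])) ? trim($post[$name]) : '';
        if ($public) {
            // Public form: drop markup entirely, as the answer suggests.
            // In a locked-down admin panel you might skip this and keep markup.
            $value = strip_tags($value);
        }
        if (mb_strlen($value, 'UTF-8') > $limit) {
            // Explicit truncation with mb_substr so a multibyte character is not
            // cut in half; this does not depend on MySQL's sql_mode.
            $errors[$name] = "$name longer than $limit characters; truncated";
            $value = mb_substr($value, 0, $limit, 'UTF-8');
        }
        $clean[$name] = $value;
    }
    return [$clean, $errors];
}

/** Insert with a prepared statement; never build the INSERT by concatenation. */
function insertPost(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO posts (subject, category) VALUES (:subject, :category)'
    );
    $stmt->execute([
        ':subject'  => $clean['subject'],
        ':category' => $clean['category'],
    ]);
}

/** Escape on output so stored text is shown as plain text, not rendered as HTML. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$samplePost = [
    'subject'  => '<b>Hello</b> world, this is far longer than twenty characters',
    'category' => 'news',
];

[$clean, $errors] = sanitizeFields($samplePost, FIELD_LIMITS, true);

if (isset($pdo)) {          // only runs when a real connection is configured
    insertPost($pdo, $clean);
}
foreach ($errors as $msg) {
    echo 'warning: ' . h($msg) . PHP_EOL;
}
echo 'Subject: ' . h($clean['subject']) . PHP_EOL;
```

The split here is deliberate: `strip_tags` runs on the way in (for a public form), while `htmlspecialchars` runs on the way out, when the value is put into a page. Escaping at output time is what lets a forum store the user's text verbatim, display it as plain text, and still apply its own bbCode rendering afterwards.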
In response to trentdog:

```html
<form action="insert.php" method="post">
subject: <input type="text" name="subject">
category: <input type="text" name="category">
<input type="submit">
</form>
```