Hi Webmasters,
How does a person make sure that malicious users don't insert malicious code into <textarea> fields on forms? I'm not sure I understand how you could validate this field. I am developing form letters that use <textarea> fields and I'd like to ensure that I'm not opening our webserver for attack (or making the data inserted open to others).

Here's more details:
The form input gets sent via POST to a second php page. This second php page reads a .rtf (rich text format) file (as text) into a php variable.

Code:
//open the rtf file, read-only
$fp = fopen ( $filenameInitial, "r" );

//read our template into a variable
$output = fread( $fp, filesize( $filenameInitial ) );

It then performs a search/replace for different placeholders that I've put in the .rtf file. They look like this... <<placeholder>>. This placeholder is replaced by a text which the user just typed into the web form.

Code:

// close the connection to the rtf file
fclose ( $fp );

// inside php script, replace the placeholders in the template with our data
$output = str_replace( "<<Name>>", $Name, $output );

Then I send the output to the browser screen.

Code:
// send the generated document to the browser
echo $output;

***This information doesn't get placed in a database. It simply gets pushed back into an rtf file which the user is allowed to download. They then open it in their favorite flavor of word processor.

People would be accessing this form via our public website, so no authentication would be asked of the users.

Thanks in advance for your feedback.