Securing an Email Form


JonnyQ888

11:54 am on Sep 21, 2005 (gmt 0)

10+ Year Member



Hey everyone,

Like a lot of people, my site was hit by the form bot 2 days ago. I was wondering if someone could point me in the direction of an email form script that they consider to be secure? I've read the threads on here about it but I'm new to PHP and it went right over my head or I'd try to fix the script I wrote. It was also suggested that I ask about using regular expressions to enhance security. What does that mean? Thanks.

brakthepoet

7:54 pm on Sep 22, 2005 (gmt 0)

10+ Year Member



I've been working through the same issue. There is a tutorial in the Apache forum about regular expressions.
[webmasterworld.com ]

I'm not sure that I have the full answer yet to the security questions, but these two threads are helping.
[webmasterworld.com ]
[webmasterworld.com ]

If all else fails, there is the NMS FormMail script to fall back on. It's a well tested and secure Perl solution. If what you need doesn't have to be PHP, and the PHP stuff still seems over your head, the NMS script is the way to go.

JonnyQ888

12:55 am on Sep 23, 2005 (gmt 0)

10+ Year Member



Thanks, I appreciate your help. I thought my thread was going to be ignored.

Armadillo

3:21 am on Sep 23, 2005 (gmt 0)

10+ Year Member



I also had someone/bot trying to hack my form over the weekend.
It was a "chfeedback" form modified for better security(?). It processed the users name, email, and message.

The hacker or bot put email headers with CC and BCC into the "email" form field. The script uses the submitted "email" form field for the "From" part of the message. As a result, those headers were added to the email below the proper headers.

I got one copy and another copy was stuck in my deadletter file. So, I don't think it worked.

I have since enhanced the security more by hardcoding the To and From parts, putting everything submitted by the user into the message part, and searching it for "To:", "CC:", or "BCC:".

JonnyQ888

3:06 am on Sep 24, 2005 (gmt 0)

10+ Year Member



Actually Brak, I'm a bit hardheaded and couldn't let it go=) I have made a decent form that verifies everything and removes dangerous characters that I could think of. One last thing before I include the image verification is verifying where the visitor came from. Is there a way to make the script check httpref and if they did not come from a page I specify, keep the script from running?

twist

8:12 pm on Sep 24, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Is there a way to make the script check httpref and if they did not come from a page I specify, keep the script from running?

If you're referring to checking the referer, it would cause problems for those who have it disabled. Why not use sessions? Other than that, I am not familiar with httpref.

I honestly have never put a lot of time into my forms, but I have never had that many problems (yet), so I have had no reason to. Here is some of what I use to check forms; not the best, but it seems to work for now.

Email: I got this regex from somewhere, I don't remember where, and modified it a little so it would be a little more relaxed on what it allowed.

First I check the size, I chose 70 as a stopping point,

strlen( $_POST[ 'email_variable' ] ) > 70

Then check the email,

!eregi( "^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", $_POST[ 'email_variable' ] )

For name I just replace characters I would prefer they didn't use and also limited to 70 characters,

preg_replace( '/(\$|\'|\"|\(|\)|\=|\>|\<)/', '_', substr( $_POST[ 'name_variable' ], 0, 70 ) )

For the message,

str_replace( "\n", "<br />", wordwrap( substr( htmlentities( str_replace( "<br />", "", html_entity_decode( trim( $_POST[ 'message_variable' ] ), ENT_QUOTES ) ), ENT_QUOTES ), 0, 8000 ), 60, " ", 1 ) )

Like I said, these aren't the greatest, if someone has improvements let me know. This isn't all the security I use, just what I use to check email, name, and message.

*note, for those seeing the winking smiley face it's ) and replace the ¦ with a solid line (shift+\)
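Putting Armadillo's hard-coded-headers approach and twist's field checks together in one script, as an added example that is not code from the thread: it assumes PHP 7+, form fields named name, email and message, and placeholder addresses at example.com.

```php
<?php
// Added example (not code from the thread). Assumes PHP 7+, form fields named
// 'name', 'email' and 'message', and placeholder addresses at example.com.

const MAX_EMAIL_LEN = 70;
const MAX_NAME_LEN  = 70;
const MAX_MSG_LEN   = 8000;

// Line breaks (raw or URL-encoded) or a header-like prefix are how the CC/BCC
// text in Armadillo's post reaches the mail headers; treat either as hostile.
function looks_like_header_injection(string $value): bool
{
    if (preg_match('/[\r\n]|%0[ad]/i', $value)) {
        return true;
    }
    return (bool) preg_match('/\b(to|cc|bcc|content-type):/i', $value);
}

// Length check plus twist's address pattern, ported from eregi() (removed in
// PHP 7) to preg_match() with the /i flag. Returns the address or null.
function validated_email(string $email): ?string
{
    $email = trim($email);
    if ($email === '' || strlen($email) > MAX_EMAIL_LEN
        || looks_like_header_injection($email)) {
        return null;
    }
    $re = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$/i';
    return preg_match($re, $email) ? $email : null;
}

function send_contact_mail(array $post): bool
{
    $email = validated_email($post['email'] ?? '');
    if ($email === null) {
        return false; // reject the submission rather than "clean" a bad address
    }
    $name    = substr(trim($post['name'] ?? ''), 0, MAX_NAME_LEN);
    $name    = preg_replace('/[\$\'"()=<>]/', '_', $name);
    $message = substr(trim($post['message'] ?? ''), 0, MAX_MSG_LEN);

    // To and From are hard-coded and every submitted value goes into the body,
    // so nothing the visitor typed can become a header. Reply-To is safe
    // because validated_email() already rejected line breaks and colons.
    $to      = 'webmaster@example.com';
    $headers = "From: contact-form@example.com\r\nReply-To: $email";
    $body    = "Name: $name\nEmail: $email\n\n" . wordwrap($message, 60, "\n", true);
    return mail($to, 'Contact form submission', $body, $headers);
}
```

Calling `send_contact_mail($_POST)` from the form handler returns false for any address carrying a line break or a To:/CC:/BCC: prefix, so the injected headers never reach mail().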

JonnyQ888

12:06 am on Sep 25, 2005 (gmt 0)

10+ Year Member



Thanks, Twist. That is essentially what I have done but I also include the Subject along with the others that check for those characters. I don't know anything about sessions but I guess this should be good enough to do the job. Thanks again to everyone.

twist

1:19 am on Sep 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sessions are a unique ID that is created for a visitor on one page and passed along to the next page(s). You could create a session at the beginning of the form link page. If a person tried to connect directly to the form, they wouldn't have a session id and you could send them to the form link page. Not a great explanation of sessions but there are probably a million tutorials online about them.

JonnyQ888

2:28 am on Sep 25, 2005 (gmt 0)

10+ Year Member



Thanks again=)