That would work, but it would leave junk characters in the message. Strip_tags() will remove the tag completely.

<?php
while(comment!= strip_tags($comment)) {
$input = strip_tags($comment);
}
?>

You'd be better off using a captcha script to weed out automated posting.

You'd be better off using a captcha script to weed out automated posting.

Not necessarily [captcha.net]--or at least a captcha may not be sufficient on its own:

Several groups have created programs that can pass many CAPTCHAs over 80% of the time

-b

I like captcha too, but you must understand the accessibility issues that come with it.

[webmasterworld.com...]

You could use htmlspecialchars() function... that would replace the <>'" symbols with ASCII characters, so when comments are displayed, everyone would see exactly what that person has typed :)

we seem to be crossing up 2 seperate issues here

stopping comment spam
you need to add, either, captcha or premoderation for comments

if you want to clean all posts stopping possible XSS and SQL injection then that is a different thing all together.

It wouldn't be a good idea to rely soley on captcha, sql injection or xss can be manually pasted into your form. At a minimum, you'd want to filter all input something like this:
foreach($_POST as $k => $v){
//if you don't want line feeds
$v=preg_replace("/\r*\nŠ%0aŠ%0d/","",$v);
${$k}=htmlspecialchars(mysql_escape_string($v));
}
// usually I specify what I want to pass rather than what to block for example:
$v=preg_replace("/[^a-z0-9!@#$%^&*()_,\.\?\[\]\{\}-/i","",$v);

$v=preg_replace("/[^a-z0-9!@#$%^&*()_,\.\?\[\]\{\}-/i","",$v);
is missing the closing ] should be:
$v=preg_replace("/[^a-z0-9!@#$%^&*()_,\.\?\[\]\{\}-]/i","",$v);

Thanks Everybody for your feedback!

Maybe I am thinking too not far enough; but if I simply filter out the < and the >, there is no way anybody could execute anything, right? No php, no html, no nothing? Or did I miss anything? I am not expecting mass traffic and an e-mail is sent for every comment; so I give it a try. My site is live now. Example for the Comment here:

http://www.example.com/content.html?id=3009 (add a "." after www. Comment form is at the bottom of page)

Feel free to leave a test comment ;-) I am still in the launching phase and can sort them out.

[edited by: coopster at 4:23 pm (utc) on April 17, 2006]
[edit reason] generalized url [/edit]

You might want to have text saying HTML is not allowed. Then check the message for tags and if found, don't display the message at all. If you just filter the tags, spammy text will still remain and ugly up your pages.

I have is so any comment that has the string http,www,> or < in it returns a error, as FourDegreez said you will still get spammers submitting.