Spammers using my quote form

How to stop it?


Lorel

7:05 pm on Oct 8, 2006 (gmt 0)




Spammers have been using my quote form recently to post hundreds of links to their spammy sites.

They put one link in every line where the name, address, etc. goes but in the comment text box there are hundreds of links although I have it set for the only 6 lines of text:

<TEXTAREA NAME="COMMENTS" ROWS=6 COLS=75>

How are they able to force it to take much more text?

Is there a way to prevent that?

iamlost

7:57 pm on Oct 8, 2006 (gmt 0)




From [w3.org]:


rows = number [CN]
This attribute specifies the number of visible text lines. Users should be able to enter more lines than this, so user agents should provide some means to scroll through the contents of the control when the contents extend beyond the visible area.

cols = number [CN]
This attribute specifies the visible width in average character widths. Users should be able to enter longer lines than this, so user agents should provide some means to scroll through the contents of the control when the contents extend beyond the visible area. User agents may wrap visible text lines to keep long lines visible without the need for scrolling.

Your code as shown is only limiting the size of the visible textbox (75 characters wide by 6 text lines high) not the size of the content.

HTML provides no method to explicitly limit the number of characters entered in a textarea element. While browsers may apply some limits (typically 32 or 64 kB) the only true control is having a client-side or server-side script.

JAB Creations

9:38 pm on Oct 8, 2006 (gmt 0)




It's time for you to invest a little research and time into captcha.

[captcha.net...]

- John

SuzyUK

9:46 pm on Oct 8, 2006 (gmt 0)




They put one link in every line where the name, address,...

Those two should be easy enough to validate for, shouldn't they? If there's not meant to be a link (a href code) in either of those fields, then kill the script and do not send the mail.

Then in the comments, if you can get the script to detect "more than one" URL do the same, kill it after multiples.

It's perhaps harder when it comes to comments, but it depends if you allow all HTML, BB codes etc. If you disallow any one of them, then say so and subsequently block any script that attempts it.

I'm a complete amateur at scripting but recently I've had success by blocking posts with

[/url]

because nowhere in my site should it appear (but spammers try it all!), and if it is used it's 99% spam, 1% someone who thought they knew how to do something. The 1% will learn, the 99% I've filtered.

Sad perhaps, but it's working for now

[edited by: SuzyUK at 9:46 pm (utc) on Oct. 8, 2006]
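The checks discussed in the last two replies (a server-side length limit, since ROWS/COLS only size the visible box; no links in the name or address fields; at most one URL in the comments; and a block on the `[/url]` BBCode tag), as an added example that is not part of the original thread. The field names `name`, `address` and `comments`, the 6 x 75 character limit and the sample submissions are assumptions constructed for the example:

```python
"""Server-side validation for a quote form (added example, not from the thread).

Assumed field names: name, address, comments. The textarea's ROWS=6 COLS=75
only sizes the visible box, so the length limit has to be enforced here.
"""
import re

# Assumption: treat 6 visible lines of 75 characters as the real limit
MAX_COMMENT_CHARS = 6 * 75

# Bare URLs (http://, https://, www.) and HTML anchors with an href
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
HREF_RE = re.compile(r"<\s*a\b[^>]*href", re.IGNORECASE)
URL_CLOSE_TAG = "[/url]"


def find_reject_reasons(fields):
    """Return the reasons to drop a submission; an empty list means accept."""
    reasons = []

    # Name and address should never contain a link of any kind
    for short in ("name", "address"):
        value = fields.get(short, "")
        if URL_RE.search(value) or HREF_RE.search(value):
            reasons.append(f"link in {short} field")

    comments = fields.get("comments", "")
    if len(comments) > MAX_COMMENT_CHARS:
        reasons.append(f"comments exceed {MAX_COMMENT_CHARS} characters")
    if len(URL_RE.findall(comments)) > 1:
        reasons.append("more than one URL in comments")
    if URL_CLOSE_TAG in comments.lower():
        reasons.append("BBCode [/url] in comments")
    return reasons


def should_send_mail(fields):
    """The form processor only sends mail when no reason to reject was found."""
    return not find_reject_reasons(fields)


# Constructed sample submissions (not real data)
LEGIT = {
    "name": "Jane Smith",
    "address": "12 High St",
    "comments": "Please quote for a redesign, see www.example.com for the current site.",
}
SPAM = {
    "name": "http://spam.example/",
    "address": "http://spam.example/2",
    "comments": "\n".join(f"http://spam.example/{i}" for i in range(200)),
}

if __name__ == "__main__":
    for label, submission in (("legit", LEGIT), ("spam", SPAM)):
        print(label, find_reject_reasons(submission))
```

The one-URL allowance lets a genuine customer point at their existing site, which is the case SuzyUK's "multiples" rule is designed to keep.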

Lorel

6:45 pm on Oct 9, 2006 (gmt 0)




Thanks for the suggestions folks.

I'll read up on the W3.org data on forms as my knowledge of it is way outdated.

rocknbil

3:18 am on Oct 11, 2006 (gmt 0)




<TEXTAREA NAME="COMMENTS" ROWS=6 COLS=75>

How are they able to force it to take much more text?

Simple. They're not even using your form. They're querying the script directly via command line or a program that makes direct requests.

Get on a linux box via telnet or SSH and execute this command:

curl -d 'first_name=spammer&Email=spam@example.com' [yoursite.com...]

This is a direct request to your form processor without ever visiting the form. Multiply the concept by an automated process that sniffs out your form fields and figures out which ones go directly into mail headers and you have a very large problem. If your quote script sends you an email, it's even worse. They can even insert a BCC field into the headers and send out thousands of emails, and you won't even know - because it's a BCC.

Check this thread out [webmasterworld.com]. The solution lies in how you write your backend processor and how well it cleanses the incoming data.

And log all the data being submitted to your form processor. It's outright scary what you find once you start doing that.
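What "cleansing the incoming data" looks like for the mail-header case rocknbil describes, as an added example that is not part of the original thread. A direct POST can put anything in any field, so the processor refuses to build headers from a value containing a line break, uses a fixed sender address rather than the submitted one, and writes one log line per submission. The field names `name`, `email`, `comments`, the addresses and the sample submissions are assumptions constructed for the example:

```python
"""Header-injection defence and submission logging for a form processor
(added example, not from the thread). Field names and addresses are assumed.
"""
import json
import re
import time

# A CR or LF inside a header value would start a new header line
HEADER_BREAK_RE = re.compile(r"[\r\n]")
# One address, no whitespace, no second "@": good enough to reject header tricks
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: these two submitted fields end up in mail headers
HEADER_FIELDS = ("name", "email")


def header_injection_problems(fields):
    """Return reasons a submission is unsafe to pass into mail headers."""
    problems = []
    for key in HEADER_FIELDS:
        if HEADER_BREAK_RE.search(fields.get(key, "")):
            problems.append(f"line break in {key} (possible header injection)")
    if not EMAIL_RE.match(fields.get("email", "")):
        problems.append("email is not a single well-formed address")
    return problems


def build_headers(fields):
    """Build mail headers only from validated values.

    Returns None when the submission is rejected, so a caller cannot send
    mail whose header lines were supplied by the client.
    """
    if header_injection_problems(fields):
        return None
    return {
        "From": "quote-form@yoursite.example",  # fixed sender, never the submitted address
        "Reply-To": fields["email"],
        "Subject": "Quote request from " + fields["name"],
        "To": "sales@yoursite.example",
    }


def log_record(fields, remote_addr, problems):
    """One JSON line per submission, so rejected traffic can be reviewed later."""
    return json.dumps({
        "ts": int(time.time()),
        "remote_addr": remote_addr,
        "rejected": bool(problems),
        "problems": problems,
        # Truncate each field so a flood of links does not bloat the log
        "fields": {k: v[:200] for k, v in fields.items()},
    })


# Constructed samples: a normal submission and a direct POST carrying an extra header line
CLEAN = {"name": "Jane Smith", "email": "jane@example.com", "comments": "Quote please."}
INJECTED = {
    "name": "spammer",
    "email": "spam@example.com\r\nBcc: someone@example.org",
    "comments": "x",
}

if __name__ == "__main__":
    for submission in (CLEAN, INJECTED):
        problems = header_injection_problems(submission)
        print(log_record(submission, "203.0.113.5", problems))
        print(build_headers(submission))
```

Rejecting on the line break rather than trying to strip it is deliberate: a submission that contains one was not typed into the form, so there is nothing worth salvaging and the log line is the useful output.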

DeweyW

12:24 pm on Oct 18, 2006 (gmt 0)




Look into one of the many formmail programs available for free. Depending on the capabilities you choose, most can prevent form spam, verify the form data and clean up any SQL injection attacks that may be sent.