I have the following in my form mail:
// Strip CR, LF and mail header keywords from $name; any difference from the original means an injection attempt
$find = array("/\r/", "/\n/", "/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
$test_name = preg_replace($find, "", $name);
// $comments may contain line breaks, so only the header keywords are stripped here
$find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
$test_comments = preg_replace($find, "", $comments);
if (($name != $test_name) || ($comments != $test_comments)) {
$injection_error = "1";
$error = "1";
include ("simple.html");
exit;
}
Now, what's *supposed* to happen is, it'll check the $name field variable for form injection attempts. It's supposed to do the same thing with the $comments variable (except allowing /r/n so the end user can put in line breaks if the message is long - but it'll check for the other header discrepancies).
If it finds injection attempts, it'll return you to the form with a message saying "An injection attempt has been detected." or something to that effect. It does this properly for the $name variable - but if I try to inject something in the $comments field, it takes me to my customized "forbidden" page (Error 403, I think it is).
Now, why would it take me to my 403 page, and not back to the form? Is it something with my htaccess file, maybe? (Although I really don't know why it would do that if it was...) Just curious as to why this happens. (Otherwise, it works great :) ) I'm just wondering because, if someone uses the form and *doesn't* have a good htaccess file or customized 403 page, will the email go through, or will it just go to the standard 403 page?
Any help would be appreciated :)
I played with it a bit, and removed my .htaccess file to see what would happen. When trying to spam my form, it automatically takes you to my default/standard 403/Forbidden page instead of returning you to the form with an error message.
I'm guessing now that the issue is something on my server, that my host provides.
However, I'd like to know what I should do to make the code return the spammer to the form with an error message, instead of displaying my 403 page. I know that, chances are, anyone who does it *will* be a spammer, and I shouldn't care - but in the off chance someone did something weird (like a cat tromped across the keyboard at the wrong moment and added in "/r/n" or something by accident) I'd like a proper error message to show instead of the 403, which would lead to confusion.
Any help or ideas would be appreciated! :)
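One way to do the check so the visitor is always sent back to the form with a message, as an added example that is not the poster's code: it rejects any line break in the single-line name field and any header-looking line in the message body, and returns the errors for the form template to print. The field names and the simple.html include come from the post; the header list, messages and test inputs are assumed.

```php
<?php
// Added example, not the poster's code. Field names $name/$comments and the
// simple.html include follow the post; the header list and messages are assumed.

/**
 * Returns an array of error messages; an empty array means the input is clean.
 * $name ends up in a mail header, so it may not contain any line break at all.
 * $comments is the message body, so line breaks are allowed, but no line may
 * begin with a mail header name (the /m flag makes ^ match after each newline).
 */
function detect_header_injection(string $name, string $comments): array
{
    $errors = [];
    $headerNames = 'to|cc|bcc|from|subject|content-type|mime-version';

    if (preg_match('/[\r\n]/', $name)) {
        $errors[] = 'Name must be a single line.';
    } elseif (preg_match('/(?:' . $headerNames . ')\s*:/i', $name)) {
        $errors[] = 'Name contains mail header text.';
    }

    if (preg_match('/^\s*(?:' . $headerNames . ')\s*:/im', $comments)) {
        $errors[] = 'Message contains a line that looks like a mail header.';
    }

    return $errors;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs for a command-line self-check (php thisfile.php).
    foreach ([
        ["Alice", "Hello,\nsecond line"],                // clean
        ["Alice\r\nBcc: extra@example.com", "Hello"],    // CRLF in name
        ["Alice", "Hello\nContent-Type: text/html\n"],   // header line in body
    ] as [$n, $c]) {
        echo json_encode(detect_header_injection($n, $c)), PHP_EOL;
    }
} else {
    // Form handler: redisplay the form with the messages instead of mailing.
    $name     = $_POST['name'] ?? '';
    $comments = $_POST['comments'] ?? '';
    $errors   = detect_header_injection($name, $comments);
    if ($errors) {
        $injection_error = '1';
        $error = '1';
        include 'simple.html';   // assumed to print $errors above the form
        exit;
    }
    // Build and send the mail here, using only the validated values.
}
```

If the 403 still appears even with the script's own check removed, the request is most likely being rejected by a server-level filter the host runs before PHP executes, which no script-side code can intercept; only the host's configuration can change that.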