a safe comment form
james438
09-15-2008, 04:47 PM
Not sure if this is the right place for this question, but I am considering designing a comment page for my site. I could add limits to
disable or limit the size of images
limit and truncate the size of submitted content
another to prevent rapid submissions
disable the '<'
and record the user's ip address in case I need to block them
Does that sound about right?
boogyman
09-15-2008, 05:42 PM
those are all good thoughts.
instead of disabling the html elements, my suggestion is that you just escape them or replace them with their character code equivalent...
< character code is &lt;
james438
09-15-2008, 08:24 PM
I was planning on replacing < with its code equivalent, but I did not know you could escape it. What would the code for that look like? echo "\<img src='www.site.com/image.jpg'>"; will still output an image.
boogyman
09-15-2008, 08:34 PM
i meant escaping for all injection. Some are listed below
strip_tags() (http://www.php.net/strip_tags)
htmlentities() (http://www.php.net/htmlentities)
mysql_real_escape_string() (http://www.php.net/mysql_real_escape_string)
addslashes() (http://www.php.net/addslashes)
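The functions listed above do different jobs, and the thread does not show them side by side. This is an added example, not code from the thread or from any of the posters: the same constructed comment is passed through strip_tags() and htmlspecialchars(), and a PDO prepared statement is used in place of mysql_real_escape_string()/addslashes() for storage. It assumes PHP 7 or later with the PDO SQLite driver (an in-memory database stands in for MySQL so it runs offline); the table and column names and the escape_for_html/store_comment helpers are made up for the demo.

```php
<?php
// Added example: which function fits which job when handling a comment.
// Assumes PHP >= 7 with PDO + SQLite. Table/column names are invented.
declare(strict_types=1);

// Constructed sample input: a comment with markup, a script tag and
// characters (' and &) that matter for both HTML and SQL.
$raw = "Nice post! <script>alert('xss')</script> <b>bold</b> O'Reilly & co";

// 1. strip_tags() removes the markup but keeps the text inside the tags,
//    so the word "alert('xss')" survives and a harmless "a < b" is mangled.
//    It is a content-policy tool, not an output-escaping tool.
$stripped = strip_tags($raw);

// 2. htmlspecialchars() keeps the text exactly as typed and makes it inert
//    in HTML: < > & " ' become entities. ENT_QUOTES covers the single quote
//    so the value is also safe inside an attribute; the charset must match
//    the page's charset or multi-byte sequences can be mis-decoded.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$escaped = escape_for_html($raw);

// 3. For the database, send the comment as a bound parameter. It never
//    becomes part of the SQL text, so no SQL escaping function is needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, ip TEXT, body TEXT)');

function store_comment(PDO $db, string $ip, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (ip, body) VALUES (:ip, :body)');
    $stmt->execute([':ip' => $ip, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Store the raw text, not the escaped one: escaping is an output concern.
// Text escaped on the way in is wrong for every other context it may be
// shown in later (plain-text email, a JSON API, a search index).
$id = store_comment($db, '203.0.113.7', $raw);

// 4. Escape at the point of output, for the context it is output into.
$sel = $db->prepare('SELECT body FROM comments WHERE id = :id');
$sel->execute([':id' => $id]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

echo "strip_tags:       $stripped\n";
echo "htmlspecialchars: $escaped\n";
echo '<p class="comment">' . escape_for_html($row['body']) . "</p>\n";
```

The apostrophe in O'Reilly is the reason ENT_QUOTES is set: without it htmlspecialchars() leaves single quotes alone, which is fine inside a double-quoted attribute but not inside a single-quoted one. The same apostrophe is what would break a naively concatenated INSERT; with the bound parameter it is simply data.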
james438
09-15-2008, 08:35 PM
hehe, I have not used strip_tags() in so long I forgot all about that one :p thanks :)
Medyman
09-16-2008, 01:52 AM
Instead of allowing HTML markup on my comment forms, I generally only allow Markdown (http://en.wikipedia.org/wiki/Markdown).
Those that know how to use it are generally knowledgeable enough to know the purpose of HTML markup. Otherwise, I don't think HTML is really necessary (or safe) in comment forms.
You've got a fairly comprehensive list of precautions you could take to ensure a safe form. You might also limit the number of links. Often spammers post somewhat coherent comments riddled with links. That gets into the realm of moderating/censoring content which you may/may not want to get into.
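The precautions collected in this thread (the size limit with truncation, the brake on rapid submissions and the IP record from the first post, plus the link cap suggested here) fit naturally into one validation pass that runs before a comment is stored. The following is an added example, not code from the thread or from any of the posters. The limits, the $state array used as a stand-in for a persistent per-IP store, and the helper names are assumptions for the demo; a real site would keep $state in the database, APCu or similar, and would still escape the body with htmlspecialchars() when rendering it.

```php
<?php
// Added example: one validation pass covering the precautions from the
// thread. Limits and the in-memory $state store are demo assumptions.
declare(strict_types=1);

const MAX_BODY_CHARS = 2000;   // anything longer is truncated, not rejected
const MIN_INTERVAL   = 30;     // seconds between posts from the same IP
const MAX_LINKS      = 2;      // more distinct links than this is treated as spam

// Count distinct link targets, in both bare-URL and Markdown [text](url) form.
// Using a set means a Markdown link whose target is also matched by the
// bare-URL pattern is counted once.
function count_links(string $body): int
{
    $targets = [];
    if (preg_match_all('~\[[^\]]*\]\(\s*([^)\s]+)\s*\)~', $body, $m)) {
        foreach ($m[1] as $t) {
            $targets[$t] = true;
        }
    }
    if (preg_match_all('~\bhttps?://[^\s<>()\[\]]+~i', $body, $m)) {
        foreach ($m[0] as $t) {
            $targets[$t] = true;
        }
    }
    return count($targets);
}

/**
 * Validate one submission. $state['last_post'][$ip] holds the time of the
 * last accepted post per IP and is passed by reference so the caller can
 * keep it between requests. $now is injected so the checks are testable.
 * Returns ['ok' => true, 'comment' => [...]] or ['ok' => false, 'error' => ...].
 */
function validate_comment(array $post, string $ip, array &$state, int $now): array
{
    $body = trim((string) ($post['body'] ?? ''));
    if ($body === '') {
        return ['ok' => false, 'error' => 'empty comment'];
    }

    // Rapid-submission check: at most one accepted post per MIN_INTERVAL per IP.
    $last = $state['last_post'][$ip] ?? null;
    if ($last !== null && ($now - $last) < MIN_INTERVAL) {
        return ['ok' => false, 'error' => 'too many submissions, slow down'];
    }

    // Size limit: measure in characters, not bytes (mbstring assumed), so a
    // UTF-8 sequence is never cut in half.
    if (mb_strlen($body, 'UTF-8') > MAX_BODY_CHARS) {
        $body = mb_substr($body, 0, MAX_BODY_CHARS, 'UTF-8');
    }

    if (count_links($body) > MAX_LINKS) {
        return ['ok' => false, 'error' => 'too many links'];
    }

    $state['last_post'][$ip] = $now;

    // Record the IP alongside the comment so the poster can be blocked later.
    // The body is kept as submitted; escape it at render time, not here.
    return ['ok' => true, 'comment' => ['ip' => $ip, 'posted_at' => $now, 'body' => $body]];
}

// Constructed submissions that exercise each check.
$state = [];
$ip = '198.51.100.23';
$runs = [
    'first' => validate_comment(['body' => 'Great article, thanks!'], $ip, $state, 1000),
    'again' => validate_comment(['body' => 'One more thing...'], $ip, $state, 1010),   // 10 s later, inside MIN_INTERVAL
    'spam'  => validate_comment(['body' => 'Buy now http://a.example http://b.example [here](http://c.example)'], $ip, $state, 2000),
    'long'  => validate_comment(['body' => str_repeat('x', 5000)], '203.0.113.9', $state, 2000),
];

foreach ($runs as $name => $r) {
    printf("%-5s %s\n", $name, $r['ok']
        ? 'accepted (' . mb_strlen($r['comment']['body'], 'UTF-8') . ' chars)'
        : 'rejected: ' . $r['error']);
}
```

Note that a rejected submission does not update last_post: a poster who hit the link cap is not also locked out by the rate limit on their corrected retry. Whether to silently truncate or reject an over-long comment is a product decision; truncating quietly can drop the end of a legitimate comment, so telling the user the limit on the form is kinder than relying on the server-side cut.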