terminate the query when html is found

have played with this alot lately trying to modify it so that if html or bbcode, or some type of other malicious code is found in a submitted description, then it will terminate the submission and reject it automatically, have tried a few different ways and it ends up terminating all submissions regardless of if the description has any html in it.. any ideas?

Code:

<?php
function suggestsite($topicid, $title, $url, $description, $email = ""){
global $db, $dbprefix, $config, $phrase;

$topicid = intval($topicid);
if ($title == ""){ return $phrase["submit_notitle"]; }
if ($url == "" || $url == "http://"){ return $phrase["submit_nourl"]; }

if ($config["requiredescription"] == "true"){
if ($description == ""){ return $phrase["submit_nodescription"]; }
}

// validate topic
$sql = "SELECT * FROM " . $dbprefix . "topics WHERE topicid = " . dbSecure($topicid);
$top = $db->execute($sql);
if ($top->rows < 1){ return $phrase["submit_missingtopic"]; }

// check for it being in the directory
if ($config["allowduplicateurls"] <> "true"){
$sql = "SELECT * FROM  " . $dbprefix . "links WHERE url = '" . dbSecure($url) . "'";
} else {
$sql = "SELECT * FROM  " . $dbprefix . "links WHERE url = '" . dbSecure($url) . "' AND topicid = " . $top->fields["topicid"];
}

$chk = $db->execute($sql); // run the actual check
if ($chk->rows > 0){ return $phrase["submit_urlindirectory"]; }

// no double submissions
$sql = "SELECT * FROM  " . $dbprefix . "queue WHERE url = '" . dbSecure($url) . "'";
$chk = $db->execute($sql);
if ($chk->rows > 0){ return $phrase["submit_urlinqueue"]; }

// ok, insert into the queue
$sql  = "INSERT INTO " . $dbprefix . "queue (postdate, topicid, website, url, description, email, ip) VALUES (";
$sql .= time() . ", ";
$sql .= dbSecure($topicid) . ", ";
$sql .= "'" . dbSecure($title) . "', ";
$sql .= "'" . dbSecure($url) . "', ";
$sql .= "'" . htmlspecialchars(dbSecure($description)) . "', ";
$sql .= "'" . dbSecure($email) . "', ";
$sql .= "'" . dbSecure($_SERVER["REMOTE_ADDR"]) . "')";
$db->execute($sql);

// and return
return $phrase["submit_success"];
}
?>

[Join us @ facebook]

What is the error that you get?

that code isnt showing an error, i took out everything I have done except adding htmlspecialchars to

Code:

<?php
$sql .= "'" . htmlspecialchars(dbSecure($description)) . "', ";
?>

[Join us @ facebook]

You can try something like :

if ( strip_tags($description) != $description ) return $phrase["submit_nodescription"]; ?>

That would work for html, but for bbcode you will need more

thanks man~! this does work in stopping them from sending submissions with html, showing that they have used "no description" in turn terminates the submission.. heres what my spammed submissions loook like below, but what you suggested does help in fighting against it:

[ Accept | Reject | Edit ] http://uw-docs.uwyo.edu/ThePlan-President/_comments/000002bd.htm - Nice site! Thank you! <a href="http://uw-docs.uwyo.edu/ThePlan-President/_comments/000002bd.htm">hydrocodone</a> hydrocodone http://uw-docs.uwyo.edu/ThePlan-President/_commen
Title:  Description: Nice site! Thank you!

<a href="http://uw-docs.uwyo.edu/ThePlan-President/_comments/000002bd.htm">hydrocodone</a>
hydrocodone
http://uw-docs.uwyo.edu/ThePlan-President/_commen
Email: 
URL: 

thanks again Nik, anymore suggestions?

[Join us @ facebook]

I guess this will work.

Now if you add a CAPTCHA verification you will be bullet proof but I guess it is not so necessary.

[Guest]

[62.882]

bizwiz, Googlebot, Msnbot, Yahoo crawler