Realizing there are holes in security techniques, and given that I have only one or two simple comment forms to make, I was wondering if I could get some feedback on the idea of doing form validation only.
There are only 3 fields:
name: letter chars only
email: underscore, hyphens, numbers and letters, @, a period
comments: since it is a finance site, the only special characters to be echoed back, $ and %, will undergo str_replace. No link posting allowed, so the relevant chars here will be disallowed.
Preventing the '$' associated with injection techniques and eliminating the input of hyperlinks (and HTML formatting): won't this take care of most security & spam concerns?
(IP address and date collected by hidden input)
Even with sessions, users with cookies turned off would be out of the loop [unless something more could be done with sessions?]. And the CAPTCHA technique can be circumvented and can even discourage users from entering data in the first place.
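As an added example (not code from the original post), here is the post's three-field allow-list in Python next to the two controls that actually make the echoed text and the database write safe: output encoding and a parameterised query. The field names, length limits, the sqlite table and the sample submission are my assumptions.

```python
import html
import re
import sqlite3

# Anchored allow-list patterns for the three fields described in the post.
NAME_RE = re.compile(r"[A-Za-z]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9_-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
LINK_OR_MARKUP_RE = re.compile(r"<|>|https?://|www\.", re.IGNORECASE)  # markup or link

def validate(form: dict) -> dict:
    """Return {field: reason} for every field that breaks the post's rules."""
    errors = {}
    if not NAME_RE.fullmatch(form.get("name", "")):
        errors["name"] = "letters only"
    email = form.get("email", "")
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        errors["email"] = "not a plausible address"
    comment = form.get("comments", "")
    if not 0 < len(comment) <= 2000:
        errors["comments"] = "empty or too long"
    elif LINK_OR_MARKUP_RE.search(comment):
        errors["comments"] = "links and markup are not allowed"
    return errors

def new_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's comment store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (name TEXT, email TEXT, body TEXT, ip TEXT)")
    return conn

def store(conn: sqlite3.Connection, form: dict, client_ip: str) -> int:
    """Parameterized insert: quotes, '$' and '%' are data, never SQL. client_ip
    should come from the server-side request, not a client-controlled hidden field."""
    conn.execute(
        "INSERT INTO comments (name, email, body, ip) VALUES (?, ?, ?, ?)",
        (form["name"], form["email"], form["comments"], client_ip),
    )
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]

def render(comment: str) -> str:
    """HTML-encode for output; this, not deleting '$', is what keeps echoed text inert."""
    return html.escape(comment, quote=True)

if __name__ == "__main__":
    # Constructed sample submission, not data from the original post.
    form = {"name": "Alice", "email": "alice_b@example.com",
            "comments": "Fees rose 5% and the fund cost $20, 'ouch'."}
    print(validate(form) or "valid", render(form["comments"]))
    print(store(new_db(), form, "203.0.113.5"), "row(s) stored")
```

Because the output is encoded and the query is parameterised, the `$` and `%` the finance site needs can be stored and echoed as-is; the allow-list then only has to enforce the post's format rules.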