In addition to all the other techniques suggested, do a quick search of the form fields to look for the string of characters "http://". If my script finds that in one of my form fields, it sends back a 403 Forbidden.

rudy
http://r937.com/
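One way to implement the check described in the post above, as an added example that is not the poster's script. It assumes an `application/x-www-form-urlencoded` body; the function names, the `allowed_fields` parameter, and the extension to `https://` and mixed case are assumptions made here, and the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qsl

# The post looks for "http://"; matching "https://" and any letter case
# is an assumption added in this example.
URL_MARKER = re.compile(r"https?://", re.IGNORECASE)


def fields_with_links(raw_body, allowed_fields=()):
    """Return the names of submitted fields whose decoded value contains a URL scheme.

    allowed_fields (hypothetical parameter) names fields that may
    legitimately carry a link, such as a "website" field.
    """
    # parse_qsl percent-decodes values, so "http%3A%2F%2F" is seen as
    # "http://", and repeated field names are kept as separate pairs.
    pairs = parse_qsl(raw_body, keep_blank_values=True)
    return sorted({
        name for name, value in pairs
        if name not in allowed_fields and URL_MARKER.search(value)
    })


def check_submission(raw_body, allowed_fields=()):
    """Return the (status, reason) pair the form handler should send back."""
    if fields_with_links(raw_body, allowed_fields):
        return 403, "Forbidden"
    return 200, "OK"


# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "clean": "name=Ann&comment=nice+post",
    "encoded": "name=Bob&comment=buy+at+http%3A%2F%2Fspam.example%2F",
    "mixed_case": "name=Eve&comment=see+HtTpS://spam.example",
    "no_scheme": "name=Dan&comment=I+use+http+daily",
    "website": "name=Flo&website=http://flo.example&comment=hello",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, check_submission(body, allowed_fields=("website",)))
```

Without the `allowed_fields` exemption, the `website` sample is rejected as well, which is the false-positive cost of this filter on forms that ask for a URL.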