Busy — Tue, 02 May 2006 08:36:45 +0000

Is the above code in sendtofriend.html ? if so, is .html phased to php (via htaccess)
If thats ok can you show us the tag please.
Withouit the whole code, bits like $visitorNamernEmail: $visitorEmailrnComments:rn$comments might make sense, it doesn't look right but it could be. is :rn meant to be a new line? new line is \n\r

The above code looks like it will work, but ideally everything from the form needs to be $_POST['variablename'] and the <= does not catch aa or just a in all fields.
$visitorName should be checked to minimum value of 2 or 3 (some Asian names can be short), $visitorEmail should be checked it is an email, contain letters and or numbers then a @ then minimum 2 then a . then minimum 3 or 2 and . and 2
for emails I personally check for 3 things:
$_POST['email'] = trim($_POST['email']);
if(strlen($_POST['email'])<5)
if(empty($_POST['email']))
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+([\.][a-z0-9-]+)+$",$_POST['email']))

The comments at minimum should check there is no code being submitted, remove html tags or convert them to ascii
strip_tags($thereinput)
htmlspecialchars($thereinput);
htmlentities($thereinput, ENT_QUOTES);
strtr($thereinput, array('(' => '(', ')' => ')'));
addslashes($thereinput);
ereg_replace("%","\\%",$thereinput);

are a few methods, each doing different things

The $sendto should also check that it is just one email address (just check there is only one @), this can stop BBC injections - your form being used by spam bots.
Depends how far you want to go, you could also check the form has been sent from your domain (cuts out spam bot usage)