On any public form that collects user input, you should use the server-side validation included in either Form Toolkit or CSS form builder to validate the data being submitted.
Use email validation for email form elements.
Use alphanumeric validation for comment boxes.
Alphanumeric validation prevents PHP code from being entered, because the check fails if characters such as ">", "<" or "?" are present.
There are a number of other validation types that can be used to secure your forms.
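The following is an added example, written for this page and not code from Form Toolkit or CSS form builder, showing what the two rules above look like as hand-rolled server-side checks in a PHP form handler. The field names "email" and "comments" are assumptions, as is the exact allow-list used for the alphanumeric rule.

```php
<?php
// Added example (not Form Toolkit / CSS form builder code): server-side
// validation for a public form, illustrating the email and alphanumeric rules.
// Assumed POST field names: "email" and "comments" (hypothetical).

declare(strict_types=1);

// Email rule: accept only values that PHP's built-in email validator accepts.
function validate_email(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Alphanumeric rule: letters, digits and whitespace only (assumed allow-list).
// "<", ">" and "?" are not in the allow-list, so a value such as "<?php ... ?>"
// is rejected before it is ever stored or echoed back into a page.
function validate_alphanumeric(string $value): bool
{
    return preg_match('/^[A-Za-z0-9\s]+$/', $value) === 1;
}

// Run every rule and return error messages keyed by field name;
// an empty array means the submission passed validation.
function validate_form(array $input): array
{
    $errors = [];

    if (!validate_email((string) ($input['email'] ?? ''))) {
        $errors['email'] = 'Please enter a valid email address.';
    }

    if (!validate_alphanumeric((string) ($input['comments'] ?? ''))) {
        $errors['comments'] = 'Comments may contain letters, numbers and spaces only.';
    }

    return $errors;
}

// Constructed sample submissions so the script runs stand-alone.
$good = ['email' => 'reader@example.com', 'comments' => 'Great article thanks'];
$bad  = ['email' => 'not-an-address',     'comments' => '<?php echo 1; ?>'];

var_dump(validate_form($good)); // no errors
var_dump(validate_form($bad));  // both fields reported

// In a real handler the same call runs against the submitted data:
//   $errors = validate_form($_POST);
//   if ($errors) { redisplay the form with the messages } else { process it }
```

The allow-list rule rejects the submission outright rather than trying to strip the offending characters, which is the behaviour described above for the built-in alphanumeric validator. Validation limits what reaches the server, but values that pass are still data, not trusted markup, so continue to escape them when they are written into HTML and use parameterised queries when they are written to a database.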