Thank you for that small hack, that DID finally get rid of it in its entirety. I am not very sure how much help this will be, though I believe it will help a little bit..I decided to throw these regexes on all the form fields.. For the name, address1, address2, city, country I removed the colon (:) and removed the words TO, FROM, SUBJECT. If the user tries to write those in, it's removed before it saves to my database.

For the email address, I applied the same regexes but I also applied the join [ ,] thing you mentioned earlier. The ZIP code is also using this join feature, that way anything after the first comma or space is removed and not worried about.

After running a few tests, it seems to be working fine. The user can still add fake data to the fields, but the harmful codes have been removed and all that's left is text. That's no big deal :).

Thanks for all your help everyone!