For a message being posted through a form, I want to allow the genuine user to input whatever charcaters they need to write what they want. But I want also, to stop input of malicious code. Is this regex the shortest way to do it well/properly?

  unless ( $title =~ /^[\w\d\s\ \'\!\?\\$\&\(\)\-\+\;\:\@\,\.]+$/ && $title =~ /[^x0]/ ) {
You'll see that I have included a ; and so I guess someone could insert something to delete part/all of my db. But the script in question uses a db connection with no delete privileges. So can I allow the ; in there?

Are there any other 'characters' or symbols you know I should block?