Currently, I limit an address to 100 characters with no rules about what it must be composed of. Punctuation, digits, letters; all are welcome.
I use strip_tags upon saving the address to my database (prepared statements). I use $this->escape() (Zend Framework) when echoing it to a page.
I don't want to go crazy, but I think that I need to be a little more restrictive. What am I missing?
