Do this; it changes HTML into entities:
$comments = htmlentities($comments, ENT_QUOTES | ENT_IGNORE, "UTF-8");
You might also want to apply it to the username, email and subject.
To validate email, use this:
public function checkEmail($email)
{
$valid = (function_exists('filter_var') &&...
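A complete example of the two steps described above, encoding every user-supplied comment field before it is written into HTML and validating the email with filter_var(); this is added illustration, not the answer's own code. The function names, the constructed sample input and the choice of ENT_SUBSTITUTE (so invalid UTF-8 is replaced rather than dropped) are my assumptions.

```php
<?php
// Added example: encode untrusted comment fields for HTML output and
// validate the email address. Not code from the original answer.
declare(strict_types=1);

// Encode a string for insertion into HTML text or a quoted attribute.
// ENT_QUOTES encodes both " and ' so single-quoted attributes are covered;
// ENT_SUBSTITUTE (assumption: chosen instead of ENT_IGNORE) replaces invalid
// UTF-8 sequences with U+FFFD instead of silently discarding bytes.
function encodeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// filter_var() returns the address on success and false on failure.
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Encode the username, email, subject and comment fields, as suggested above.
function sanitizeComment(array $fields): array
{
    $out = [];
    foreach (['username', 'email', 'subject', 'comments'] as $key) {
        $out[$key] = encodeForHtml((string) ($fields[$key] ?? ''));
    }
    return $out;
}

// Constructed sample input: a script tag in the comment, quotes in the
// subject and an email that is not well-formed.
$input = [
    'username' => 'alice',
    'email'    => 'alice at example.com',
    'subject'  => 'Hi "there"',
    'comments' => '<script>alert(1)</script> & more',
];

if (!isValidEmail($input['email'])) {
    echo "rejected: invalid email address\n";
}

$safe = sanitizeComment($input);
printf("<p title=\"%s\">%s</p>\n", $safe['subject'], $safe['comments']);
```

Run with `php example.php`; the printed paragraph contains the comment as literal text rather than a script tag, and the sample address is rejected before it is stored.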