--- directdebit.module	2010-03-10 16:47:06.000000000 +0100
+++ directdebit.patched.module	2010-12-14 10:55:43.000000000 +0100
@@ -164,19 +164,25 @@ function directdebit_form($form_values, 
 function directdebit_form_validate( $form, &$form_state) {
   $fields_to_use = variable_get('directdebit_field_list', array( 'directdebit_bank_withdraw_permission'));
 
   if ( $fields_to_use['directdebit_bank_withdraw_permission'] &&
     ( !isset($form_state['values']['directdebit_bank_withdraw_permission']) || !$form_state['values']['directdebit_bank_withdraw_permission'][1])) {
     form_set_error('directdebit_bank_withdraw_permission', t('You must give us permission to withdraw money from your bank accuunt or choose another payment method'));
   }
   
+  $fields = directdebit_api('#title');
+  foreach (array('directdebit_bank_account_number', 'directdebit_bank_id') as $key) {
+    if(!preg_match ( '/^([\d- ])+$/', $form_state['values'][$key])) {
+	  form_set_error($key, t('%d may contain digits, dashes and spaces only. Please enter valid %d', array('%d' => $fields[$key]['#title'])));
+	}
+  }    
+  
   if (!is_array($form)) {
     // This is only necessary for directdebit_process_post processing aka direct calling
-    $fields = directdebit_api('#title');
     foreach ($fields_to_use as $key => $value) {
       if ( $value) {
         if ($fields[$key]['#required'] && empty($form_state['values'][$key])) {
           form_set_error($key, t('Please enter %d', array('%d' => $fields[$key]['#title'])));
         };
       }
     }
   }
@@ -214,9 +220,9 @@ function directdebit_process_post(&$paym
       }
       else {
         $payment_details[$key] = check_plain( $post);
       }
     }
   }
 
   return $payment_details;
-}
\ No newline at end of file
+}
