Forum Moderators: coopster
update ... values(foo='".$textareaname."');
I have to validate the $textareaname variable so it won't set illegal chars that would generate a MySQL command syntax error (i.e. ' )...
The user is supposed to be able to insert HTML code into the field so it will be generated in "his" page...
Help me pleaaase!
[php.net...]
The HTML code of course will not be 'executed'. If you want their HTML code to actually be executed, and are not concerned about how the page presentation may be affected, then addslashes() & stripslashes() is the way to go.
asp
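The statement quoted at the top of the thread builds the SQL text by string concatenation, so any single quote in $textareaname ends the literal early. Below is an added example (not the original poster's code, and not the addslashes() route suggested above) that keeps the value out of the SQL text altogether with a mysqli prepared statement, and shows the connection-aware escape as a fallback. The table name user_pages, the columns foo and user_id, and the connection details are assumptions made for this example. Note that magic_quotes_gpc was removed in PHP 5.4, so nothing should rely on it.

```php
<?php
// Added example: storing a user's textarea content in MySQL so that quotes,
// backslashes and NUL bytes in the input cannot change the statement.
declare(strict_types=1);

// Constructed sample input: what a user might paste into the textarea.
$textareaname = "<b>Hi</b> it's a 'test' \\ with a backslash";

// What addslashes() from the thread actually does: ' -> \' , \ -> \\ , NUL -> \0.
// It knows nothing about the connection's character set, which is why
// mysqli's own escaping or a prepared statement is preferred.
$escapedAddslashes = addslashes($textareaname);

// Preferred: a prepared statement. The value is sent separately from the SQL
// text, so no character in it is ever parsed as SQL.
function saveUserHtml(mysqli $db, int $userId, string $html): bool
{
    // Assumed schema for this example: user_pages(user_id INT, foo TEXT).
    $stmt = $db->prepare('UPDATE user_pages SET foo = ? WHERE user_id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $html, $userId);   // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Fallback when a prepared statement is not an option: escape with the
// connection-aware function, which respects the charset set on $db.
function buildEscapedUpdate(mysqli $db, int $userId, string $html): string
{
    $safe = $db->real_escape_string($html);
    return "UPDATE user_pages SET foo = '" . $safe . "' WHERE user_id = " . $userId;
}

// Usage (credentials are placeholders, not real values):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $db->set_charset('utf8mb4');
// saveUserHtml($db, 42, $textareaname);
```

Whichever route is used for storage, escaping for SQL does nothing about what the stored HTML will do once it is rendered in a browser; that is a separate output-side concern.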
malicious SQL code
A user might insert malicious SQL code into your form. This is solved by escaping backslashes, null-bytes and single quotes with the addslashes function. If magic_quotes_gpc is on then PHP will automatically escape those characters in all data from GET and POST actions and from cookies.
malicious HTML code
A user might insert malicious HTML and JavaScript code into your form which is executed when a surfer views the page with a JavaScript-enabled browser. To solve this problem escape <>"' with their HTML entities. If you want your users to use some kind of markup then I would suggest using style codes like the ones used in this and many other forums. All HTML markup that the user enters will be escaped, only the style codes will be transformed to HTML markup. This way you have control over which kind of markup you allow. The other approach would be to use an HTML parser to parse the HTML entered by the user and check that prior to inserting it into the db. With this approach you will only find known malicious code (less restrictive, less safe, more coding), while with the latter approach you will allow only known good code (more restrictive, safer, easier to code).
Andreas
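The "style codes" approach Andreas describes, as an added example that is not his code or the forum's: every character the user typed is first escaped with htmlspecialchars(), and only afterwards a small allowlist of codes is turned into markup the site controls. The code syntax ([b], [i], [url=...]) is an assumption for this example.

```php
<?php
// Added example: escape everything, then allow a known-good set of style codes.
declare(strict_types=1);

// Step 1: no raw HTML survives this. <, >, ", ' and & become entities.
function escapeHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Step 2: convert only the codes we know into markup we wrote ourselves.
function styleCodesToHtml(string $escaped): string
{
    $patterns = [
        '~\[b\](.*?)\[/b\]~s' => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~s' => '<em>$1</em>',
        // Links: only http(s) URLs are accepted, and because the text was
        // already escaped it cannot contain a raw quote or angle bracket,
        // so the captured value cannot close the attribute or the tag.
        '~\[url=(https?://[^\s\[\]"\'<>]+)\](.*?)\[/url\]~s'
            => '<a href="$1" rel="nofollow">$2</a>',
    ];
    return preg_replace(array_keys($patterns), array_values($patterns), $escaped);
}

function renderUserMarkup(string $raw): string
{
    return styleCodesToHtml(escapeHtml($raw));
}

// Constructed sample: legitimate style codes mixed with input that tries to
// carry its own HTML and a non-http link.
$sample = "[b]Hello[/b] <script>alert(1)</script> "
        . "[url=http://example.com/?a=1&b=2]site[/url] "
        . "[url=javascript:alert(1)]x[/url]";

echo renderUserMarkup($sample), PHP_EOL;
```

Run with the sample above, the script tag comes out as visible text rather than an element, the http link becomes an anchor whose href keeps the escaped ampersand, and the javascript: code is left untransformed because it never matches the allowlist. Nested or unbalanced codes are simply not converted, which errs on the safe side; the ordering (escape first, transform second) is what makes the allowlist hold, and reversing it would reopen the problem.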