Luck!

Not a lot to it; just a whole series of string replacement calls, making sure that tags balance (so that people can't enter [b] on its own trying to make the rest of your page go bold), and the usual HTML entity conversion with html_entities() or similar function.

Other things to quash include multiple new lines (especially at the beginning or end of a post), and also very long lines. CSS's word wrap features can help here.

$post=str_replace("<","&lt;",$post);
$post=str_replace(">","&gt;",$post);

Now you know they can't be adding any HTML in themselves. Now you will want to support some custom formatting, for example

[b]

[/b]

$post=preg_replace("/\[b\](.*)\[\/b\]/","<b>$1</b>",$post);

ie, you put HTML back in again, but only the bits you want.

Remember to take out things you don't want - like more than two newlines:

$post=preg_replace("/\n[^\w]*\n[^\w]*\n/","\n",$post); 

Finally, you want to throw it through nl2br().