Users input messages into my database all the time, and I'm very worried about them injecting SQL, javascript, and other things into their messages. I've experimented with adding slashes to everything, but I'm afraid I've probably left some loophole open. So I decided to replace all quotes and apostrophes with character entities (" rather than " ), but am worried about the search implications.

I'd like to be able to allow people to use most HTML tags, but I'd like to avoid any possibility of them injecting nasty SQL, using javascript, etc.

So far the steps I've taken are:
1: Replace all apostrophes and quotes with character entities.
2: Addslashes for good measure.
3: Only give select, insert & update permissions to sql. (Maybe when I have more storage space I'll remove the update and just insert a new entry for each revision they update)
4: Use a function which replaces all but a chosen list of HTML tags with character entities.

Here are a few questions:

1) Is replacing all quotes and apostrophes with their character entities going to affect the search engines? Will they display the title: ( UserName's Message: "Hello World" ) or ( UserName's Message: "Hello world" ) if that page comes up in the serps?

2) As importantly, will the search engines understand that Username's Message *means* Username's Message? On the same lines, if I create an intrasite search function, when I query my database and grep for "Username's message," will that match "Username$#39;s message," or are they different on the cellular level?

3) What are the general guidelines when it comes to securing forms on a database-driven site? Just addslashes to everything before it goes in, then strip them on the way out? Use regular expressions to replace words like "javascript" with benign character entities?

Thanks in advance for any advice.