DrFishNips Posted June 30, 2009

I only realized how vulnerable my site was after it got hacked. I patched it up by stripping all input variables of everything except A-Z and 0-9. It did the trick, but I have a script where users can upload articles and edit them so I don't wanna strip that of every symbol. Would preg_replacing all symbols with their corresponding ASCII work? Here's the script I'm using:

    function testvars($var) {
        // pattern => replacement; preg_replace needs delimiters around each pattern,
        // and the /u flag makes the multibyte ¥ match as a single character
        $vars = array(
            "/[!]/"  => "!",
            '/["]/'  => '"',
            "/[%]/"  => "%",
            "/[¥]/u" => "¥"
        );
        // as posted, each matched symbol is replaced with itself
        return preg_replace(array_keys($vars), array_values($vars), $var);
    }

I've run into a few problems already, like I can't replace " ' or $ for some reason. Anyone have a better solution?

https://forums.phpfreaks.com/topic/164254-replacing-symbols-with-ascii/
patrickmvi Posted June 30, 2009

It really depends how you're handling the input. My suggestion would be more one of not stripping out characters at all and just escaping the appropriate ones. But if you're concerned with cross-site scripting, then you'd have to at least replace the < and > characters. It would probably be ok to change every odd thing into an HTML entity; however, that may cause issues when your users are trying to edit things. You'd probably need to provide more info on the context of this for a better answer.
DrFishNips (Author) Posted June 30, 2009

Yeah, you're probably right. Here's the articles page I'm talking about: http://toxicopoeia.com/plantsofthegods/index.php?get=members&page=articles&action=add You have to register to be able to upload articles and edit them. It only takes a few seconds though; there's no anti-bot field or verification email bullshit. What's the best way to escape out dangerous characters: is it the addslashes function or mysql_real_escape_string? What I'm trying to do is make this input form immune to SQL injections and other attacks. The form adds an entry to a DB and it also creates an HTML file named id.html in the articles folder, the ID being an automatically assigned number (the ID of the new entry).
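The following is an added example, not code from the thread or from the toxicopoeia.com site, showing the approach patrickmvi describes and answering the addslashes vs. mysql_real_escape_string question from the last post: keep every character the user typed, store it unchanged, and escape it for the context it is written into. The database write uses PDO bound parameters, so neither addslashes nor mysql_real_escape_string is involved; the HTML file and the edit form use htmlspecialchars; the id.html filename is built from the integer id alone. The table name `articles`, its columns, the use of an in-memory SQLite database (requires the pdo_sqlite extension) and the sample article text are all assumptions made for this example.

```php
<?php
// Added example, not from the thread. The articles table, its columns,
// the SQLite database and the sample text below are assumptions.

// 1. Database: bind the raw text as a parameter. No escaping function is
//    needed because the value never becomes part of the SQL text itself.
function insertArticle(PDO $pdo, string $title, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO articles (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// 2. HTML: escape when text is written into a page, not when it is stored.
//    ENT_QUOTES covers both " and ', so the result is also safe in attributes.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. The generated id.html file: the filename comes from the integer id only,
//    never from user text, so no path characters can reach the filesystem.
function writeArticleFile(string $dir, int $id, string $title, string $body): string {
    $path = $dir . DIRECTORY_SEPARATOR . $id . '.html';
    $html = "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\"><title>" . h($title)
          . "</title></head>\n<body>\n<h1>" . h($title) . "</h1>\n<p>"
          . nl2br(h($body)) . "</p>\n</body></html>\n";
    file_put_contents($path, $html, LOCK_EX);
    return $path;
}

// 4. The edit form: the stored text comes back from the database unchanged,
//    so the user sees exactly what they typed; escaping happens only inside
//    the value attribute and the <textarea>.
function editForm(string $title, string $body): string {
    return '<form method="post">'
         . '<input type="text" name="title" value="' . h($title) . '">'
         . '<textarea name="body">' . h($body) . '</textarea>'
         . '<button>Save</button></form>';
}

// Usage with an in-memory SQLite database and constructed sample input.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, body TEXT)');

$title = "Fish & \"Nips\" 100%";
$body  = "Line one: it's <b>not</b> stripped.\nLine two: ¥ and \$ survive intact.";

$id   = insertArticle($pdo, $title, $body);
$path = writeArticleFile(sys_get_temp_dir(), $id, $title, $body);

$stmt = $pdo->prepare('SELECT title, body FROM articles WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo "wrote $path\n";
echo editForm($row['title'], $row['body']), "\n";
```

The point of the split is that each escaping step knows its own context: the SQL layer never sees user text as SQL, the HTML layer neutralises < > & " ' at output time, and the filesystem only ever sees a number. Stored data stays byte-for-byte what the user submitted, which is what makes the edit form round-trip cleanly.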