(More detail below)
Ok, with the project I'm working on, I have it technically working, it just has a security flaw I need help eliminating. I'm working on writing a simple message board. It doesn't sort by thread, or anything fancy like that. I have the messages stored as php files with 3 vars: $username $subject and $message. They are named like "1.php" - "1000.php", or however many there are. So the files look like this:
<?php $username = "yungbloodreborn"; $subject = "Test"; $message = "Hi, this is a test message... I hope it works..."; ?>
then I have one file "count.php" that has the number of the last message entered in it.
<?php $count = 5; ?>
That way my message index page simply starts at $count and counts down, and includes each message file to get its $username & $subject. I have another page that just includes the one message file that you want to read, and displays all 3 vars.
I already wrote the script that writes the message files & updates the count file. It's all working as it should. The piece that needs to be secured is the part that takes the info from the forms, and writes it to the file. If I try to put in a quote mark, it thinks it's closing the string. Also, I need to make sure that users can't enter any php (or other script) code. I don't care if users can enter actual html for links/images or other formatting. I just don't want them to be able to hack my site with malicious code in a message. I've skimmed over the bbPHP code, and saw how to turn custom tags into html, I can make that work. But I haven't found anything that will strip out any scripting, or deal with quotes.
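
An added example, not part of the original post: one way to keep the "N.php" plus "count.php" layout described above while closing both holes, by building the string literals with var_export() on write and escaping with htmlspecialchars() on display. The function names, the demo directory and the sample input are assumptions made for illustration, and the example escapes all HTML on output, so custom tags would be converted after that step.

```php
<?php
// Added example, not the poster's code. save_message(), show() and the
// demo directory are hypothetical names chosen for illustration.

// Write one message in the same "N.php" format, but let var_export() build
// the string literals: it escapes quotes and backslashes, so form input
// cannot end the string and become PHP code when the file is include()d.
function save_message(string $dir, string $username, string $subject, string $message): int
{
    $countFile = "$dir/count.php";
    $count = 0;
    if (is_file($countFile)) {
        include $countFile;            // sets $count in this function's scope
    }
    $id = (int)$count + 1;

    $body = "<?php\n"
          . '$username = ' . var_export($username, true) . ";\n"
          . '$subject = '  . var_export($subject, true)  . ";\n"
          . '$message = '  . var_export($message, true)  . ";\n";

    file_put_contents("$dir/$id.php", $body, LOCK_EX);
    file_put_contents($countFile, "<?php\n\$count = $id;\n", LOCK_EX);
    return $id;
}

// Escape on output so stored text is displayed as text, never run as
// HTML or script in the reader's browser.
function show(string $value): string
{
    return nl2br(htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input: quote marks plus PHP and script tags.
$dir = sys_get_temp_dir() . '/board_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
$id = save_message($dir, 'yungbloodreborn', 'Test "quoted"',
    'He said "hi"; <?php echo 1; ?> <script>alert(1)</script>');

include "$dir/$id.php";   // loads the three vars as plain strings
echo show($subject), "\n", show($message), "\n";
```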