How can I prevent Javascript coding?

[frank_solo]

I've been alerted that someone can attack my site using XSS. I have a search box on my site and I've tested it by simply writing "<script>alert('test')</script>" When I do this a pop-up box does come up displaying the word "Test" I have written a preg_replace previously but now I want to add something to it to prevent <script>.

 

This was my original code

$search = mysql_real_escape_string(preg_replace('/[^\w\'\"\@\-\.\,\(\) ]/i', '', " $_POST['search']));

 

This is what I thought might work but no luck

$search = mysql_real_escape_string(preg_replace('/[^\w\'\"\@\-\.\,\(\) ]/i', '', "/<script[^>]*>.*<*script[^>]*>/i", $_POST['search']));

 

Could anyone please help and tell me how to modify the code to prevent javascript?

 

Thanks

[The Little Guy]

preg_replace("/\<(script).*\>.*\<\/(script)\>/isU", " ", $data);

[KevinM1]

Or, you could use htmlentities to replace tags with their entity counterparts.  The script text (i.e., <script>blahblahblah</script>) would appear on your screen as text, rather than execute.

[frank_solo]

Thank you so much "The Little Guy" it worked like a charm. 

[ZulfadlyAshBurn]

Please mark topic as solved. Thanks (: