
TextArea Data Sanitizing Before Storing In MySQL

Here's the problem scenario. I have a textbox in which users can input comments. However, if they include HTML tags or <A HREF='javascript:window.alert("Example of a link that displays an alert box");'> link </A>, and when the comments are outputted onto the page from the MySQL database, they actually execute. I'm looking for a way to prevent that from happening and only allow a few HTML tags to be used (like bold, italics, underline).

I'm using this function on my comments before sending the comments from the textarea to be stored in the MySQL database:

    function sanitize($data)
    {
        // remove surrounding whitespace (not a must though)
        $data = trim($data);

        // apply stripslashes if magic_quotes_gpc is enabled
        // (magic quotes were removed in PHP 5.4, so this branch is a no-op there)
        if (get_magic_quotes_gpc())
        {
            $data = stripslashes($data);
        }

        // a MySQL connection is required before using this function;
        // this only escapes for SQL, it does nothing about HTML or JavaScript
        $data = mysql_real_escape_string($data);

        return $data;
    }


Well, there was no answer on how to allow certain tags to remain intact.

The strip_tags() function, which comes first to one's mind, is not safe at all: it will allow dangerous JS attributes.

So, you have to use some utility like HTML Purifier, or some regexp that will allow only certain tags and eliminate all others, or go for BBCode.

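One concrete way to apply the answer's point, as an added example that is not from the question or the answer above: escape everything on output, then restore only a fixed list of attribute-free tags, and keep SQL safety separate from HTML safety with a prepared statement. The table name `comments`, column `body`, and the helper names are assumptions for the example.

```php
<?php
// Added example: output escaping plus a tag whitelist, and parameterised storage.
// Not code from the original question or answer.

// Tags allowed to survive in output, always without attributes. Assumed list.
const ALLOWED_TAGS = ['b', 'i', 'u'];

function renderComment(string $raw): string
{
    // Step 1: escape every character with meaning in HTML. After this nothing
    // in $safe can open a tag, so a javascript: href or an onclick handler is
    // just visible text.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: restore only the exact, attribute-free open and close forms of
    // the allowed tags. "&lt;b&gt;" becomes "<b>", while
    // "&lt;b onclick=...&gt;" keeps its escaped form because it does not match.
    foreach (ALLOWED_TAGS as $tag) {
        $safe = str_ireplace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $safe
        );
    }
    return $safe;
}

function storeComment(mysqli $db, string $comment): void
{
    // Store the raw text unchanged. A bound parameter handles SQL escaping, so
    // mysql_real_escape_string() is not needed, and HTML handling stays an
    // output concern (renderComment) rather than a storage concern.
    // Table and column names are assumed.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $comment);
    $stmt->execute();
}

// Constructed sample input: one allowed tag, the question's javascript: link,
// and an allowed tag carrying an event-handler attribute.
$sample = "<b>hi</b> <A HREF='javascript:window.alert(\"x\")'>link</A>"
        . " <b onclick=\"alert(1)\">bold?</b>";

// Only the first <b>...</b> is rendered as markup; the link and the
// attribute-bearing <b> come out as escaped, inert text.
echo renderComment($sample), "\n";
```

This does not balance unclosed allowed tags (a stray `<b>` can bold the rest of the page), which is one of the things HTML Purifier handles for you.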
