PHP remove html/other uncessary tags? - need help

[a-a-a]

Not sure if this is the right place. But..
How do remove html/other uncessary tags in php? Do I use strip tags? I've read tutorials, but I don't know how to apply it to my script.

Basic idea of my script: (actual script is too long to post it all)
First, it is an html form for the user to enter a 'short message'.
It gets compared with the 'correct message' (using php if/else), and if it's right, they get redirected elsewhere.
And I have several pages set up like this, with many different variables in total.

I've read that you shouldn't trust what the user inputs, so I want to make my script safer. How do I make the input part safer? (The entered 'short message' should only contain letters and numbers. Nothing else.)
I think I have to use strip tag, but I don't really know how or where to use it.

Help is appreciated. Thank you.

 

[engel]

I think that htmlspecialchars() will do what you're looking for. If the user enters any HTML or PHP or anything that shouldn't be there, the characters like < and > are changed to &lt; and &gt; respectively (?). This will prevent most chances of attack, as you need to use these characters to initiate PHP and to use any tag in HTML.

 

[Slothie]

strip_tags FTW

 

[str3zz]

new to php still confuse my self about it. sorry can't help

 

[Thewinator]

Also make sure not to accept the null byte. ('%00' or '\0')

 

[savager]

$_POST['message']=strip_tags;
OR
$_POST['message']=string_replace('<', '');

 

[conker87]

You add arrays to that:

$_POST['message']=string_replace(array("<",">"), "");

 

[a-a-a]

Thank you everyone!
One more question. Do I add this after the html form? Or before the if that compares the variables? Or somewhere else?

 

[engel]

It should be wherever you are evaluating what the user inputted into the form.