How can I avoid users entering php code into my form

How can I stop users entering <?php ?> into my forms.

I am using urlencode() and then using urldecode() when echoing data onto my page what is the best thing to do??

UPDATE:

I am writing to th开发者_如何转开发e database with the text urlencoded:

htmlentities (urlencode($_POST['postmessage']));

I am using:

<?php echo htmlentities (urldecode($row['content'])) ?>

to echo the saved data. Is that enough??

---

I would suggest you to use the HTML Purifier for that:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited,
secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

---

Well, you can get rid of all the characters that don't belong in a URL

$var = filter_var($url, FILTER_SANITIZE_URL);

Then you can check that it is a valid URL

$var = filter_var($url, FILTER_VALIDATE_URL);
if($var == false)
    die("Bad URL");

---

what are you doing with the code? execute it? when you echo the php code theres no need to worry server side... you rather want to do html_entity_encode to keep your website from beeing messed up or beeing injected by iframes/javascripts by user posts