Dear experts, my message evaluation function cannot block input such as ' >
= ' >
or this kind of code attack, but I see the CSDN forum handles it fine. How do I make mine, like the forum, unafraid of such characters?
If there is no other way, and I only accept the characters used in ordinary articles (Chinese, English in either case, numbers, punctuation and so on), how would I write that code?
Thank you!
Reply to discussion (solution)
Use the htmlspecialchars function to filter the text when the comment is submitted.
You can also use PDO ~~
Brother, forgive me for being stupid. If my code were structured like this:
$bid = $_POST['bid'];
...
$sql = "INSERT INTO abc (bid) VALUES ('$bid')";
how do I apply the filter? For example, if I submit the input name=bid, how is the htmlspecialchars function actually used?
In addition, I read up a bit: what is this function for? http://www.w3school.com.cn/php/func_string_htmlspecialchars.asp says it converts predefined characters to HTML entities, but I see the characters haven't changed. What is the reason?
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039;
< (less than) becomes &lt;
> (greater than) becomes &gt;
Also, if the conversion happens, my understanding is that the converted form is what appears in the database; then why does the page display the original user input, style and content? Do I need to decode it or something?
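The two replies above (htmlspecialchars and PDO) and the follow-up questions about where the filtering goes are easiest to see side by side in working code. The script below is an added example, not code from the thread; it assumes a PHP build with PDO and the sqlite driver so it runs offline, takes the table name abc and column bid from the question, and everything else (function names, sample input) is constructed here. It shows the three pieces in the order they apply: an optional allowlist on input, a parameterised INSERT so quotes in the value cannot alter the SQL, and htmlspecialchars at output time, which is why the database holds the raw text while the page shows the escaped form.

```php
<?php
// Added example, not from the original thread. Assumes PHP with the PDO
// sqlite driver; table "abc" / column "bid" come from the question, the
// function names and sample values are constructed for illustration.
declare(strict_types=1);

// --- Optional input allowlist (the fallback the poster asked about) --------
// Accepts CJK ideographs, ASCII letters in either case, digits, Unicode
// punctuation and whitespace; rejects everything else rather than trying to
// "clean" it. Note that < and > are not punctuation, so they are rejected.
function is_plain_text(string $s): bool
{
    return preg_match('/^[\p{Han}A-Za-z0-9\p{P}\s]+$/u', $s) === 1;
}

// --- Storage: parameterised INSERT (the PDO answer) ------------------------
// The value is sent as a bound parameter, so a quote inside it can never
// terminate the SQL string. The raw text is stored, NOT an escaped copy.
function save_comment(PDO $pdo, string $bid): void
{
    $stmt = $pdo->prepare('INSERT INTO abc (bid) VALUES (:bid)');
    $stmt->execute([':bid' => $bid]);
}

// --- Output: escape when rendering (the htmlspecialchars answer) -----------
// ENT_QUOTES converts both ' and ", so the result is also safe inside an
// HTML attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string.
function render_comment(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Demo ------------------------------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE abc (id INTEGER PRIMARY KEY, bid TEXT NOT NULL)');

// Constructed samples of what $_POST['bid'] might contain.
$samples = [
    'Tom\'s "review" of <b>item</b> & co.',   // quotes, tags, ampersand
    '评论：非常好。',                          // plain Chinese text
];

foreach ($samples as $input) {
    printf("allowlist ok : %s\n", is_plain_text($input) ? 'yes' : 'no');
    save_comment($pdo, $input);
}

// What the database actually holds vs. what the browser receives.
foreach ($pdo->query('SELECT bid FROM abc') as $row) {
    echo "stored in DB : {$row['bid']}\n";
    echo "sent to page : " . render_comment($row['bid']) . "\n";
}
```

The first sample fails the allowlist because of the angle brackets, but is still stored and rendered safely by the other two layers; the second passes untouched. If you choose to escape on input instead, the stored text is no longer what the user typed, and any non-HTML consumer of the column (an API, an export, a search index) will see entities such as &amp; instead of the original characters, which is the mismatch the last question is describing.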