I am currently making an inbuilt mail system for my website. What it does is, whenever someone sends a mail, it is stored in the DB with the ID of the user it is being sent to. Then when the other user opens their inbox, they can see the mail sent to them. The problem is when the user reads the e-mail and the e-mail contains some PHP code for RFI: the site can be easily hacked. Any solutions? I read a post using preg_replace to remove <a></a> tags; I think it can be done with <?php ?> tags or <script></script> tags too. Thanks
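The difference between removing listed tags and encoding the message on output, as an added PHP example that is not part of the original post; the function names and the sample message are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a message body as it might be read back from the mail table.
$storedBody = "Hello,\n<?php echo 'hi'; ?>\n<script>alert(1)</script>\n"
            . "<a href=\"http://example.test/\">click</a>";

/* Denylist approach mentioned in the post: one pattern per unwanted tag
   (hypothetical helper). Anything not listed passes through unchanged. */
function strip_listed_tags(string $body): string
{
    $patterns = [
        '#<\?php.*?\?>#is',                 // PHP open/close tag pair
        '#<script\b[^>]*>.*?</script>#is',  // script element
    ];
    return preg_replace($patterns, '', $body) ?? '';
}

/* Output encoding (hypothetical helper): every HTML metacharacter becomes
   an entity, so the browser shows the tags as text and no tag list is needed.
   The body is only ever echoed as data; it is never passed to eval(),
   include or require, and never written to a .php file. */
function render_mail_body(string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($safe, false); // keep the sender's line breaks
}

$filtered = strip_listed_tags($storedBody);
$encoded  = render_mail_body($storedBody);

// Does live markup survive each approach?
$report = [
    'denylist keeps <a href'   => strpos($filtered, '<a href') !== false,
    'denylist keeps <script'   => strpos($filtered, '<script') !== false,
    'encoded keeps <a href'    => strpos($encoded, '<a href') !== false,
    'encoded keeps <script'    => strpos($encoded, '<script') !== false,
    'encoded shows &lt;script' => strpos($encoded, '&lt;script') !== false,
];

foreach ($report as $check => $result) {
    echo $check, ': ', $result ? 'yes' : 'no', PHP_EOL;
}
```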
Well Lordo, I don't need to, that was the vulnerability used by me to hack my first web site :| And Kynlem, a bit more explanation?
I am asking about this because I think it is related to some hosting settings (in PHP or Apache). When I try that, it does not get executed! Can you give me an example or PM me a URL to try that?