Lets say I have Text that is a POST textarea. In that field I should be able to put whatever I'd like to write. Such as XSS, SQL, and other eventual bad codes. For the markup I'll use the BBCode, so I'd like to display the code without making it work.
The thing, of course, that I wanna avoid, is that the DB gets screwed! Is there an extremely safe way to do this?

Ben aslında yapmak adımlar şunlardır:

1. Content-Type ve charset'in belirtin Content-Type: text/html; charset=UTF-8

2. Girişini sınırlandırın. Ex.: Max 500 characters

3. Htmlentitiesi kullanın () $GoodText = htmlentities($Text, ENT_QUOTES, "UTF-8");

4. Mysql_real_escape_string kullanın () $GoodText = mysql_real_escape_string($GoodText);

5. Bu DB saklayın $db->store($User, $GoodText);

As far as I read the step 3 and 4 are quite the same, but I'd like to get an explanation.

Anyway, is this a working method?
Should I also use tokens for POST forms?