Well, first question you'll need to deal with is: what if the user does not enter exactly 10 digits (ignoring space/punctuation for now)? For instance, any of the following could be entered in a 20-character field, and each could be considered valid:
1-555-555-1234
(800)555-1234 x5678
+55 5 5555 6789 (international dialing)
So one option would be to just accept that what the user entered is valid and output it the way he/she entered it.
Another option would be to strip out everything that's not a digit/letter, see how many characters are left, and if it's 10 then use substr() to grab the parts and separate them with the desired punctuation; if not 10 then just output what the user entered.
A more draconian option would be to supply separate fields for each part of the number, restricting them to the exact number of digits; so you might have 4 fields on the form: area code (3), exchange (3), number (4), and an optional field for extension (maybe 6 characters just to be safe). This, however, would restrict you to US-style numbering systems, so may not be a good idea if your site is intended to support international business.
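The second option above (strip, count, then substr()), as an added PHP example that is not part of the original post. The function names formatPhone and e, the "(555) 555-1234" output style and the sample inputs are assumptions. Because the fallback branch returns whatever the user typed, the value is HTML-escaped at the point of output.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: reformat a 10-character number, otherwise return the input as entered.
function formatPhone(string $input): string
{
    $raw = trim($input);

    // Strip everything that is not an ASCII digit or letter.
    $compact = preg_replace('/[^0-9A-Za-z]/', '', $raw);

    if ($compact !== null && strlen($compact) === 10) {
        // Exactly 10 characters left: area code (3), exchange (3), number (4).
        return sprintf(
            '(%s) %s-%s',
            substr($compact, 0, 3),
            substr($compact, 3, 3),
            substr($compact, 6, 4)
        );
    }

    // Anything else (country code, extension, international format) is left alone.
    return $raw;
}

// Hypothetical helper: escape a value for an HTML context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, including the three from the post.
$samples = [
    '555.555.1234',
    '800-FLOWERS',
    '1-555-555-1234',
    '(800)555-1234 x5678',
    '+55 5 5555 6789',
    '<b>555 1234</b>',
];

foreach ($samples as $sample) {
    // The fallback branch is untrusted text, so escape every result on output.
    echo e(formatPhone($sample)), PHP_EOL;
}
```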