Is this code safe for displaying and..

Anon

I am creating a message board using php and mysql. I use a textbox form (like this one) and pass the input through the following function before inserting into the table. Am I leaving this wide open for any known exploits?

function strip_nasty_stuff(&$str) {
$str = strip_tags($str, '<b></b><i></i>');
$str = trim($str);
$str = nl2br($str);
if (strlen($str) > 10000) {
$str = substr($str,0,10000);
}
}

Anon

the characters that need to be escaped in database queries etc. are single quote ('), double quote ("), backslash () and NUL (the null byte).
this is done with the addslashes() function or automatically with magic quotes ,by default enabled in php.ini ...

Anon

Thanks, I entered quotes and double quotes into my form and they came out intact when I fetched the row and displayed it so I must have magic quotes on but I will double check. Thanks for the help.