Resolved security question

james438
03-13-2010, 03:07 PM
Hi, just wondering if any malicious code can be entered into this code below. I really rather doubt it, but thought I might ask anyway.

<?php
// Read the three form fields, defaulting to '' so the first (un-posted) load raises no notices.
$string = isset($_POST['data']) ? $_POST['data'] : '';
$word1 = isset($_POST['word1']) ? $_POST['word1'] : '';
$word2 = isset($_POST['word2']) ? $_POST['word2'] : '';
// Undo magic_quotes escaping before working with the values.
$word1 = stripslashes($word1);
$word2 = stripslashes($word2);
$string = stripslashes($string);
// Replace every occurrence of word1 with word2 in the submitted text.
$string = str_replace($word1, $word2, $string);
// Escape everything that is echoed back into the page, including the textarea body,
// so a literal </textarea> or a quote in the input cannot break out of its element.
$word1 = htmlentities($word1, ENT_QUOTES);
$word2 = htmlentities($word2, ENT_QUOTES);
$string = htmlentities($string, ENT_QUOTES);
?><body style='background-color:tan;'>
<form action="<?php echo htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="POST">
Enter text document here:
<br>
<textarea rows="40" cols="130" name="data"><?php print $string; ?></textarea>
<br><input type="text" size="75" name="word1" value="<?php print $word1; ?>"> &lt;-- Remove this
<br><input type="text" size="75" name="word2" value="<?php print $word2; ?>"> &lt;-- and replace it with this
<br><input type="submit" name="queryButton" value="Submit">
</form></body>

traq
03-13-2010, 09:06 PM
Where is it going? If it's going to your DB you should apply mysql_real_escape_string(). If it's just going to be used as text/html, then it should be fine (I assume that's why you're using htmlentities - though keep in mind, htmlentities will leave the markup visible). If you want to actually strip html tags, try using strip_tags() (http://us2.php.net/manual/en/function.strip-tags.php). You can also define a whitelist of tags to allow (such as <b>, <i>, etc.).

james438
03-13-2010, 11:05 PM
It's just for generic usage. It doesn't go to the database and if some random person wants to use it that's fine too.
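An added example, not from either poster, that runs the thread's word replacement over a constructed input from the command line and contrasts echoing the result raw into the textarea with escaping it first; it also shows the strip_tags() whitelist traq mentions and the attribute caveat that comes with it. The input string and the function names are constructed for the demo.

```php
<?php
// Added example (not code from the thread): raw vs escaped textarea output,
// plus the strip_tags() whitelist caveat. Run with: php example.php

// Constructed sample input standing in for the $_POST values.
$data  = "Hello world </textarea><b onclick='x()'>bold</b>";
$word1 = "world";
$word2 = "there";

// Same transform as the posted code: replace every word1 with word2.
function replace_word(string $text, string $from, string $to): string
{
    // Guard the empty search string so an empty form field is a no-op.
    return $from === '' ? $text : str_replace($from, $to, $text);
}

// Unsafe: echoing user text into a textarea unescaped lets a literal
// "</textarea>" in the input close the element early, and whatever follows
// it is parsed as markup.
function render_textarea_raw(string $text): string
{
    return '<textarea name="data">' . $text . '</textarea>';
}

// Safe: htmlspecialchars() turns < > & " ' into entities, so the browser
// treats the whole value as text inside the textarea.
function render_textarea_escaped(string $text): string
{
    return '<textarea name="data">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

$result = replace_word($data, $word1, $word2);

echo "raw:     ", render_textarea_raw($result), PHP_EOL;
echo "escaped: ", render_textarea_escaped($result), PHP_EOL;

// strip_tags() with a whitelist keeps <b> and <i> but, as the PHP manual
// notes, leaves their attributes untouched, so the onclick survives here.
// A tag whitelist is not a substitute for escaping on output.
$kept = strip_tags($result, '<b><i>');
echo "strip_tags whitelist: ", $kept, PHP_EOL;
```

The raw line shows the textarea closing after "Hello there ", while the escaped line keeps the entire value inside it; the last line shows the whitelisted <b> still carrying its attribute.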