SQL Injection via user control panel
I have created a website with a backend admin panel. The user can input
any text, formatted using the TinyMCE editor for example; however, when the
user submits the edits, the information goes to an SQL database for
storage and direct use on their user website/page...
The problem happens when someone inputs something like < ? php
somecrazycode(hax); ? > inside the text area, which goes to the SQL
database to be displayed directly on their page. I would like to prevent
the use of the PHP language altogether, having it filter out the PHP
code or simply demolish the website's ability to interpret the code.
I was wondering, if right before the SQL UPDATE query, I could do
something like this:
    preg_replace('/php/', '', $query);
so that < ? php would turn into something like < ? ? >, thus not being able
to be understood by the page and executed.
And what would the possibilities be if that did work? For example, a small
list would be to preg_replace php, PHP... The users are hardly ever likely
to use the term "php" in their text, and if they did I'd rather
they email me with a problem than allow a vulnerability...
I would very much like to NOT make this very complicated for now, because
it's not like I carry bank information in the database; I just want them to
not mess with each other or the database aside from their own private page.
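The save-and-render path described in the post, as an added example that is not the poster's code: it shows the proposed preg_replace filter in runnable form (and what it leaves behind), a prepared statement for the save, which is what actually stops stored text from altering the query, and the stored text being echoed rather than executed. The table name `pages`, the `neutralizePhpTags` alternative and the sample input are assumptions made for the demo; it needs PHP with the pdo_sqlite extension so it runs from the command line without a database server.

```php
<?php
// Added example; not code from the original post. It needs PDO with the
// pdo_sqlite driver so it runs stand-alone from the CLI ("php example.php").
// The table `pages` and its columns are invented for the demo.
declare(strict_types=1);

// The filter proposed in the post, made syntactically valid: preg_replace()
// needs pattern delimiters, and the /i flag also catches "PHP". It deletes
// every "php", including ones inside ordinary words, and leaves the opening
// "<?" of the tag in place (a short open tag if short_open_tag is enabled).
function deletePhpSubstring(string $content): string
{
    return preg_replace('/php/i', '', $content) ?? $content;
}

// Alternative (assumed for the demo) that does not damage legitimate text:
// rewrite "<?" as "&lt;?". PHP's lexer cannot see an open tag in the result,
// and a browser shows the sequence as the literal text "<?", so the user's
// HTML formatting survives.
function neutralizePhpTags(string $content): string
{
    return str_replace('<?', '&lt;?', $content);
}

// In-memory SQLite database standing in for the site's real one.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (user_id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store with a prepared statement: the body is bound as a value, so quotes,
// semicolons or "--" inside it cannot change the statement. This, not text
// filtering, is what stops one user's edit from reaching other rows.
function savePage(PDO $db, int $userId, string $body): void
{
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO pages (user_id, body) VALUES (:id, :body)'
    );
    $stmt->execute([':id' => $userId, ':body' => $body]);
}

function loadPage(PDO $db, int $userId): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// Rendering: the stored string is echoed, never given to eval(), include or
// require, so a "<?php" inside it is sent to the browser as text and is not
// executed. Neutralising the tag on output is belt and braces.
function renderPage(PDO $db, int $userId): string
{
    return neutralizePhpTags(loadPage($db, $userId) ?? '');
}

function countPages(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM pages')->fetchColumn();
}

// Constructed sample input: a quoted SQL fragment plus a PHP tag, as a user
// might paste into the editor.
$submitted = "<p>Bob's page</p>'); DROP TABLE pages; --<?php echo 'hi'; ?>";

$db = openDb();
savePage($db, 1, '<p>Alice</p>');
savePage($db, 2, $submitted);

echo "proposed filter : ", deletePhpSubstring($submitted), "\n";
echo "rendered page   : ", renderPage($db, 2), "\n";
echo "stored verbatim : ", var_export(loadPage($db, 2) === $submitted, true), "\n";
echo "rows in pages   : ", countPages($db), "\n";
```

Run with `php example.php`: the first line shows that deleting "php" turns the tag into `<? echo 'hi'; ?>`, the second shows the rendered body with `&lt;?php` in place of the open tag, the third prints `true` because the prepared statement stored the quote and `DROP TABLE` text verbatim as data, and the fourth prints `2` because both rows and the table are untouched. Note that echoing raw editor HTML is still a separate problem: anything the browser interprets (`<script>`, event-handler attributes) needs an HTML sanitizer such as HTML Purifier, which none of the PHP-tag handling above addresses.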