While I’ve not used BBCode, pondering whether to place it for listing visitor comments.
As far as input, the comments form won’t allow <> (to exclude linking and tags) and excludes special characters except for !, $, %, which will have substitutes by preg_replace on insert with str_replace on echo. So no code tags should enter in the first place.
There will be css for formatting however.