Yesterday in the shower I got the idea that someone could do bad things on my site via some kind of injection technique.
What I have is a textbox requesting some data, which is then displayed on the page, but some unwanted JavaScript or HTML could also be inserted. So my question is: how do I “sanitize” the variables that contain data from a textbox/textarea?
Your receiving script is unaware of where the input came from, just that it is there. Start by determining what input (alphanumeric, etc.) your application expects, then apply logic to ensure you only receive it.
Additionally, check out FIEO; the first two results by Chris Shiflett are an invaluable source of information and an excellent starting point.
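
FIEO (filter input, escape output) as the answer above describes it, in a short added example that is not part of the original thread. The field names, rules and sample submissions are assumptions made for illustration, and Python's standard `html.escape` stands in for whatever escaping function your platform provides.

```python
import html
import re

# Hypothetical field rules: an allowlist of what each form field may contain.
# Explicit character classes are used because \d and \w also match non-ASCII.
RULES = {
    "username": re.compile(r"[A-Za-z0-9]{3,20}"),
    "age": re.compile(r"[0-9]{1,3}"),
}
MAX_COMMENT_LEN = 500  # free text cannot be allowlisted by character set


def filter_input(form):
    """Return (clean, errors). Only fields that pass their rule reach `clean`."""
    clean, errors = {}, []
    for name, rule in RULES.items():
        value = form.get(name, "")
        # fullmatch, not match: "abc\n" must not pass a rule ending in $
        if isinstance(value, str) and rule.fullmatch(value):
            clean[name] = value
        else:
            errors.append(name)
    comment = form.get("comment", "")
    if isinstance(comment, str) and 0 < len(comment) <= MAX_COMMENT_LEN:
        clean["comment"] = comment  # length-checked only; escaped on output
    else:
        errors.append("comment")
    return clean, errors


def render_comment(clean):
    """Escape at output time, for the HTML context the value lands in."""
    user = html.escape(clean["username"], quote=True)
    text = html.escape(clean["comment"], quote=True)
    return f'<div class="comment" data-user="{user}"><b>{user}</b>: {text}</div>'


# Constructed sample submissions
good = {"username": "alice42", "age": "30",
        "comment": "I <3 this <script>alert(1)</script>"}
bad = {"username": "<img src=x>", "age": "30", "comment": "hi"}

if __name__ == "__main__":
    for form in (good, bad):
        clean, errors = filter_input(form)
        print(render_comment(clean) if not errors else f"rejected fields: {errors}")
```

The filter rejects anything outside the expected shape, and the escape step makes free text that legitimately contains `<` or `"` display as text instead of being parsed as markup.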