Exactly the same way you should already prevent injection with every other value. That it’s specifically a user agent string is irrelevant. When writing it to an HTML page, pass it through htmlspecialchars: echo htmlspecialchars($user_agent);. When using it as part of a database query, use prepared statements, or whatever escaping function the the database API gives you.
3
solved Prevent User Agent malicious code with PHP [closed]