SQL Injection


I have this function to clean data upon writing to the database…

function ValidateInput($value) {
	// strip_tags() removes <...> tags; mysql_real_escape_string() escapes
	// quotes for the legacy mysql_* extension. Neither encodes the value
	// for HTML output, so stored text can still render as markup later.
	$value = mysql_real_escape_string(strip_tags(trim($value)));
	return $value;
}
Someone has managed to insert a piece of JavaScript with the above function wrapped around the variable. Have I missed something?


Don’t see how strip_tags didn’t remove all js, but XSS has hundreds of hacks so I’m not that surprised.

Try http://htmlpurifier.org/ and see if that helps.
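The following is an added example, not code from either poster in this thread. It shows why input cleaning of the ValidateInput() kind does not stop XSS: strip_tags() only removes angle-bracket tags, and mysql_real_escape_string() only protects the SQL statement, so a value with no tags at all can still break out of an HTML attribute when it is echoed later. The fix is the usual split: bind values with prepared statements on the way into the database, and encode for the output context (here htmlspecialchars() with ENT_QUOTES) on the way out. The sample input is constructed for the demonstration; the example assumes PHP 7 or later with the pdo_sqlite extension, and uses an in-memory SQLite database as a stand-in for MySQL.

```php
<?php
// Added example, not code from the original thread. Assumes PHP 7+ with
// pdo_sqlite; an in-memory SQLite database stands in for MySQL.

// Constructed sample input. It contains no HTML tags, so strip_tags() leaves
// it untouched, yet inside a double-quoted attribute it closes the attribute
// and introduces an event handler.
$input = '" onmouseover="alert(1)';

// 1. Input "cleaning" in the style of the thread's ValidateInput().
//    strip_tags() removes <...> sequences only; it does not know anything
//    about the HTML context the value will be printed into later.
$cleaned = strip_tags(trim($input));
// $cleaned is identical to $input here: there was no tag to strip.

// 2. Storage: a prepared statement replaces mysql_real_escape_string().
//    The value is sent as a bound parameter and can never alter the SQL,
//    whatever characters it contains.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $cleaned]);

// 3. Output: encode for the context at render time. For HTML text nodes and
//    attribute values, htmlspecialchars() with ENT_QUOTES is the minimum;
//    without ENT_QUOTES a single quote would pass through unencoded.
function renderAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);

// Unencoded: the stored quote terminates value="" and the rest of the string
// becomes a new attribute on the <input> element.
$unsafe = '<input value="' . $row['body'] . '">';

// Encoded: every quote is rendered as &quot;, so the whole string stays
// inside the attribute as inert text.
$safe = '<input value="' . renderAttribute($row['body']) . '">';

echo "Unsafe: $unsafe\n";
echo "Safe:   $safe\n";
```

Run it with `php example.php` and compare the two lines: the first contains a live `onmouseover` attribute, the second only `&quot;`-encoded text. HTML Purifier, as suggested in the reply, is the tool for the separate case where users are allowed to submit HTML that must be kept as markup; for plain values the output encoding above is sufficient and simpler.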