SQL Injection

Hey,

I have this function to clean data upon writing to the database…

// Trims whitespace, removes HTML tags, then escapes the string for use in a
// MySQL query. Note that strip_tags() only deletes tags; it does not encode
// the characters that remain, and mysql_real_escape_string() protects the SQL
// query only (the mysql extension it belongs to was removed in PHP 7).
function ValidateInput($value) {
    $value = mysql_real_escape_string(strip_tags(trim($value)));
    return $value;
}

Someone has managed to insert a piece of JavaScript with the above function wrapped around the variable. Have I missed something?

Thanks

Don’t see how strip_tags didn’t remove all js, but XSS has hundreds of hacks so I’m not that surprised.

Try http://htmlpurifier.org/ and see if that helps.
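An added example, not code from either post, that separates the two concerns the posted ValidateInput() mixes: the SQL query is protected with a prepared statement (mysqli, with an assumed comments table), and the HTML page is protected by encoding the stored value at output time for the context it lands in. HTMLPurifier, as suggested in the reply, is the tool for the different case where some HTML is meant to be kept rather than displayed as text.

```php
<?php
// Added example (not from the original thread). Table, column and function
// names are assumptions made for the illustration.

// Store the comment exactly as typed. The prepared statement keeps it data,
// so no escaping of the string is needed for the SQL query.
function saveComment(mysqli $db, int $userId, string $comment): bool {
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)');
    $stmt->bind_param('is', $userId, $comment);
    return $stmt->execute();
}

// Encode for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES covers both " and '; ENT_SUBSTITUTE avoids returning an empty
// string on malformed UTF-8 (which would silently drop the comment).
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed inside a <script> block needs a different encoder: JSON with
// the HEX flags so that <, >, & and quotes cannot terminate the script element.
function jsValue($value): string {
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample: a stored comment containing markup and special characters.
$stored = 'Tom & Jerry said: <b>"hi"</b>';

// Same stored value, encoded once per output context.
echo '<p>' . h($stored) . "</p>\n";
echo '<input type="text" value="' . h($stored) . "\">\n";
echo '<script>var comment = ' . jsValue($stored) . ";</script>\n";
```

The value is stored unchanged and encoded differently for the HTML body, the attribute and the script block; a single input-time cleanup cannot be correct for all three at once.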