Make sure to remove tags via:
$var_that_will_be_displayed = strip_tags( $var_from_user_input_via_POST_or_GET_or_COOKIE );
If you are going to display or mail it as part of a link (email or URL), you might do this instead:
$var_that_will_be_part_of_a_link = strip_tags( rawurldecode( $var_from_user_input_via_POST_or_GET_or_COOKIE ) );
See this page:
http://www.cgisecurity.com/articles/xss-faq.shtml
--
PHP General Mailing List (http://www.php.net/)
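Added example, not part of the original post: it runs the two calls from the message over three constructed inputs and prints the results beside output encoding with htmlspecialchars(), since strip_tags() removes tags but leaves quote characters and the text between tags in place. The helper names, the sample strings and the /search.php path are assumptions made for illustration.

```php
<?php
// Added example; the inputs below are constructed, not taken from the post.

// The post's approach: strip tags from request data before display.
function for_display(string $input): string {
    return strip_tags($input);
}

// The post's approach for values that become part of a link.
function for_link(string $input): string {
    return strip_tags(rawurldecode($input));
}

// Assumption (not in the post): encode for the HTML context at output time,
// so quotes and angle brackets become entities instead of markup.
function html_text(string $input): string {
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption (not in the post): percent-encode the value for the query
// string, then HTML-encode the whole attribute value.
function search_link(string $term): string {
    $href = '/search.php?q=' . rawurlencode($term);
    return '<a href="' . html_text($href) . '">' . html_text($term) . '</a>';
}

$samples = [
    'tagged'      => 'Hi <b>there</b><script>alert(1)</script>',
    'url-encoded' => '%3Cscript%3Ealert(1)%3C/script%3E',
    'quote'       => 'x" onmouseover="alert(1)',
];

foreach ($samples as $name => $raw) {
    echo "== $name ==\n";
    echo 'strip_tags only     : ', for_display($raw), "\n";
    echo 'decode + strip_tags : ', for_link($raw), "\n";
    echo 'htmlspecialchars    : ', html_text($raw), "\n";
    echo 'encoded link        : ', search_link($raw), "\n";
}
```

Run it with the PHP command-line interpreter (PHP 7 or later) and compare the four lines printed for each input.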