I am truing to filter html characters out like this
$user = $_POST["user"]; //Get username from <form>
mysql_real_escape_string($user); //Against SQL injection
strip_tags($user); //Filter html characters out
But for some reason this is not filtering html characters out. I don't know why, could it by mysql_real_escape_string
?