I've made a function to deal with CSS and XSS injection, but it's still getting through.
Someone said the following to me, but I'm not sure what it means:
"On your sanitize_input function, do a strip_tags to strip all HTML tags that may have been added through the form. Read php.net on strip_tags."
Here's my code:
    private function sanitizeInput() {
        foreach ($_POST as &$post) {
            $post = $this->db->real_escape_string($post);
        }
    }
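
An added example, not part of the original post: `real_escape_string` only escapes characters that matter inside an SQL string literal (quotes, backslashes, NUL, newlines), so `<` and `>` pass through unchanged. The script below runs `strip_tags` and output-time encoding with `htmlspecialchars` side by side on the same input. The helper name `e()` and the sample strings are assumptions constructed for illustration.

```php
<?php
// Constructed sample values standing in for $_POST fields.
$samples = [
    'plain' => 'Hello world',
    'tags'  => '<b>bold</b> <script>alert(1)</script>',
    // Contains no tag at all, so strip_tags has nothing to remove,
    // yet it would break out of a double-quoted HTML attribute.
    'attr'  => '" onmouseover="alert(1)',
    // Ordinary text that merely contains < and >.
    'text'  => 'a<b and c>d',
];

/**
 * Hypothetical helper: encode a value for an HTML body or quoted
 * attribute context at the moment it is written to the page.
 * ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
 * byte sequences instead of returning an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $name => $raw) {
    // What would reach the page if the value were echoed untouched.
    printf("%-5s raw:        %s\n", $name, $raw);

    // Input-time filtering: removes tag-shaped substrings only.
    printf("%-5s strip_tags: %s\n", $name, strip_tags($raw));

    // Output-time encoding: every HTML metacharacter becomes an entity,
    // so the browser renders the text instead of interpreting it.
    printf("%-5s encoded:    %s\n\n", $name, e($raw));
}
```

Run it with `php` on the command line and compare the three lines printed for each sample, in particular the `attr` and `text` rows.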