过滤

sql注入过滤

$user=mysql_real_escape_string($_POST['user']);

xss过滤

htmlentities($srt);