SQL injection is a malicious code injection technique that exploits SQL vulnerabilities in web applications.
A cross-site scripting attack is one of the top 5 security attacks carried out on a daily basis across the Internet, and your PHP scripts may not be immune.
// This helps prevent SQL injection. For example: a user enters a single quote in an input field;
// when that data is inserted into the database, the INSERT query fails, and the error message can
// reveal database-related information to the attacker.
$comment = strip_tags($_POST["comment"]);
// Combine both functions to filter user data: mysql_real_escape_string() escapes quotes for SQL,
// strip_tags() removes HTML/PHP tags. Note that mysql_real_escape_string() needs an open
// mysql connection and belongs to the mysql extension, which was removed in PHP 7.
$comment = strip_tags(mysql_real_escape_string($_POST['comment']));
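As an added example (not code from the original page), the same comment-handling flow rewritten with a prepared statement for the database side and output encoding for the HTML side. It assumes a PDO connection and a `comments` table; both are created in memory with SQLite here so the script runs stand-alone.

```php
<?php
// Added example, not from the original page. Assumes a PDO connection ($db)
// and a table comments(id, body); both are set up in memory below.

// Vulnerable pattern the page warns about: untrusted input concatenated into SQL.
// A single quote in $comment breaks the statement; the error text can leak schema details.
function insertCommentUnsafe(PDO $db, string $comment): int
{
    return $db->exec("INSERT INTO comments (body) VALUES ('$comment')");
}

// Hardened: a prepared statement keeps the data separate from the SQL text, so quotes
// in the input are never parsed as SQL and no escaping function is required.
function insertCommentSafe(PDO $db, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    return $stmt->execute([':body' => $comment]);
}

// XSS is an output problem: encode for the HTML context when rendering, instead of
// stripping tags on input (strip_tags can also mangle legitimate text containing '<').
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample input carrying both a quote (SQLi probe) and a script tag (XSS probe).
$input = "It's <script>alert(1)</script>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT)');

try {
    insertCommentUnsafe($db, $input);          // the stray quote makes this throw
} catch (PDOException $e) {
    echo "Unsafe insert failed: " . $e->getMessage() . PHP_EOL;
}

insertCommentSafe($db, $input);                // stored verbatim, including the quote
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
echo renderComment($stored) . PHP_EOL;         // tags and quotes arrive as inert entities
```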