It's very possible. mysql_real_escape_string() only escapes special characters such as " and ' that can make your queries vulnerable to a MySQL injection. Inserting script into a query is not MySQL injection as it doesn't affect the database. The danger is when other people view a page that uses this content. The script can get cookies from the user such as password and username and send them to a script on their site that saves them. To protect against this all you have to do is escape < and > with their HTML equivalents ( &lt; and &gt; ):
You probably should use htmlentities as it is a function that is packaged with PHP and therefore does a lot more than replace the < and >. In fact, htmlentities escapes all characters that have HTML "entity equivalents" (&gt; or &lt; for example). Since htmlentities does a lot more than my two str_replaces, I would use htmlentities. Off the top of my head, I can't think of anything else if you've tried something similar to my unique key system (and removed that cookie that stores the user's password!).
Last edited by FlashCreations; Aug 23rd, 2009 at 1:10 pm.
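An added example, not part of the original posts: it stores two constructed comments through a query-safe insert and then prints them with and without output escaping, to show that protecting the query leaves the markup intact and that the escaping has to happen when the value is written into HTML. Assumptions: the pdo_sqlite extension is available, a prepared statement stands in for mysql_real_escape_string() (which was removed in PHP 7), and the table `comments` and the helpers `h()` and `angle_only()` are hypothetical names.

```php
<?php
declare(strict_types=1);
// Added example: constructed data, hypothetical table and helper names.

// HTML-escape a value for element content and for quoted attribute values.
function h(string $value): string
{
    // ENT_QUOTES escapes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape only < and >, as a pair of str_replace calls would.
function angle_only(string $value): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT, body TEXT)');

// Constructed sample input: markup in the body, a quote in the author name.
$samples = [
    ['alice', 'Nice post <script>alert(1)</script>'],
    ['bob" onmouseover="alert(1)', 'plain text'],
];

// The prepared statement keeps the query safe, but stores the text verbatim.
$insert = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
foreach ($samples as $row) {
    $insert->execute($row);
}

foreach ($db->query('SELECT author, body FROM comments') as $row) {
    // The value comes back from the database exactly as it was submitted.
    echo "stored body : {$row['body']}\n";
    // Replacing only < and > leaves the double quote, so the attribute
    // value can still be closed early by the stored text.
    echo 'angle only  : <span title="' . angle_only($row['author']) . "\">\n";
    // Escaping at output time with ENT_QUOTES covers both contexts.
    echo 'escaped     : <span title="' . h($row['author']) . '">'
        . h($row['body']) . "</span>\n\n";
}
```

The second row is the case to look at: its author name contains no < or >, so the two-replacement approach returns it unchanged, while `h()` turns the quote into `&quot;`.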
As long as you don't use the $_GET[] variable without sanitizing or replacing html entities you should be safe. If you don't use it, there's no way for it to be hacked!
As I was still working on the security issue, through a Google search I found one PHP class which filters the input (GET, POST and REQUEST).
Here is the link: www.phpclasses.org/browse/package/2189.html