It's probably safer and better to call htmlentities() on the string instead of counting on strip_tags().
strip_tags() won't remove HTML special characters like ', " and &.
e.g., if your code is:
and
$myVar = '">something goes here<';
then you end up with:
something goes here<">
Which is pretty obviously the root of an XSS hole; an actual exploit is left as an exercise for the reader.
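
A way to check the point above, as an added example that is not part of the original answer: it renders the post's `$myVar` into a double-quoted attribute after each encoder, parses the result, and reports whether the value stayed inside the attribute. The `<input>` template and the helper names `render_attr` and `attr_round_trips` are assumptions made for illustration, and `htmlspecialchars()` is included for comparison. It needs PHP 7.4+ with the DOM extension.

```php
<?php
// Added illustration. The <input> template is hypothetical; $myVar is the value from the post.
function render_attr(string $escaped): string
{
    return '<input type="text" value="' . $escaped . '">';
}

// Parse the rendered markup and report whether the attribute value seen by an
// HTML parser is exactly the original string, i.e. nothing left the attribute.
function attr_round_trips(string $html, string $original): bool
{
    $prev = libxml_use_internal_errors(true); // silence parser warnings on odd markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $input = $doc->getElementsByTagName('input')->item(0);
    return $input !== null && $input->getAttribute('value') === $original;
}

$myVar = '">something goes here<';

$encoders = [
    'strip_tags'       => fn(string $s): string => strip_tags($s),
    'htmlentities'     => fn(string $s): string => htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    'htmlspecialchars' => fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
];

foreach ($encoders as $name => $encode) {
    $html = render_attr($encode($myVar));
    $verdict = attr_round_trips($html, $myVar) ? 'contained' : 'ESCAPED ATTRIBUTE';
    printf("%-17s %-18s %s\n", $name, $verdict, $html);
}
```

`ENT_QUOTES` matters here: without it, single quotes are left unencoded on older PHP versions, which is the same problem in a single-quoted attribute.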