Check whether the text field is allowing script tags. If this is allowed, then the hacker can pass any script in the text field itself. Then use filters when passing the variables through the POST method, because hackers can easily know the logic of the functionality which you are using.
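As an added example that is not part of the original answer, the snippet below shows both halves of the advice in Python: a check that flags script tags in a submitted field (case-insensitive, so the filter logic is not defeated simply by changing letter case) and HTML-escaping of the value before it is rendered, which is the step that actually prevents the script from executing. The form fields and the `process_post` helper are constructed for the demonstration and do not correspond to any real application.

```python
import html
import re

# Constructed sample POST submission (not captured from a real site).
SAMPLE_POST = {
    "comment": "Nice post! <script>alert(1)</script>",
    "name": "Alice <b>admin</b>",
    "website": "https://example.test/?q=<SCRIPT src=x>",
}

# A naive filter that only matches the literal lowercase tag.
NAIVE_SCRIPT_TAG = re.compile(r"<script>")

# A more robust detector: case-insensitive, tolerates whitespace after '<'
# and attributes after the tag name (e.g. "<SCRIPT src=x>").
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_contains_script_tag(value: str) -> bool:
    """Return True only for an exact lowercase '<script>' occurrence."""
    return NAIVE_SCRIPT_TAG.search(value) is not None


def contains_script_tag(value: str) -> bool:
    """Return True if the value contains an opening script tag in any case."""
    return SCRIPT_TAG.search(value) is not None


def escape_for_html(value: str) -> str:
    """Encode the value so the browser renders it as text, never as markup.

    quote=True also encodes single and double quotes, which matters when the
    value is placed inside an HTML attribute.
    """
    return html.escape(value, quote=True)


def process_post(fields: dict) -> dict:
    """Inspect each POST field: flag script tags and produce a safe rendering.

    The 'flagged' bit is useful for logging or rejecting the request; the
    'rendered' value is what should be written into the page regardless of
    whether the field was flagged, because escaping is the control that holds
    even when a filter misses a variant.
    """
    result = {}
    for name, raw in fields.items():
        result[name] = {
            "flagged": contains_script_tag(raw),
            "rendered": escape_for_html(raw),
        }
    return result


if __name__ == "__main__":
    for field, info in process_post(SAMPLE_POST).items():
        status = "FLAGGED" if info["flagged"] else "ok"
        print(f"{field:8s} {status:8s} {info['rendered']}")
```

Note how the naive filter misses the upper-case tag in the `website` field while the case-insensitive detector catches it; even so, the escaped output is what keeps the page safe, so rely on encoding at the point of output and treat the tag check as an extra signal rather than the only defence.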