Hello:

I am really trying to understand XSS attacks and can't seem to wrap my head around it, I would rather seem like a fool than program like one with holes in it. My problem is understanding how an attack occurs. Let's say Mary logs into the system and creates a record in the table via an html form. I have php filters and validation for the data before it actually goes into mysql table. My question is how does John attack my website? Or more important, how does he actually change files? If he were to have a log in and gains access because it doesn't take much to register, how? Is it a matter of the filter being bad and his XSS scipt is in a record and when someone open/views that
record (field) the script is launched? I have read lots on how the javascript, for example, is placed in the url or form fields but nothing explains whether the information is saved and launched via the record stored in the database.