Sunday, September 29, 2013

What data must I check in PHP and how?

I hope you know the golden rule that each and every PHP programmer must know.

The First Rule

Check all data received from user!

All the data that we've got in the global arrays such as $_POST and $_GET must be checked.

Use the filter_input() function to strip characters that are not needed.

There are several filter types for this function. Some useful examples:

// Sanitize the "name" query parameter: strips tags and encodes quotes
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING);
// Keep only the characters allowed in an e-mail address
$email = filter_input(INPUT_GET, 'email', FILTER_SANITIZE_EMAIL);

There is one more rule.

The Second Rule

Check all data before output!

Let's look at an example.

On our site users can write comments, and we don't want them to use HTML tags in those comments.

Note that they can write something like "What is <div> tag, guys?" and unintentionally break our HTML page. If we output this text as it is, the browser will think that <div> is an HTML tag and that the tag is never closed, so our HTML page can be broken. We don't want that.

That's why, before the output, we have to replace all the HTML tags with their "safe" equivalent. We want the browser to treat these HTML tags not as tags but as ordinary characters. We can do that using HTML entities.

The PHP function htmlspecialchars() translates the characters that form an HTML tag into their HTML entities.

$text = "What is <div> tag, guys?";
// "<" and ">" become "&lt;" and "&gt;", so the browser shows them as text
echo htmlspecialchars($text);

The output will be "What is &lt;div&gt; tag, guys?" and will not break anything.

There is another similar function htmlentities().

It's almost the same as htmlspecialchars(). The difference is that htmlentities() translates ALL characters that have an HTML entity equivalent into that entity.

htmlspecialchars() does the minimum amount of encoding needed to ensure that your string is not parsed as HTML. If you use UTF-8 encoding you don't need htmlentities() and should use htmlspecialchars().

The Third Rule

Use prepared SQL statements when working with a database.

Don't give SQL Injection a chance.
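As an added example (not code from the original post), here are all three rules applied to one comment handler. It assumes PDO with the SQLite driver for an in-memory database; the table, the sample request values and the function names are constructed for the demo.

```php
<?php
// Added example (not from the original post). Assumes PDO's SQLite driver for
// an in-memory database; the table and sample request values are constructed.
declare(strict_types=1);

// Rule 1: check input. FILTER_VALIDATE_EMAIL returns false on a bad address,
// so the handler can reject the request instead of silently "cleaning" it.
function readCommentInput(array $get): ?array
{
    $email = filter_var($get['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $text  = trim((string)($get['text'] ?? ''));
    if ($email === false || $text === '' || strlen($text) > 1000) {
        return null;
    }
    return ['email' => $email, 'text' => $text];
}

// Rule 3: prepared statement. The values travel as bound parameters and are
// never spliced into the SQL string, so quotes inside them cannot alter it.
function storeComment(PDO $db, string $email, string $text): void
{
    $stmt = $db->prepare('INSERT INTO comments (email, text) VALUES (:email, :text)');
    $stmt->execute([':email' => $email, ':text' => $text]);
}

// Rule 2: escape on output. ENT_QUOTES also escapes single quotes (before
// PHP 8.1 the default did not), which matters inside single-quoted attributes;
// naming the charset avoids mismatches between stored and rendered encoding.
function renderComment(string $email, string $text): string
{
    $safeEmail = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeText  = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p data-author='{$safeEmail}'>{$safeText}</p>";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, email TEXT, text TEXT)');

// Constructed sample request: a user innocently asks about the <div> tag.
$input = readCommentInput(['email' => 'user@example.com', 'text' => 'What is <div> tag, guys?']);
if ($input === null) {
    http_response_code(400);
    exit('invalid input');
}
storeComment($db, $input['email'], $input['text']);

foreach ($db->query('SELECT email, text FROM comments') as $row) {
    echo renderComment($row['email'], $row['text']), PHP_EOL;
}
```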