Tip: Writing secure code against XSS (cross site scripting) and SQL injection

Started by Webhelpforums, September 06, 2010, 12:01:24 AM

Webhelpforums

Just some quick tips in this thread. Feel free to add more tips and suggestions!


Filter incoming data (e.g. submitted in forms) using tight predefined rules, e.g. with regular expressions.
Filter outgoing data (from whatever source) before your server-side code, PHP or ASP or whatever, outputs it to your visitors' browsers.

These things will help you avoid:
SQL injection (where you take submitted, non-trustworthy data and directly insert it into a dynamically built SQL query)
XSS, cross site scripting (where you output to browsers data submitted by others... without e.g. checking whether it's actually e.g. JavaScript code doing crazy stuff)


TechSEO360 | MicrosysTools.com  | A1 Sitemap Generator, A1 Website Analyzer etc.
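As an added example (not code from the original post), here is what the two tips above look like in PHP: a whitelist regular expression that rejects anything outside a tight rule on the way in, and context-aware escaping on the way out. The function names (validate_username, esc_html, esc_js) and the sample inputs are my own constructions for illustration.

```php
<?php
// Added example, not from the original post: whitelist validation of
// incoming form data and context-aware escaping of outgoing data.
declare(strict_types=1);

// Validate a submitted username against a tight predefined rule.
// Returns the value only if it matches; otherwise null (reject, don't "clean").
function validate_username(string $input): ?string
{
    // Anchored pattern: 3-20 chars, letters/digits/underscore only.
    // \A and \z (rather than ^ and $) so a trailing newline cannot sneak through.
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $input) === 1 ? $input : null;
}

// Escape for an HTML text node or a double-quoted attribute value.
function esc_html(string $s): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string (which would silently drop content).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for embedding inside a <script> block as a JS string literal.
// htmlspecialchars() is the wrong tool here: JS does not decode HTML entities.
function esc_js(string $s): string
{
    // JSON_HEX_* hex-escape < > & ' " so "</script>" cannot terminate the
    // block; without JSON_UNESCAPED_UNICODE, non-ASCII (including the JS line
    // terminators U+2028/U+2029) is emitted as \uXXXX, which is safe in JS.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return json_encode($s, $flags);
}

// Constructed sample inputs (not real form submissions).
$samples = [
    'alice_01',                    // valid
    '<script>alert(1)</script>',   // XSS attempt
    "bob\n",                       // trailing newline, rejected by \z
    "x' OR '1'='1",                // injection-looking
];

foreach ($samples as $in) {
    $valid = validate_username($in);
    printf("input=%s -> %s\n", json_encode($in), $valid === null ? 'REJECTED' : 'ok');
}

// Output side: whatever the source of the data, escape for the context at output time.
$comment = "<script>alert('xss')</script> & \"quotes\"";
echo '<p>' . esc_html($comment) . "</p>\n";
echo '<input value="' . esc_html($comment) . "\">\n";
echo '<script>var c = ' . esc_js($comment) . ";</script>\n";
```

Two points worth noting: validation rejects rather than "repairs" bad input (stripping tags from a username gives an attacker a second chance to construct something that survives the filter), and escaping is chosen per output context, so the same comment needs different treatment in an HTML body, an attribute and a script block.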

BankruptcyRules

Whether you are writing a PHP snippet or an entire module, it is important to keep your code secure.
Use check functions on output to prevent cross site scripting attacks


No piece of user-submitted content should ever be placed as-is into HTML.

    * Use check_plain or theme('placeholder') for plain text.
    * Use check_markup or filter_xss for markup containing text.
    * Use the t() function with @ or % placeholders to construct safe, translatable strings.

See how to handle text in a secure fashion for more details.
Use the database abstraction layer to avoid SQL injection attacks

Use the database layer correctly. For example, never concatenate data directly into SQL queries, like this:

<?php
// Vulnerable: $_GET['user'] is concatenated into the SQL text unquoted and unescaped
db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);
?>
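To make the difference concrete, here is an added example (not from the post above and not Drupal's own database layer) that runs the same lookup two ways against an in-memory SQLite database through PDO: once by concatenating the value into the query text, once with a prepared statement and a bound parameter. The table, rows, function names and the attacker payload are constructed for illustration; the only requirement is PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not from the original post or Drupal's own code: string
// concatenation (injectable) beside a prepared statement with a bound parameter.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data.
$pdo->exec('CREATE TABLE users (name TEXT, foo TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice-secret'), ('bob', 'bob-secret')");

// Vulnerable: the untrusted value becomes part of the SQL text, so it can
// change the structure of the query, not just the value being compared.
function lookup_concat(PDO $pdo, string $user): array
{
    $sql = "SELECT foo FROM users WHERE name = '" . $user . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed at prepare time; the value is sent
// separately as a parameter and can only ever be compared as data.
function lookup_prepared(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare('SELECT foo FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: closes the quoted literal and adds a tautology,
// turning the WHERE clause into  name = 'x' OR '1'='1'.
$payload = "x' OR '1'='1";

echo "concatenated, payload: " . json_encode(lookup_concat($pdo, $payload)) . "\n";
echo "prepared, payload:     " . json_encode(lookup_prepared($pdo, $payload)) . "\n";
echo "prepared, legitimate:  " . json_encode(lookup_prepared($pdo, 'alice')) . "\n";
```

With the payload, the concatenated version matches every row because the tautology makes the WHERE clause always true, while the prepared version returns nothing because no user is literally named `x' OR '1'='1`. Note that the vulnerable query in the post above is worse still: the value is not even quoted, so no quote character is needed to break out of it.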

Webhelpforums

Great post!

I fixed your signature, so it would become a real URL (bbcode instead of HTML)