- Filter ALL foreign data
- Let PHP help - htmlentities(), strip_tags(), utf8_decode(), etc.
- Only allow known-safe content - don't try to guess what is bad
- Use a strict naming convention - it helps identify which data has been filtered
- The bad guys are very creative - you must be, too!
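The following is an added example, not code from the original slides, showing how these points fit together in PHP: every value from a constructed request array (standing in for `$_POST`) is copied into a `$clean` array only after passing an allowlist check (the naming convention), and `$clean` values are escaped with `htmlentities()` when they reach the HTML. The field names, patterns and the `filterInput()` / `escapeHtml()` helpers are assumptions for the illustration. Note that `utf8_decode()` is deprecated as of PHP 8.2, so the example passes an explicit UTF-8 charset to `htmlentities()` instead of converting encodings.

```php
<?php
// Added example (not from the original slides): filter foreign data into a
// $clean array via allowlists, then escape on output with htmlentities().

declare(strict_types=1);

/**
 * Return an allowlisted copy of $input in a new $clean array.
 * Only values that pass a strict check are copied; the rest is treated
 * as foreign data and either rejected or replaced with a safe default.
 */
function filterInput(array $input): array
{
    $clean = [];

    // Username: allowlist of characters and length; nothing else is accepted.
    if (isset($input['username'])
        && is_string($input['username'])
        && preg_match('/\A[a-z0-9_]{3,32}\z/', $input['username']) === 1) {
        $clean['username'] = $input['username'];
    } else {
        throw new InvalidArgumentException('username failed the allowlist check');
    }

    // Colour: must be one of a fixed set of known values (strict comparison).
    $allowedColours = ['red', 'green', 'blue'];
    if (isset($input['colour']) && in_array($input['colour'], $allowedColours, true)) {
        $clean['colour'] = $input['colour'];
    } else {
        $clean['colour'] = 'blue';  // safe default instead of guessing what was meant
    }

    // Comment: free text, so tags are stripped on input as defence in depth;
    // it is still HTML-escaped on output, since strip_tags() alone is not enough.
    if (isset($input['comment']) && is_string($input['comment'])) {
        $clean['comment'] = strip_tags($input['comment']);
    } else {
        $clean['comment'] = '';
    }

    return $clean;
}

/**
 * Escape a value for an HTML text node or a quoted attribute value.
 * ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid
 * byte sequences instead of returning an empty string, and the explicit
 * UTF-8 charset avoids encoding-based bypasses.
 */
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request, standing in for $_POST.
$request = [
    'username' => 'alice_01',
    'colour'   => 'purple',  // not in the allowlist -> falls back to the default
    'comment'  => "Nice <b>post</b> <script>alert(1)</script> & \"thanks\"",
];

$clean = filterInput($request);

// Only $clean values ever reach the template, and they are escaped there.
printf("<p>Hello, %s!</p>\n", escapeHtml($clean['username']));
printf("<div class=\"%s\">%s</div>\n",
    escapeHtml($clean['colour']),
    escapeHtml($clean['comment']));
// Output:
// <p>Hello, alice_01!</p>
// <div class="blue">Nice post alert(1) &amp; &quot;thanks&quot;</div>
```

The point of keeping `$clean` separate from `$request` is that anywhere in the code base a variable named `$clean['...']` is, by convention, known to have passed a filter; a raw `$_POST['...']` appearing in a template is then an obvious review finding. Escaping is still applied at output regardless, because `strip_tags()` is a belt-and-braces measure, not a substitute for context-appropriate encoding.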