*Never* rely on the value of %magic_quotes_gpc% Escape SQL query variables with the native database functions when available Use %AddSlashes()% when no better alternative exists Escape shell commands with %EscapeShellArg()% and %EscapeShellCmd()%