Use POST rather than GET in forms Turn off register_globals and use $_POST instead Don't make important actions too easy Try to force the use of your own forms Learn from your peers!