Last update:   29-10-2021

Superglobals arrays

All of PHP's superglobals arrays should be considered tainted. Even $_SERVER array is not fully safe, it contains some data provided by the client. Only $_SESSION is safe.

Filter Input

Server-side filtering is important for security. Client-side validation is important for usability. Ctype functions are always preferred over regular expressions. This is because of the fact that ctype uses a native C library, processes faster.
<form method="POST">
    Username: <input type="text" name="username">
         <select name="color">
    <input type="submit" name="btn_submit">
... 5 lines
You should force the user to provide correct information (ctype_*)
if (isset($_POST['btn_submit'])) {

    $clean = array();

    if (ctype_alpha($_POST['username'])) { // Look Here
        $clean['username'] = $_POST['username'];
    if (in_array($_POST['color'], array("Red", "Blue"))) {
        $clean['color'] = $_POST['color'];
... 5 lines

Escape Output

Escaping output protects the client and user from potentially damaging commands. For html escape use htmlentities(). For sql escape use mysql_escape_string($sql).
<form method="POST">
    Message: <input type="text" name="message"> 
                <input type="submit" name="btn_submit">
    Example: <br>
    John's message is "Hellow World!"
... 2 lines
if (isset($_POST['btn_submit'])) {

    echo "nr" . htmlentities($_POST['message']); 
        // John's message is &quot;Hellow World!
        // Will convert double-quotes

    echo "nr" . htmlentities($_POST['message'], ENT_QUOTES); 
        // John&#039;s message is &quot;Hellow World!
        // Will convert both double and single quotes
... 3 lines

Remote code injection

        A B C D E F