The problem with trying to program securely is that there are many possible attacks, and clever minds keep discovering new ways to exploit weaknesses in source code. For this reason, such attacks can only be countered proactively.
The US security expert Chris Shiflett (http://shiflett.org/) once summarized his best practices as "Filter input, escape output." We recommend a slightly modified version: "Validate inputs, escape outputs." Whenever you receive input from the outside, examine it before you continue to use it. Whenever you program, assume that such input could contain any kind of garbage, and consider how your system would react to it.
Only one question remains: what actually counts as 'input from the outside'? In PHP, it includes the following superglobal arrays:
$_GET for GET data (values in the query string of the URL)
$_POST for POST data (values sent in the body of the HTTP request)
$_COOKIE for cookies...
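The following script, added here as an example and not code from the original text or from Chris Shiflett, applies "validate inputs, escape outputs" to the three superglobals listed above. The request data is constructed inline in place of the real $_GET, $_POST and $_COOKIE arrays so that the script runs from the command line without a web server; the function names and the allow-lists are assumptions chosen for the example.

```php
<?php
// Added example: "validate inputs, escape outputs" applied to request data.
// The request arrays below are constructed stand-ins for $_GET, $_POST and
// $_COOKIE so the script can run from the CLI.
declare(strict_types=1);

/**
 * Validate an integer id taken from query-string data.
 * Returns null when the value is missing, not a string, or not a plain
 * integer within the allowed range, instead of trusting it.
 */
function validate_id(array $get, string $key): ?int
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;
    }
    $id = filter_var($get[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    return $id === false ? null : $id;
}

/**
 * Validate a username taken from POST data against an allow-list pattern:
 * letters, digits and underscore, 3 to 32 characters.
 */
function validate_username(array $post, string $key): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $name = $post[$key];
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $name) === 1 ? $name : null;
}

/**
 * Validate a language preference taken from a cookie against a fixed
 * allow-list (assumed for the example); unknown values fall back to 'en'.
 */
function validate_lang(array $cookie, string $key): string
{
    $allowed = ['en', 'de', 'fr'];
    $lang = $cookie[$key] ?? 'en';
    return in_array($lang, $allowed, true) ? $lang : 'en';
}

/**
 * Escape a value for output in an HTML text or attribute context.
 */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample request, including values that should fail validation.
$get    = ['id' => '42', 'page' => '12abc'];
$post   = ['user' => 'alice_01', 'comment' => '<b>hello</b> & "quotes"'];
$cookie = ['lang' => 'xx'];

$id   = validate_id($get, 'id');          // accepted: a plain integer in range
$page = validate_id($get, 'page');        // rejected: '12abc' is not an integer
$user = validate_username($post, 'user'); // accepted: matches the allow-list
$lang = validate_lang($cookie, 'lang');   // 'xx' is unknown, falls back to 'en'

var_dump($id, $page, $user, $lang);

// Free text such as a comment cannot be validated against a narrow pattern.
// It is kept as received and escaped at the point of output instead, so that
// markup and quotes in it are rendered as text rather than interpreted.
echo '<p>' . esc_html($post['comment']) . "</p>\n";
```

The two halves of the rule are deliberately kept apart: validation happens once, where the input enters, and produces a typed value (an int, a string from an allow-list) that the rest of the program can rely on; escaping happens at each output, because the correct escaping depends on the context the value is written into (HTML here, but a database query or a shell command would each need their own). Validating a value does not remove the need to escape it when it is output later.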