Following are the points to be considered for making safe php application.

  1. USE PDO or mysqli
  2. Never trust user inputs. Consider every variable viz $_POST, $_GET, $_COOKIE, $_SESSION, $_SERVER as if they were tainted. Use appropriate filtering measure for these variables.
  3. To avoid XSS attack use php’s builtin functions htmlentities, strip_tags, etc while inserting the user input data into the database.
  4. Disable Register Globals in PHP.INI
  5. Disable “allow_url_fopen” in PHP.INI
  6. Don’t allow user to input more data than required. Validate input to allow max number of characters. Also validate each field for relevant datatypes.
  7. Disable error reporting after Development period. It might give information about database that’ll be useful to hackers.
  8. Use one time token while posting a form. If token exist and matches the form post is valid otherwise invalid.
  9. Use parametrized database queries
  10. Use stored procedures

You can google for each point for more details. HOpe this helps

Resource: http://stackoverflow.com/questions/11839523/secure-against-sql-injection-pdo-mysqli