Because security is such an important issue, we want to reiterate the main points of this chapter:
Check every value supplied to your program to ensure that the data you're getting is the data you expected to get.
Always initialize your variables.
Set variables_order. Use $_REQUEST and friends.
Whenever you construct a filename from a user-supplied component, check the components with basename( ) and realpath( ).
Don't create a file and then change its permissions. Instead, set umask( ) so that the file is created with the correct permissions.
Don't use user-supplied data with eval( ), preg_replace( ) with the /e option, or any of the system commands (exec( ), system( ), popen( ), passthru( ), and the backtick (``) operator).
Store code libraries and data outside the document root.