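<?php

declare(strict_types=1);

// $_POST security: read request parameters safely, then hand them only to APIs
// that keep data separate from code (prepared statements, output escaping,
// an allowlist for include paths). The original snippet had a parse error
// (`str replace`), called mysql_real_escape_string() which was removed in
// PHP 7.0, and used stripslashes(), which only made sense under magic_quotes_gpc
// (removed in PHP 5.4).

/**
 * Case 1: the parameter must be an integer.
 *
 * A bare (int) cast silently turns "abc" into 0 and "12abc" into 12, so a
 * malformed value would be accepted; FILTER_VALIDATE_INT rejects it instead.
 *
 * @param array<string, mixed> $post the request parameters (normally $_POST)
 * @return int|null the validated integer, or null when the key is missing or malformed
 */
function postInt(array $post, string $key): ?int
{
    $raw = $post[$key] ?? null;
    if (!is_string($raw) && !is_int($raw)) {
        return null; // missing, or an array such as param1[]=x
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT);

    return $value === false ? null : $value;
}

/**
 * Case 2: the parameter is a free-form string.
 *
 * @param array<string, mixed> $post the request parameters (normally $_POST)
 * @return string|null the string, or null when the key is missing or not a string
 */
function postString(array $post, string $key): ?string
{
    $raw = $post[$key] ?? null;

    return is_string($raw) ? $raw : null;
}

/**
 * LFI/RFI: resolve a user-supplied page name to a file path via an allowlist.
 *
 * Stripping "." and "/" is a denylist and misses backslashes, percent-encoded
 * separators, absolute paths and stream wrappers; an exact-match allowlist
 * never builds a path from user input at all.
 *
 * @param array<string, string> $allowed map of page name => file path
 * @return string|null the allowed path, or null when the name is unknown
 */
function resolvePage(string $name, array $allowed): ?string
{
    return array_key_exists($name, $allowed) ? $allowed[$name] : null;
}

// Case 1: integer parameter; null means "reject the request" (e.g. HTTP 400)
// rather than carrying on with 0.
$var = postInt($_POST, 'param1');

// Case 2: string parameter.
$var = postString($_POST, 'param1') ?? '';

// Local/remote file inclusion: only an allowlisted name reaches require().
// (The two entries below are constructed examples.)
$page = resolvePage($var, [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
]);
// if ($page === null) { reject the request } else { require $page; }

// SQL injection: bind the value with a prepared statement instead of escaping
// it into the query text, e.g.
//   $stmt = $pdo->prepare('SELECT ... WHERE col = :v');
//   $stmt->execute(['v' => $var]);

// XSS: escape at output time for the HTML context. ENT_QUOTES also covers
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from collapsing the
// whole output to an empty string.
print htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');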