Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at Wordcamp Phoenix 2011. The notes are also available. The main points are: Protect against SQL Injection by using the API whenever possible (because it automatically handles data sanitization). If the API can’t do what you need, use $wpdb->prepare(). Protect against Cross-site Scripting by sanitizing any output with esc_html(), esc_url(),… [more]
All posts tagged Data Sanitization
Joel Spolsky wrote an interesting article on ways to make coding mistakes obvious , like using semantic prefixes on variable names. If you have unfiltered data from the user, you can make the variable something like $usFoo so that you always remember that the data is unsafe, and won’t output it unfiltered (therefore preventing malicious code injection).