Joel Spolsky wrote an interesting article on ways to make coding mistakes obvious, like using semantic prefixes on variable names. If you have unfiltered data from the user, you can name the variable something like $usFoo ("us" for unsafe string) so that you always remember that the data is unsafe and never output it unfiltered; only a copy that has been run through an escaping function earns the safe prefix, and a line that echoes a $us variable then looks wrong at a glance (which is what prevents script injection into the page).
Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at Wordcamp Phoenix 2011. The notes are also available. The main points are: Protect against SQL Injection by using the API whenever possible (because the API functions escape the values for you). If the API can’t do what you need, use $wpdb->prepare() instead of building the query string by hand. Protect against […]
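The following is an added example, not code from either post, from Spolsky's article, or from Jaquith's slides. It puts the two ideas above together in a hypothetical WordPress plugin search handler: the first version interpolates user input into SQL and echoes it raw, the second uses Spolsky's us/s prefix discipline together with $wpdb->prepare() and esc_html(). The function names and the query parameters (q, limit) are assumptions; $wpdb->prepare(), $wpdb->esc_like(), $wpdb->get_results(), $wpdb->posts, wp_unslash(), absint() and esc_html() are real WordPress APIs and the example assumes it runs inside a loaded WordPress plugin.

```php
<?php
// Added example (not from the post or the slides): a hypothetical plugin
// search handler. Function and variable names are assumptions; the
// $wpdb and esc_* calls are real WordPress APIs.

// BEFORE: user input interpolated straight into SQL, and echoed raw.
// A term such as  x' OR '1'='1  changes the query; a term containing
// <script> is reflected into the page.
function myplugin_search_vulnerable() {
    global $wpdb;
    $term  = $_GET['q'];
    $limit = $_GET['limit'];
    $rows  = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE '%{$term}%'
         LIMIT {$limit}"
    );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->post_title . '</li>';
    }
}

// AFTER: the "us" prefix marks data that is still unsafe; an "s" prefix is
// earned only by passing through an escaping or validation function, so a
// line like  echo $usTitle  stands out as wrong.
function myplugin_search_safe() {
    global $wpdb;

    // Unsafe until proven otherwise (WordPress adds slashes to $_GET,
    // so wp_unslash() restores the raw value before escaping).
    $usTerm  = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    $usLimit = isset( $_GET['limit'] ) ? $_GET['limit'] : 10;

    // Validation converts the prefix: absint() yields a non-negative
    // integer, and the cap keeps a huge LIMIT from hammering the database.
    $sLimit = min( absint( $usLimit ), 100 );

    // $wpdb->prepare() quotes and escapes %s and casts %d to an integer,
    // so the term never becomes SQL. esc_like() keeps a % or _ typed by
    // the user literal instead of turning it into a wildcard.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d",
        '%' . $wpdb->esc_like( $usTerm ) . '%',
        $sLimit
    );
    $rows = $wpdb->get_results( $sql );

    // Database contents are unsafe for HTML too (a title can contain
    // markup), so every row is escaped at output time and only the
    // escaped copy is echoed.
    foreach ( $rows as $row ) {
        $usTitle = $row->post_title;
        $sTitle  = esc_html( $usTitle );
        echo '<li>' . $sTitle . '</li>';
    }
}
```

The prefix convention does not enforce anything by itself; its value is that a code review (or a grep for `echo $us`) catches the mistake without having to trace where each value came from. The escaping is done where the data is used (prepare() for SQL, esc_html() for HTML), because a string that is safe for one context is not automatically safe for another.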