posted 19 years ago
If you don't know where to start, I would summarize it in one point:
VALIDATE ALL YOUR INPUTS: check every parameter from GET/POST HTML forms, from URLs, and check that everything you send to the database does not contain malicious characters.
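As an added illustration (not code from the post's author), the following Python sketch shows the two layers a defender would combine for the advice above: an allow-list validator for every request parameter, and a parameterized query so that whatever reaches the database is passed as data rather than spliced into SQL text. The field names, rules, and the in-memory SQLite table are constructed for the example.

```python
import re
import sqlite3

# Allow-list rules for each accepted request parameter (hypothetical fields).
# Anything not matching is rejected outright instead of being "cleaned up".
RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "age": re.compile(r"[0-9]{1,3}"),
}
REQUIRED = ("username",)


class ValidationError(ValueError):
    """Raised when a request parameter fails the allow-list check."""


def validate(params):
    """Return a cleaned copy of params, rejecting unknown keys and bad values."""
    cleaned = {}
    for key, value in params.items():
        rule = RULES.get(key)
        if rule is None:
            raise ValidationError(f"unexpected parameter: {key!r}")
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValidationError(f"invalid value for parameter {key!r}")
        cleaned[key] = value
    for key in REQUIRED:
        if key not in cleaned:
            raise ValidationError(f"missing required parameter: {key!r}")
    return cleaned


def is_valid(params):
    """Boolean wrapper around validate() for callers that only need a yes/no."""
    try:
        validate(params)
        return True
    except ValidationError:
        return False


def setup_db():
    """Constructed sample database with two users (illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, age INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", 30), ("bob", 25)]
    )
    return conn


def find_user(conn, params):
    """Look up a user by the validated 'username' parameter.

    The query uses a bound parameter (?) so the value is never interpolated
    into the SQL string; validation and parameterization are both applied.
    """
    cleaned = validate(params)
    return conn.execute(
        "SELECT username, age FROM users WHERE username = ?",
        (cleaned["username"],),
    ).fetchone()


if __name__ == "__main__":
    db = setup_db()
    print(find_user(db, {"username": "alice"}))
    print(is_valid({"username": "alice' OR '1'='1"}))
```

The validator rejects the value before it is ever used, and even a value that slipped through a looser rule would still be bound as a plain string by the `?` placeholder, which is why the two layers are used together rather than relying on character filtering alone.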