What are the best practices for avoiding XSS attacks in a PHP site?

佛祖请我去吃肉 2020-11-22 02:34

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputting that is derive

20 answers
  •  青春惊慌失措
    2020-11-22 03:18

    If you are concerned about XSS attacks, encoding your output strings to HTML is the solution. If you remember to encode every single output character to HTML format, there is no way to execute a successful XSS attack.

    Read more: Sanitizing user data: How and where to do it
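
The output encoding described in the answer above, as an added example that is not part of the original post. The helper names `e()` and `js()` are hypothetical, PHP 8.0 or later is assumed, and the sample values are constructed; the inline-script case goes one step beyond the answer, because HTML entities are not decoded inside `<script>`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode for HTML element content and quoted
// attribute values. ENT_QUOTES also encodes ' (the default flags before
// PHP 8.1 left single quotes untouched); ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: encode a value placed inside an inline <script>
// block. The browser does not decode HTML entities there, so the value is
// emitted as JSON with <, >, &, ' and " written as \uXXXX escapes.
function js(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample values standing in for request data.
$name  = '<script>alert(1)</script>';
$title = "x' onmouseover='alert(1)";
?>
<!-- Element content: markup characters become entities. -->
<p>Hello, <?= e($name) ?></p>

<!-- Single-quoted attribute: safe only because ENT_QUOTES encodes '. -->
<input type='text' value='<?= e($title) ?>'>

<!-- Script context: JSON encoding, not HTML entity encoding. -->
<script>var userName = <?= js($name) ?>;</script>
```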
