We should escape input before querying and also before bringing it to the frontend. Maybe use Smarty as a template engine to get rid of the frontend problem, and mysqli prepared statements for database querying.
Probably overkill, but a good idea. I'm assigning this to you. It might be a good idea to wait until after this year so that we don't introduce more bugs right before the big month.
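The two boundaries the thread talks about (input going into SQL, and data going out into HTML) are handled separately, and each needs its own mechanism. The following is an added example, not code from this project or its authors, that puts a string-concatenated query next to its mysqli prepared-statement replacement and escapes the result for HTML at render time. The connection details and the `users` table with `id`, `name` and `email` columns are assumptions made for illustration.

```php
<?php
// Added example, not part of the original thread.
// Assumes a MySQL database reachable with the credentials below and a table
// `users` (id, name, email); all of these are assumptions for illustration.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// BEFORE: user input is pasted into the SQL text. A $name such as
// "x' OR '1'='1" changes the meaning of the query and matches every row.
function findUserUnsafe(mysqli $db, string $name): ?array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// AFTER: prepared statement. The SQL text is fixed at prepare() time and the
// input travels as a bound parameter, so it can never be parsed as SQL.
function findUserSafe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);        // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Output boundary: escape for the HTML context when rendering, not when storing,
// so the database keeps the original value and other output contexts stay usable.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUserRow(array $user): string
{
    return '<tr><td>' . escapeHtml($user['name']) . '</td>'
         . '<td>' . escapeHtml($user['email']) . '</td></tr>';
}

// Usage (assumed connection details).
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
$db->set_charset('utf8mb4'); // keep client and server charset in agreement

$name = $_GET['name'] ?? '';
$user = findUserSafe($db, $name);
echo $user ? renderUserRow($user) : '<tr><td colspan="2">not found</td></tr>';
```

If the frontend moves to Smarty as suggested, the `escapeHtml` step above is what the template layer takes over: the `escape` modifier (`{$user.name|escape}`) does the same `htmlspecialchars` call per variable, and enabling Smarty's `escape_html` option applies it to every variable by default so a forgotten modifier fails safe. Note that the escaping applies only to the HTML text context; values placed into JavaScript, URLs or attributes need the escaping rules for that context.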