Basically you need to get every input from the user checked
PHP Secure Class to prevent XSS Attacks
http://www.webkami.com/programming/php/php-secure-class-to-avoid-xss/php-secure-class-to-avoid-xss-1-0-1.php
Validating User Input
http://www.phpro.org/tutorials/Validating-User-Input.html
Both links have classes and functions that are enough to validate users' input.
Also install ModSecurity.
Simply copy those classes and functions and use them on every variable on your site.
Regards.
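As an added illustration of the point made above (not code from the linked classes or from this answer), the PHP below pairs allow-list validation of input with output escaping chosen per context; the helper names and the sample input are assumptions constructed for the example.

```php
<?php
// Added example: validate input on the way in, and escape every value
// for the exact context it is written into on the way out. Validation
// alone does not prevent XSS; output escaping is what neutralises it.

declare(strict_types=1);

// HTML body text and quoted attribute values. ENT_QUOTES encodes both
// " and ' so the value cannot close an attribute; charset is explicit.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A string literal inside a <script> block. The JSON_HEX_* flags encode
// <, >, &, ' and " so the literal cannot terminate the script element.
function esc_js(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// A value placed in a URL query string.
function esc_url_param(string $s): string {
    return rawurlencode($s);
}

// Allow-list validation (hypothetical rule): reject input that does not
// match instead of trying to "clean" it.
function validate_username(string $s): ?string {
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $s) === 1 ? $s : null;
}

// Constructed sample input that tries to break out of an attribute.
$name = '"><script>alert(1)</script>';

// Vulnerable pattern: raw interpolation of user input into markup.
// echo "<input value=\"$name\">";

// Hardened pattern: one escaping function per output context.
echo '<p>Hello ' . esc_html($name) . "</p>\n";
echo '<input value="' . esc_html($name) . "\">\n";
echo '<script>var user = ' . esc_js($name) . ";</script>\n";
echo '<a href="/profile?u=' . esc_url_param($name) . "\">profile</a>\n";

// The allow-list rejects the sample input and accepts a plain username.
var_dump(validate_username($name));
var_dump(validate_username('alice_01'));
```

Run with `php example.php` and inspect the emitted markup to see that the sample input is rendered as inert text in each context.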