Remember that PHP security is a LAYERED thing. There is no one single fix that turns security on and locks it down tight.
In general, sessions are secure unless you leave a hole elsewhere. XSS attacks work in PHP when you let javascript get posted into an HTML input field so this
<input name='whoops' type='text' />
...
echo $_POST['whoops'];
is insecure because I could enter <script>....malicious code ...</script> whereas this
<input name='whoops' type='text' />
...
echo strip_tags($_POST['whoops']);
is more secure because it eliminates javascript from the input stream. PHP can bite you on the bum in surprising ways, for instance the whole $_SERVER array is injectable by javascript and $_REQUEST is easily manipulated as well. So never, ever do
$aaa = $_SERVER['PHP_SELF'];
always
$aaa = strip_tags($_SERVER['PHP_SELF']);
Also, read up on the FILTER mechanisms in PHP 5.2+
http://www.php.net/filter_var
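The following is an added example and not code from the post. It runs the raw echo the post warns against, the post's strip_tags() fix, and the PHP_SELF handling with filter_var() side by side against constructed sample values, so it can be run from the command line with no web server. It also shows output encoding with htmlspecialchars(), which is my addition rather than something the post suggests; the sample inputs, the simulated $_POST/$_SERVER arrays and the function names are all assumptions made for the example.

```php
<?php
// Added example, not from the forum post. $_POST and $_SERVER are simulated
// with constructed arrays so the script runs stand-alone: php example.php

declare(strict_types=1);

// Constructed sample of what a user might submit in the 'whoops' field.
$samplePost = ['whoops' => "<script>alert('xss')</script>hello <b>world</b>"];

// Constructed sample of PHP_SELF carrying markup. PHP_SELF reflects the
// request path, which the client controls, so it is untrusted input.
$sampleServer = ['PHP_SELF' => "/index.php/<script>alert(1)</script>"];

// 1. The insecure pattern from the post: raw reflection of user input.
function reflectRaw(array $post): string
{
    return $post['whoops'] ?? '';
}

// 2. The post's fix: strip_tags() removes tag markup from the string
//    (the text between the tags is kept, only the tags go).
function reflectStripped(array $post): string
{
    return strip_tags($post['whoops'] ?? '');
}

// 3. Output encoding: htmlspecialchars() keeps the text intact but makes
//    <, >, & and quotes inert in an HTML context. This is an addition here,
//    not something the post itself suggests.
function reflectEncoded(array $post): string
{
    return htmlspecialchars($post['whoops'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The post's PHP_SELF advice, plus the filter extension it points to.
function safeSelf(array $server): string
{
    $self = strip_tags($server['PHP_SELF'] ?? '');
    // FILTER_SANITIZE_URL drops characters that cannot appear in a URL.
    $self = filter_var($self, FILTER_SANITIZE_URL);
    // Encode again at output time: the value is about to land in HTML.
    return htmlspecialchars($self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Caveat the comparison makes visible: strip_tags() only removes tags. A
// value echoed inside an attribute such as value="..." contains no tag, so
// strip_tags() passes it through unchanged, while htmlspecialchars() encodes
// the quote that would otherwise close the attribute. Constructed sample:
$attrSample = ['whoops' => "\" onmouseover=\"alert(1)"];

foreach ([$samplePost, $attrSample] as $input) {
    echo "raw:      ", reflectRaw($input), PHP_EOL;
    echo "stripped: ", reflectStripped($input), PHP_EOL;
    echo "encoded:  ", reflectEncoded($input), PHP_EOL;
    echo PHP_EOL;
}
echo "PHP_SELF: ", safeSelf($sampleServer), PHP_EOL;
```

Running it prints the first sample three ways: the raw line still contains the script tag, the stripped line reads `alert('xss')hello world`, and the encoded line shows `&lt;script&gt;...` which a browser displays as literal text. The second sample is where the layered point in the post matters: strip_tags() leaves the quote-and-attribute string untouched, so the safe choice depends on where the value ends up, and encoding for the output context is what closes that gap.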