'
// in a URL parameter. Assuming you echo it, this
// would inject scripts in an XSS attack.
//
// The solution:
$NAME = $_GET['NAME'];
// Bad:
echo $NAME;
// that one is vulnerable to XSS
// Good:
echo htmlspecialchars($NAME);
// Sanitizes input thoroughly.
?>