OWASP (the Open Web Application Security Project) is an open group of hundreds of volunteer experts from around the world focused on understanding and improving the security of web applications and web services.
The OWASP Top 10 Most Critical Web Application Security Risks is a powerful awareness document for web application security that represents a broad consensus about the most critical security risks to web applications.
As a general rule, never assume that input you get from users is safe. It is easy for malicious users to send potentially dangerous information from the client to your application. To guard against malicious input:
o Filter user input for HTML tags that might contain script, and apply HTML encoding to strings.
o Never echo (display) unfiltered user input. Before displaying untrusted information, HTML-encode it so that potentially harmful script is rendered as plain display text rather than executed.
o Never store unfiltered user input in a database.
o If you want to accept some HTML from a user, filter it manually. In your filter, explicitly define what you will accept (an allowlist). Do not create a filter that tries to strip out malicious input (a denylist); it is very difficult to anticipate all possible malicious input.
o Do not assume that information you get from the HTTP request headers through the HttpRequest object is safe. Apply the same safeguards to query strings, cookies, and so on. Be aware that information the browser reports to the server (for example, the user agent string) can be spoofed.
o If possible, do not store sensitive information in a place accessible from the browser. For example, do not store a password in a cookie.
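The encode-before-display rule and the explicit allowlist filter described above, as an added example that is not part of the OWASP text, written in Python with only the standard library; the set of accepted tags is an assumption chosen for illustration, and any attribute on an accepted tag is discarded:

```python
import html
from html.parser import HTMLParser

# Assumed allowlist: the only tags we explicitly accept, always without attributes.
ALLOWED_TAGS = frozenset({"b", "i", "em", "strong", "p", "br"})
VOID_TAGS = frozenset({"br"})  # no closing tag is ever emitted for these


def encode_for_html(untrusted: str) -> str:
    """Turn untrusted text into a display string: < > & " ' become entities."""
    return html.escape(untrusted, quote=True)


class _AllowlistFilter(HTMLParser):
    """Re-emit only allowlisted tags; everything else becomes encoded text or is dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities arrive decoded, we re-encode them
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:           # attributes (onclick=, href=, ...) are never copied
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):  # e.g. <br/>
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>" if tag in VOID_TAGS else f"<{tag}></{tag}>")

    def handle_endtag(self, tag):
        if tag in self.open_tags:         # close anything opened since, so output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):          # text (including the body of a dropped <script>) is encoded
        self.out.append(encode_for_html(data))

    def handle_comment(self, data):       # comments are dropped entirely
        pass

    def result(self) -> str:
        self.close()
        while self.open_tags:             # close tags the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def allowlist_html(untrusted: str) -> str:
    """Accept a small explicit subset of HTML from user input; reject everything else."""
    f = _AllowlistFilter()
    f.feed(untrusted)
    return f.result()
```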
See http://www.owasp.org.