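<?php

declare(strict_types=1);

/*
 * $_POST handling: validate on the way in, parameterise on the way to SQL,
 * escape on the way out.  Requires PHP 7.1+ (PDO, nullable return types).
 *
 * Why the previous version of this snippet was replaced rather than patched:
 *  - `str replace(...)` (with a space) is a parse error, so the "LFI fix"
 *    never ran; and stripping "." and "/" is not a fix anyway: it mangles
 *    legitimate names ("report.txt" -> "reporttxt"), ignores "\" on Windows,
 *    and does nothing about stream wrappers such as "php://filter".
 *  - `mysql_real_escape_string()` was removed in PHP 7 and `stripslashes()`
 *    only ever made sense under magic_quotes (gone since PHP 5.4).  Escaping
 *    is the wrong tool: bind values with prepared statements instead.
 *  - `htmlspecialchars($s)` without ENT_QUOTES leaves single quotes alone,
 *    which is unsafe inside single-quoted HTML attributes.
 *  - Case 1 and case 2 assigned the same $var back to back, so the (int)
 *    cast was silently discarded.
 */

/**
 * Case 1: an integer parameter.
 *
 * Stricter than a bare (int) cast: "42abc" is rejected (the cast would
 * yield 42), as is an array value (param1[]=x), which a cast would turn
 * into 1 with a warning.
 *
 * @param array  $input   the request array, e.g. $_POST
 * @param string $key     parameter name
 * @param int    $default returned when the parameter is absent or not an integer
 */
function read_int_param(array $input, string $key, int $default = 0): int
{
    $raw = $input[$key] ?? null;
    if (!is_scalar($raw)) {
        // null, array (param1[]=...) or object: never an integer
        return $default;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

/**
 * Case 2: a string parameter that will become part of a file name.
 *
 * Allow-list validation instead of stripping characters: the value must be a
 * single path component (no "/", "\", NUL), must not start with "." or "-"
 * (rejects ".", "..", dotfiles and option-like names) and is length-capped.
 * Stream wrappers ("php://", "data:") are rejected because ":" and "/" are
 * not in the allow-list.  Prefer mapping user input onto a fixed list of
 * known files when the set of files is known in advance.
 *
 * @param mixed $raw the request value, e.g. $_POST['param1']
 * @return string|null the unchanged value when it is acceptable, null otherwise
 */
function safe_filename_component($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 255) {
        return null;
    }
    // First char: alnum or "_"; rest: alnum, ".", "_", "-".  No separators.
    if (preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Defence in depth for include/read: resolve $name under $baseDir and refuse
 * anything that escapes it (symlinks are followed, so a link pointing outside
 * the base is refused too).
 *
 * @param string $baseDir directory the file must live in (must exist)
 * @param string $name    file name, ideally already passed through
 *                        safe_filename_component()
 * @return string|null canonical absolute path, or null when the file does not
 *                     exist or resolves outside $baseDir
 */
function resolve_under(string $baseDir, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return null;
    }
    // Compare with a trailing separator so "/var/www" does not match "/var/www2".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $base, strlen($base)) === 0 ? $target : null;
}

/**
 * SQL: never append request data to the query text; bind it.
 *
 * @param PDO    $pdo    connection; PDO::ATTR_EMULATE_PREPARES should be false
 *                       so the driver, not PHP, does the quoting
 * @param string $sql    a query written by the developer with placeholders
 *                       (e.g. 'SELECT * FROM t WHERE name = :name'); must not
 *                       be built from request data
 * @param array  $params placeholder => value, values taken from the request
 * @return array rows as associative arrays
 * @throws PDOException when the connection uses PDO::ERRMODE_EXCEPTION
 */
function find_rows(PDO $pdo, string $sql, array $params): array
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Output: escape for an HTML text or attribute context.  ENT_QUOTES covers
 * both quote kinds, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning "".  Other contexts (JS, URL, CSS) need their own escaper.
 */
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Request handling.  Guarded so nothing runs when there is no such parameter
// (the original emitted an "undefined index" notice in that case).
if (isset($_POST['param1'])) {
    // case 1: if the var is an integer
    $id = read_int_param($_POST, 'param1');

    // case 2: if the var is a string used as a file name
    $name = safe_filename_component($_POST['param1']);
    // e.g. $path = $name === null ? null : resolve_under(__DIR__ . '/pages', $name);

    // SQL: $rows = find_rows($pdo, 'SELECT * FROM items WHERE id = :id', [':id' => $id]);

    // secure print (XSS fix): escape the raw string, not the validated one
    if (is_string($_POST['param1'])) {
        print html_escape($_POST['param1']);
    }
}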