Always escape user-supplied input before you output or otherwise use any $_GET or $_POST variable in PHP.

If you do not, anyone can put links (or any other HTML) into the GET or POST parameters of a URL, and that markup will be rendered as-is in your comments or guestbook pages. Spammers love to do this to get free links and fill your web site with junk ads.

Always wrap any input parameter in htmlspecialchars():

// ENT_QUOTES also escapes single quotes; the ?? '' default avoids an undefined-index notice
$input = htmlspecialchars($_GET['parameter'] ?? '', ENT_QUOTES, 'UTF-8');
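The following is an added example, not code from the original post. It shows a guestbook entry rendered once without escaping and once through a small escaping helper (the helper name e() and the sample submission are assumptions made up for this example), so the effect of htmlspecialchars() on injected links and script tags is visible side by side.

```php
<?php
// Added example (not from the original post): escape user input at the point
// where it is written into HTML, using one helper for every dynamic value.
declare(strict_types=1);

// Hypothetical helper name. ENT_QUOTES escapes both quote styles, so the value
// is safe inside single- or double-quoted attributes as well as element text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample of the kind of submission the post describes. In a real
// request these values would come from $_POST['name'] and $_POST['comment'].
$submitted = [
    'name'    => 'Spammer <a href="http://example.invalid/">free links</a>',
    'comment' => "Nice site! <script>alert('x')</script> & 'cheap' \"deals\"",
];

// Unsafe: the raw strings are interpolated, so the browser renders the link
// and runs the script. This is the behaviour the post warns about.
function renderUnsafe(array $entry): string
{
    return "<p><b>{$entry['name']}</b>: {$entry['comment']}</p>";
}

// Safe: every dynamic value passes through e(); the markup is shown as text.
function renderSafe(array $entry): string
{
    return '<p><b>' . e($entry['name']) . '</b>: ' . e($entry['comment']) . '</p>';
}

// Attribute context: the same helper, but the attribute value must be quoted
// so that an escaped space or quote cannot terminate it.
function renderInput(string $previous): string
{
    return '<input type="text" name="comment" value="' . e($previous) . '">';
}

echo renderUnsafe($submitted), PHP_EOL;
echo renderSafe($submitted), PHP_EOL;
echo renderInput($submitted['comment']), PHP_EOL;
```

Run it with `php example.php` and compare the first two lines: the unsafe line contains a live anchor and script tag, the safe line contains only &lt;, &gt;, &amp;, &quot; and &#039; entities. Two practical points: keep the raw value when storing it (for instance in the guestbook database) and escape when rendering, so the same string is escaped correctly for each place it appears; and remember that htmlspecialchars() is only the right tool for HTML element text and quoted attributes, so a value that ends up in a URL needs urlencode() and validation instead.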

How to Avoid HTML Insertion Attacks