- Do they check for bad user data?
- Do they check for missing user data?
- Is this code subject to SQL injection attacks? (i.e. is input escaped with mysql_real_escape_string?)
- Is this code subject to cross-site scripting attacks? (i.e. is output encoded with htmlentities?)
- What do the database tables look like? Are all the columns the right type?
- Do they check for database errors and database connection errors?
- Does the PHP code do any work that the database could? One line of SQL might replace ten lines of PHP.
- How big is the thing?
- Is there any repeated code?
- HOW DOES IT WORK?
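
A small handler that answers the input, injection, output-encoding and error-handling questions above, as an added example that is not code from the original page. The `comments` table and `render_comments` function are hypothetical, an in-memory SQLite database stands in for MySQL so the script runs without a server, and PDO bound parameters are used in place of `mysql_real_escape_string`, which was removed in PHP 7.0.

```php
<?php
// Hypothetical comment-lookup handler written for this checklist (assumed names).
function render_comments(PDO $db, array $input): string
{
    // Missing user data: the parameter must be present.
    if (!isset($input['user_id'])) {
        return 'Error: user_id is required.';
    }
    // Bad user data: must be a positive integer, matching the INTEGER column.
    $userId = filter_var($input['user_id'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        return 'Error: user_id must be a positive integer.';
    }
    try {
        // SQL injection: the value is bound, never concatenated into the SQL.
        $stmt = $db->prepare('SELECT body FROM comments WHERE user_id = :id ORDER BY id');
        $stmt->execute([':id' => $userId]);
        $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        // Database errors: log the detail, show the user a generic message.
        error_log('comment query failed: ' . $e->getMessage());
        return 'Error: could not load comments.';
    }
    // Cross-site scripting: encode stored text before it reaches the page.
    $out = '';
    foreach ($rows as $body) {
        $out .= '<li>' . htmlentities($body, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return "<ul>\n" . $out . '</ul>';
}

try {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    // Database connection errors are checked as well.
    exit('Error: database unavailable.');
}
// Column types: ids are integers, text is text, nothing is nullable by accident.
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL)');
// Constructed sample rows; the second carries markup that must be encoded on output.
$ins = $db->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)');
$ins->execute([1, 'Nice post']);
$ins->execute([1, '<b>hi</b> & bye']);

echo render_comments($db, ['user_id' => '1']), "\n";          // valid input
echo render_comments($db, []), "\n";                          // missing user data
echo render_comments($db, ['user_id' => '1 OR 1=1']), "\n";   // bad user data
```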