Here is what I think we need to do:

* Remove our reliance on register_globals. This is going to be a lot
  of messy work since $foo now becomes $_GET['foo'] or $_POST['foo']
  or $_SERVER['DOCUMENT_ROOT'] or $_COOKIE['authname'].

* Chack all args before handing off to DB queries. We are not going to
  use magic quotes, so before we can give a random argument (like uid)
  to a DB query, we have to check it.

  We should add some utility functions for this. Generally, all args
  need better checking.

* Anything that goes to the shell needs even tighter checks.

* Kill all the stripslashes call on data that came from the DB since
  they are not needed (no slashes stored in the DB).

* Make sure we use addslashes on all stuff going into DB slots (update
  and insert statements). 

apc.php
approveproject.php3
approveproject_form.php3
approveproject_list.php3
approveuser.php3
approveuser_form.php3
approvewauser.php3
approvewauser_form.php3
beginexp.php3
boot.php3
buildui/bui.php3
buildui/nssave.php3
cdrom.php
cdromcheckin.php3
cdromdownload.php
cdrominstallhelp.php
cdromnewkey.php
cdromqueue.php3
cdromrequest.php3
clearapc.php
cvsweb/cvsweb.php3
dbdefs.php3.in
defs.php3.in
delaycontrol.php3
deletegroup.php3
deleteimageid.php3
deletenodelog.php3
deleteosid.php3
deleteproject.php3
deletepubkey.php3		X
deletesfskey.php3		X
deleteuser.php3
doc.php3
doc/docwrapper.php3		X
docwrapper.php3			X
editexp.php3
editgroup.php3
editgroup_form.php3
editimageid.php3
editimageid_form.php3
editsitevars.php3
emailus.php3
endexp.php3
error.php3
expaccess.php3
expaccess_form.php3
explist.php3
faq.php3
foo.php3
freenode.php3
freezeuser.php3
index.php3
joinproject.php3
loadimage.php3
login.php3		X
logout.php3		X
menu.php3
menu.php3.java
modifyexp.php3
moduserinfo.php3	X
netemu.php3
newgroup.php3
newgroup_form.php3
newimageid.php3
newimageid_ez.php3
newnode-defs.php3
newnode_edit.php3
newnodecheckin.php
newnodelog.php3
newnodelog_form.php3
newnodes_list.php3
newosid.php3
newosid_form.php3
newproject.php3
news.php3
nodecontrol.php3
nodecontrol_form.php3
nodecontrol_list.php3
nodemon.php3
nodemon_all.php3
nodessh.php3
nodetipacl.php3
nologins.php3
nscheck.php3
nscheck_form.php3
password.php3
people.php3
plabmetrics.php3
plabstats.php3
projectlist.php3
pubs.php3
reqaccount.php3
request_swapexp.php3
resendkey.php3
sc2002tut.php3
search.php3
sendemail.php3
showexp.php3
showexp_list.php3
showexpstats.php3
showgroup.php3
showimageid.php3
showimageid_list.php3
shownode.php3
shownodelog.php3
shownodetype.php3
shownsfile.php3
showosid_list.php3
showosinfo.php3
showproject.php3
showproject_list.php3
showpubkeys.php3		X
showsfskeys.php3		X
showstats.php3
showstuff.php3
showsumstats.php3
showthumb.php3
showuser.php3
showuser_list.php3
software.php3
spewlogfile.php3
spewrpmtar.php3
spitnsdata.php3
start.php3
survey.php3
swapexp.php3
tbauth.php3
toggle.php			X
top2image.php3
tutorial/docwrapper.php3	X
tutorial/tutorial.php3		X
updateaccounts.php3
updown.php3
verifyusr.php3
verifyusr_form.php3
webdb/webdb.php3
webdb/webdb_backend.php3
widearea_info.php3
widearea_redirect.php
widearea_register.php
wideareakeys.php3