At that point the solution I posted was :
“… the first thing you should do is to use $_POST instead of $_REQUEST, validate the user and use a token validation system to force the user to use your own forms. ”

I reffered to these 3 methods used together, not just to replace the REQUEST with the POST.

I didn’t read the whole of your article but in point 4 you said that the user should use $_POST. Well, OK he has to, but an attacker can check the header sent (with Live HTTP Headers for example) and perform a POST request with the data he wants.
It is the token mechanism you speak of which will greatly help preventing those attacks.

I expect a little more stronger protection guidance in your part-2…