Hi, I am close to launching a website that i have been working on for some time now and i plan on carrying out a significant review of security . I understand that one of the biggest areas of concern from a security point of view is how you handle user input (fields / forms etc.) I don't expect anyone to reply with tonnes of information on each, as the internet is full of help and advice BUT the one downside of the internet is 'how up to date' the information is (don't want to use / implement out dated practices) or the 'integrity' of the advice, especially in relation to this subject'. So what are your key best practices for each of the following: 1 - Validating Input 2 - Sanitizing Input Thanks in advance for your help...
This kind of question has many answers and developers have their own principles. Validating input is clearly important as a corrupt database or however you store information is flawed. Checking for integers when they should be integers, string for strings etc is one way. You can only apply so much validation thou sometimes bad data is stored but not much you can do about that. In terms of security you need to use something like PDO for your SQL work (if your using SQL) and make sure you escape all html code to prevent cross site scripting. Please remember that is not possible to make something 100%, you can of course make something 99% secure. The fact that you allow user's to send data, modify data etc pretty much means it can be broken.