Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
The Manual wrote: This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.
And from the manual under User Submitted Data
The Manual wrote: You may also want to consider turning off register_globals, magic_quotes, or other convenience settings which may confuse you as to the validity, source, or value of a given variable. Working with PHP in error_reporting(E_ALL) mode can also help warn you about variables being used before they are checked or initialized (so you can prevent unusual data from being operated upon).
For simple input you should look at validating the type of input received; if it's written to a database use something like mysql_real_escape_string(), and if the data will be displayed use htmlentities() with ENT_QUOTES to make any HTML characters safe for display. (And stripslashes() for any remaining slashes.)
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
It depends on your form but if you are only receiving input (text only) validating input is a good place to start. What the form will be used for is a good place to start working from as each option will have different types of security applied to it.
Form sends data (contact form) - htmlentities() / validation with JavaScript or PHP
Form sends data to database - htmlentities(), mysql_real_escape_string() / or any relevant function to the database
Form uploads files - check that file matches certain specifics, check that file is an uploaded one before copying it
These are just a few basic ones you should aim to have, imo.
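As an added example (not code from either post above), here is a PHP contact-form handler that applies the checks both posts list in one place: undoing magic_quotes escaping with stripslashes() so the raw value is what gets validated, validating each field by type and length, escaping for display with htmlentities() and ENT_QUOTES, storing to the database, and accepting a file only after is_uploaded_file() confirms PHP itself received it. It assumes PHP 7.1 or later, a `messages` table with name/email/body columns, and the field names and size limits are made up for illustration. For the database step it uses a PDO prepared statement rather than mysql_real_escape_string(), since the mysql_* extension was removed in PHP 7.0 (mysqli_real_escape_string() is the closest direct equivalent if you still escape by hand).

```php
<?php
// Added example, not from the thread. Field names, limits and the table layout are assumptions.

// Return the raw submitted string, reversing magic_quotes_gpc if that legacy setting is on,
// so validation and escaping operate on what the user actually sent (get_magic_quotes_gpc()
// is gone in PHP 8, hence the function_exists guard).
function raw_input(array $source, string $key): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = $source[$key];
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Validate by type and length; returns [clean values, error list]. Anything not matching
// the expected shape is rejected rather than "fixed up".
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = [];

    $name = raw_input($post, 'name');
    if ($name === null || !preg_match('/^[\p{L} \'.-]{1,80}$/u', $name)) {
        $errors[] = 'name: letters, spaces and . \' - only, 1-80 characters';
    } else {
        $clean['name'] = $name;
    }

    $email = raw_input($post, 'email');
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    } else {
        $clean['email'] = $email;
    }

    $message = raw_input($post, 'message');
    if ($message === null || strlen($message) < 1 || strlen($message) > 2000) {
        $errors[] = 'message: 1-2000 characters';
    } else {
        $clean['message'] = $message;
    }
    return [$clean, $errors];
}

// Escape for HTML output: ENT_QUOTES covers both quote styles so the value is safe inside attributes too.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Store with a prepared statement: the driver keeps data separate from the SQL text,
// which replaces a per-value mysql_real_escape_string() call. Table layout is assumed.
function store_message(PDO $db, array $clean): void
{
    $stmt = $db->prepare('INSERT INTO messages (name, email, body) VALUES (:name, :email, :body)');
    $stmt->execute([':name' => $clean['name'], ':email' => $clean['email'], ':body' => $clean['message']]);
}

// Accept an uploaded image only if PHP itself received it (is_uploaded_file), it is within the
// size cap, and its content (not the client-supplied type) is PNG or JPEG. The stored name is
// random, so the client never chooses the path on disk. Returns the stored path or null.
function accept_upload(array $file, string $dest_dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > 1048576) {            // assumed cap: 1 MiB
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $info    = getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg'];
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    $target = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed sample input standing in for $_POST, so this runs from the CLI without a web server.
$sample = ['name' => "O'Brien", 'email' => 'a@example.com', 'message' => '<script>alert(1)</script>'];
[$clean, $errors] = validate_contact($sample);
if ($errors) {
    print_r($errors);
} else {
    echo h($clean['name']), "\n";
    echo h($clean['message']), "\n";
    // store_message(new PDO('mysql:host=localhost;dbname=site', 'user', 'pass'), $clean);
}
```

The order matters: validate on the raw value, escape for the specific sink (HTML for the page, a prepared statement or driver escape for the database), and never apply one sink's escaping to another; htmlentities() does nothing for SQL, and an SQL escape does nothing for HTML.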