dunc wrote: Turn 'register global variables off'
There's no real need to turn them off as long as you write the script as if they were off and always initialize variables before use (this especially includes arrays).
dunc wrote: Not sure whether to use post or get methods?
Both are used quite often. Typically, user submissions will be POSTs, while many pages themselves will use GETs, i.e. ?some=thing
dunc wrote: Check the data contains no hashes or semi colons
Hashes or semicolons? The filtering needed varies a bit depending on the destination; however, many systems need get_magic_quotes_gpc() and its related functions to get the information into a baseline that all systems can then go from afterward.
dunc wrote: Make sure the variable contains only letters or only numbers, depending on variable type
It's not that concrete. The point of the commandment is mostly to tell you that you must always validate and verify data coming from outside sources. Sometimes even internal sources need to be checked. This is part of the concept of defense-in-depth.
dunc wrote: What else would you suggest?
Reading all the threads in the Security & Theory and Design boards.
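As an added illustration of the advice in this thread (not code from dunc or the replier), here is a PHP handler written as if register_globals were off: every variable is initialised before use, input is pulled from $_GET/$_POST by name, normalised for magic_quotes_gpc, and then whitelist-validated as letters-only or digits-only. The field names, the ctype rules, and the assumption of a legacy PHP (before 7.4, where get_magic_quotes_gpc() still exists) are mine.

```php
<?php
// Added example, not from the forum post. Assumes legacy PHP (< 7.4) where
// get_magic_quotes_gpc() exists; field names and rules are constructed here.

// Undo magic_quotes_gpc so a value looks the same whatever the ini setting is.
function normalize_input($value) {
    if (is_array($value)) {
        return array_map('normalize_input', $value);
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Whitelist validation: return the value only if it has the expected shape,
// otherwise the caller's default. Rejecting beats trying to "clean" bad input.
function validated_field(array $source, $name, $type, $default) {
    if (!isset($source[$name]) || is_array($source[$name])) {
        return $default;
    }
    $value = normalize_input($source[$name]);
    switch ($type) {
        case 'alpha':  return ctype_alpha($value) ? $value : $default;
        case 'digits': return ctype_digit($value) ? (int) $value : $default;
        default:       return $default;
    }
}

// Initialise every variable (arrays included) before use; never rely on a
// global being injected by register_globals.
$username = '';
$page     = 1;
$errors   = array();

$username = validated_field($_POST, 'username', 'alpha',  '');
$page     = validated_field($_GET,  'page',     'digits', 1);

if ($username === '') {
    $errors[] = 'username must contain letters only';
}
if ($page < 1) {
    $errors[] = 'page must be a positive number';
}
```

The validation here is a whitelist (what the field may contain), which is the general form of the "only letters or only numbers" rule; any value that fails falls back to a known-safe default rather than reaching the rest of the script.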