http://www.example.com/script.php?id[]=1
This will make $_GET['id'] an array.
---------
I thought from the way I've written it, it is clear that by those things I mean the same. And you've already defined sanitize and validate.
filter/escape/sanitise/sanitize
"escape" is what most "sanitizing" functions do - mysql_real_escape_string() for example.
No.
In my opinion validating, filtering and sanitizing, all used on input, are terms used for the same process: making sure only data you want can enter your script/application. Within that process several things can happen. Checking what the input is, returning an error or message, returning true/false, logging something, stripping data, etc etc. It all depends on the specific situation what should be done exactly.
This would be validating. You check and tell the user if it was valid.
Checking what the input is, returning an error or message
This is not, and I stress it - not - a good enough security measure. All things coming from a user-controllable source (this is "input" if you still insist on definitions) should be filtered with a filter appropriate for the function they will be passed to.
Before putting it into a mysql database, we filter it with mysql_real_escape_string()
Before printing it to the user we will filter it with htmlentities()
This is what you called later in that sentence "stripping data". Validation and filtering have different purposes and should be thought of and implemented separately. I will repeat: Filter if you want to be secure, validate if you want to be nice.
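
An added example, not code from the thread: it runs constructed query strings, including the `id[]=1` case above, through separate validation and per-context filtering steps. The function names `validate_id` and `html_out` and the `items` table are hypothetical, and the SQL side uses a PDO prepared statement on an in-memory SQLite database (assumes the pdo_sqlite extension) as a stand-in, because `mysql_real_escape_string()` was removed in PHP 7.

```php
<?php
// Constructed sample query strings, not taken from the thread.
$samples = ['id=42', 'id[]=1', 'id=<script>alert(1)</script>', 'id=7 OR 1=1'];

/** Validate: accept only a string holding a positive integer; int or null. */
function validate_id($raw): ?int
{
    if (!is_string($raw)) {          // id[]=1 arrives as an array, not a string
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Filter for the HTML output context, as the post does with htmlentities(). */
function html_out($raw): string
{
    // An array has no sensible string form; print a fixed marker instead.
    $s = is_string($raw) ? $raw : '[non-string input]';
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in database (assumption): SQLite in memory instead of MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items VALUES (42, 'widget')");
$stmt = $db->prepare('SELECT name FROM items WHERE id = ?');

foreach ($samples as $qs) {
    parse_str($qs, $get);            // builds the same structure PHP puts in $_GET
    $raw = $get['id'] ?? null;
    $id  = validate_id($raw);
    if ($id === null) {
        // Validation decides the message; the echoed value is still filtered.
        echo 'Invalid id: ', html_out($raw), "\n";
        continue;
    }
    $stmt->execute([$id]);           // SQL context: bound parameter
    $name = $stmt->fetchColumn();
    echo 'Item ', $id, ': ', html_out($name === false ? 'not found' : $name), "\n";
}
```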