First, I recommend that you use the filter calls to check and test all GET/POST parameters.
See http://www.php.net/manual/en/book.filter.php for details.
Second, quoting SQL queries and results can be a bit of a nightmare. I strongly recommend
that you consider using prepared statements and bind PHP variables to your query parameters.
If you do this consistently, you won't have to worry about SQL injection. The process is made
easier by using the PDO object-oriented MySQL interface, see
http://www.php.net/manual/en/book.pdo.php
Finally, I recommend that all your website forms use a special "nonce" field to prevent
replay attacks on your forms. (In particular, if you have a contact page with a simple
message form, this can and almost certainly will be hammered by mailing robots.) The technique
here is to set up a "hidden" text input field with a unique value - one which changes every
time the form is served. If, when the form is submitted, the nonce value is not the expected
value, don't action the submit any further! To generate unique values for the nonce field,
maintain an integer value in the session data; initialize it with zero and every time your
script serves a new form, increment it by a random amount, then use the resulting value as
the value of the hidden nonce field.
The advice is not to use URLs to carry the session ID. Instead, use cookies. In your php.ini,
set
session.use_cookies = 1
session.use_only_cookies = 1
(I think these may now be the default settings, but it is worth checking.)
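As an added example (not code from the original post), here is a PHP contact-form handler that puts the three points above together: filter_input() checks on the parameters, a PDO prepared statement with bound variables, and the session-counter nonce in a hidden field. It assumes PHP 7 or later (random_int, hash_equals), a hypothetical messages(email, body) table, and placeholder database credentials.

```php
<?php
// Added example (not from the original post): the hidden "nonce" field described above,
// filter checks, and a PDO prepared statement. Assumes PHP 7+ and a hypothetical table messages(email, body).
session_start();
// Serving the form: bump the per-session counter by a random amount; the result is the nonce.
function issue_form_nonce(): int
{
    if (!isset($_SESSION['form_nonce'])) {
        $_SESSION['form_nonce'] = 0;                      // initialize with zero
    }
    $_SESSION['form_nonce'] += random_int(1, 1000000);    // increment by a random amount
    return $_SESSION['form_nonce'];
}
// Handling the submit: the posted nonce must equal the value stored when the form was served.
function nonce_is_valid(): bool
{
    $posted = filter_input(INPUT_POST, 'nonce', FILTER_VALIDATE_INT); // int, false, or null
    if (!is_int($posted) || !isset($_SESSION['form_nonce'])) {
        return false;
    }
    $ok = hash_equals((string) $_SESSION['form_nonce'], (string) $posted);
    $_SESSION['form_nonce'] += random_int(1, 1000000);    // consume it: a replayed value no longer matches
    return $ok;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!nonce_is_valid()) {
        http_response_code(400); exit('Form expired or replayed; please reload the page and try again.');
    }
    // Check the parameters with the filter extension before touching them.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); // string, false, or null
    $body  = filter_input(INPUT_POST, 'body');                         // string or null
    if (!is_string($email) || !is_string($body) || $body === '') {
        http_response_code(400); exit('Invalid input.');
    }
    // Prepared statement with bound parameters: no hand-quoting, no SQL injection.
    $pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass',   // placeholder credentials
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $stmt = $pdo->prepare('INSERT INTO messages (email, body) VALUES (:email, :body)');
    $stmt->execute([':email' => $email, ':body' => $body]);
    exit('Thanks, your message was received.');
}
$nonce = issue_form_nonce();
?>
<form method="post">
  <input type="hidden" name="nonce" value="<?= $nonce ?>">
  <!-- email and message fields go here -->
</form>
```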