Don’t trust your users!

August 14th, 2009

If there is one thing I’ve learned since I started developing websites and applications, it’s the importance of validating user input. Don’t trust for one second what your user is sending you. Any time a user is asked for input, whether it be their name, email address or an uploaded image, that input must be filtered to:

  1. Check it is actually from who it’s supposed to be
  2. Make sure it contains the information you want and is structured correctly

Data must never be changed to accommodate mistakes; always tell the user if they have done something incorrectly. Make them play by your rules. Changing incorrect user data can create vulnerabilities.

Once data has been validated, it must be escaped before being inserted into a database. The safest way to make sure data is clean is to set up a new array() and then put the data through htmlentities() and mysql_real_escape_string().
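
An added example (not the author’s code) of the flow described above: raw input is validated into a fresh array and rejected rather than repaired, then stored. Because the mysql_* functions were removed in PHP 7.0, the database step here uses a PDO prepared statement in place of mysql_real_escape_string(), and htmlentities() is applied when the data is printed. The validate_signup() function, the users table and the sample inputs are assumptions made for the example, which needs the pdo_sqlite extension.

```php
<?php
// Validate raw input into a new $clean array; reject bad values, never repair them.
function validate_signup(array $input): array
{
    $clean = [];
    $errors = [];
    $name = $input['name'] ?? '';
    if (is_string($name) && preg_match('/\A[\p{L}][\p{L} \'.-]{0,63}\z/u', $name) === 1) {
        $clean['name'] = $name;
    } else {
        $errors['name'] = 'Name must be 1-64 letters, spaces, apostrophes, dots or hyphens.';
    }

    $email = $input['email'] ?? '';
    if (is_string($email) && filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'Email address is not valid.';
    }

    return [$clean, $errors];
}

// Constructed sample inputs: one well-formed, one carrying SQL and HTML metacharacters.
$samples = [
    ['name' => "Anne O'Brien", 'email' => 'anne@example.com'],
    ['name' => "x'); DROP TABLE users;--", 'email' => '<script>@example.com'],
];

$db = new PDO('sqlite::memory:');   // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');

foreach ($samples as $raw) {
    [$clean, $errors] = validate_signup($raw);
    if ($errors !== []) {
        // Tell the user what is wrong; nothing from $raw reaches the database.
        echo 'Rejected: ', implode(' ', $errors), PHP_EOL;
        continue;
    }
    $insert->execute($clean);       // values are bound, not concatenated into SQL
}

// Encode for HTML when the stored data is written into a page.
foreach ($db->query('SELECT name, email FROM users') as $row) {
    echo htmlentities($row['name'], ENT_QUOTES, 'UTF-8'), ' / ',
         htmlentities($row['email'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

Only the first sample is stored; the second is rejected with a message for each failing field, and the apostrophe in the stored name is written as an HTML entity on output.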

So never trust your users. Always treat data input as invalid until you can prove otherwise. It sounds harsh, but it’s the only safe way to protect you, your data and your customers.

mark williams

Mark is the manager of Edge of the Web, and is also a technical whizz. Mark has spent the last few years building "net native" business systems on the internet for local, national and international companies.
