I am close to launching a website that i have been working on for some time now and i plan on carrying out a significant review of security .
I understand that one of the biggest areas of concern from a security point of view is how you handle user input (fields / forms etc.)
I don't expect anyone to reply with tonnes of information on each, as the internet is full of help and advice BUT the one downside of the internet is 'how up to date' the information is (don't want to use / implement out dated practices) or the 'integrity' of the advice, especially in relation to this subject'.
So what are your key best practices for each of the following:
1 - Validating Input
2 - Sanitizing Input
Thanks in advance for your help...
I'll add my .05 cents (It should be .02 cents...but inflation :D )
I say if you can try to keep everything modularized on your website as much possible, it would add to your security a lot. If you can keep all you html on one page, by that I mean you headers and footers (HTML) [they can be separate files] and then have you can have content in modules (you can even keep these files in a separate folder) it would keep you organized and offer up better security. Keep you sensitive data (login requirements, database information, etc...) in a separate file (like already mention) in a different folder that way you can even further protect it by giving that folder a unique name (Don't use names that people use for tutorials, for why would you want to aid the script kiddies :D ) and you could even further protect it with a .htaccess file in the future if you so desired. I write special functions that sanitize my user input and I use this motto, "When it doubt, Sanitize It!".
An lastly as someone has told me if you truly truly want it secure use Hypertext Transfer Protocol Secure (HTTPS); however, even that can be insecure - but you have to cut the cord sometime.;)