I am close to launching a website that I have been working on for some time now, and I plan on carrying out a significant review of security.
I understand that one of the biggest areas of concern from a security point of view is how you handle user input (fields, forms, etc.).
I don't expect anyone to reply with tonnes of information on each, as the internet is full of help and advice, BUT the one downside of the internet is how up to date the information is (I don't want to use or implement outdated practices) or the integrity of the advice, especially in relation to this subject.
So what are your key best practices for each of the following:
1 - Validating Input
2 - Sanitizing Input
Thanks in advance for your help...
Validation rules depend on what's being validated, but in general:
* Numbers must be numbers - probably positive integers too
* Numbers in a range must be within the range
* Items chosen from a list must exist in that list
* Strings may be arbitrary but (max) length may matter
Sanitizing should be strictly a matter of making sure the value is only data and never syntax. Like a string in SQL is always just a string, or output in HTML is only text and never markup.
If you decide to make the wrong (IMO) decision and alter user input, like with strip_tags(), then that's kinda part of sanitizing too.
I think you're on the wrong track. You cannot "sanitize" input in the sense of applying some functions and checks on the user input, and then it's safe. Do not even attempt that. The PHP developers tried it with the infamous "magic quotes", and we all know how "well" this works (not at all).
Security comes from understanding the risks and escaping mechanisms of each context. It's also important to prevent mistakes. If you hand-pick the "dangerous" data and escape it manually, there's a gigantic risk of getting it wrong sometimes. Instead, escape all data, maybe even automatically. For example, many template engines already apply HTML escaping to all input. Common database libraries also have the escaping built-in.
Validating form input is great for notifying the user of typos or something. But it's not suitable as a security measure.
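The two answers above make one combined point: validation (numbers are numbers, ranges, list membership, length) is for user feedback, while safety comes from treating data as data in each output context. This added example is not from either poster; it applies those validation rules to a constructed signup form, then stores the raw string with a parameterised query and escapes it only at HTML output time. The field names, limits and `ALLOWED_ROLES` set are assumptions chosen for the example.

```python
import html
import sqlite3

ALLOWED_ROLES = {"reader", "editor"}  # constructed "items chosen from a list"


def validate(form):
    """Apply the rules from the first answer; returns (clean, errors).

    This is for telling the user what is wrong, not a security control:
    the name is accepted verbatim, including quotes and angle brackets."""
    clean, errors = {}, {}
    age = form.get("age", "")
    if not age.isdigit() or int(age) <= 0:      # numbers must be positive integers
        errors["age"] = "must be a positive integer"
    elif not 13 <= int(age) <= 120:             # numbers in a range must be in range
        errors["age"] = "must be between 13 and 120"
    else:
        clean["age"] = int(age)
    role = form.get("role", "")
    if role not in ALLOWED_ROLES:               # list items must exist in the list
        errors["role"] = "unknown role"
    else:
        clean["role"] = role
    name = form.get("name", "")
    if not 1 <= len(name) <= 40:                # strings arbitrary, but length matters
        errors["name"] = "must be 1-40 characters"
    else:
        clean["name"] = name
    return clean, errors


def store_and_fetch(clean):
    """SQL context: placeholder binding keeps the value a string, never syntax."""
    conn = sqlite3.connect(":memory:")          # constructed in-memory table
    conn.execute("CREATE TABLE users(name TEXT, role TEXT, age INTEGER)")
    conn.execute("INSERT INTO users(name, role, age) VALUES (?, ?, ?)",
                 (clean["name"], clean["role"], clean["age"]))
    return conn.execute("SELECT name, age FROM users").fetchall()


def render_greeting(name):
    """HTML context: escape at output time so the text can never become markup."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)
```

Note that the same unmodified name is safe in both contexts because each sink applies its own escaping, which is what the second answer means by escaping all data rather than hand-picking "dangerous" values.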