I have read a lot of PHP tutorials about things to keep in mind when developing, or what not to do when writing a PHP script, or the PHP tips guide, etc.

So I was wondering whether, by sharing all our knowledge, we could make a list here about:
- Security issues to keep in mind
- Tips to optimize code
- What NOT to do
- Etc.

A sort of a complete tips guide 😉

This way we have everything in one tutorial and save ourselves the time of looking at different ones on different sites or in books 🙂 !

    What I've learned in such a short time programming in PHP, and that seems to be a good consideration, is

    • Never ever trust the user: always validate user input
    • Work with register_globals = off

      Everyone always writes: "Turn those register globals off"!
      But why? Register globals are great! OK, you have a major manipulation problem, but do you really pass on every tiny piece of information through a form (or session)?

      How do other people pass on information without using register globals?

        Check this code:

        <?php
        session_start();

        // With register_globals on, $username and $password arrive as plain
        // globals straight from the request (this is the insecure pattern).
        if ($username == 'kevin' and $password == 'secret')
        {
            $authorized = true;
            session_register('authorized');
        }
        ?>

        <?php
        // $authorized is also a global here, so a request can set it directly.
        if (!$authorized)
        {
            //Display HTML Form prompting user to log in
        }
        else
        {
            //Super-secret HTML content goes here
        }
        ?>

        With register_globals on, if the user writes ?authorized=1 in the URL, security is bypassed because of the global scope of $authorized.

        With register_globals off this can't be done; you would then have this code:

        <?php
        session_start();

        // Credentials are read explicitly from the POST body, never from globals.
        // The ?? fallback avoids an undefined-index notice when a field is missing.
        if (($_POST['username'] ?? '') === 'kevin' and
            ($_POST['password'] ?? '') === 'secret')
        {
            $_SESSION['authorized'] = true;
        }
        ?>

        <?php
        // empty() is false only when the login above actually set the flag.
        if ( empty($_SESSION['authorized']) )
        {
            //Display HTML Form prompting user to log in
        }
        else
        {
            //Super-secret HTML content goes here
        }
        ?>

        This way your security hole is gone, using register_globals off!
        🙂
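The two points raised in this thread, never trusting user input and keeping the authorization flag in $_SESSION rather than in a globally writable variable, combined into one login handler. This is an editor-added example, not code from any post above. It assumes the pdo_sqlite extension and builds a throwaway in-memory user table seeded with the thread's own sample credentials (kevin / secret); the validate_login and check_credentials function names are hypothetical.

```php
<?php
// Added example: hardened version of the login shown above.
// Assumptions: pdo_sqlite available; users table with username + password_hash.
declare(strict_types=1);

session_start();

// Constructed sample data: an in-memory table holding one bcrypt-hashed user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (:u, :h)')
   ->execute([':u' => 'kevin', ':h' => password_hash('secret', PASSWORD_DEFAULT)]);

/**
 * Validate the raw POST fields. Returns the cleaned pair, or null when the
 * request is malformed, so nothing untrusted reaches the query or the output.
 */
function validate_login(array $post): ?array
{
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    // $_POST values can be arrays (field[]=x); accept strings only.
    if (!is_string($username) || !is_string($password)) {
        return null;
    }
    // Whitelist the username: 3-32 characters, letters, digits or underscore.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return null;
    }
    // Cap the password length so a huge body cannot burn CPU in bcrypt.
    if ($password === '' || strlen($password) > 1024) {
        return null;
    }
    return ['username' => $username, 'password' => $password];
}

/**
 * Look the user up with a prepared statement (no string-built SQL) and
 * compare against the stored hash; plaintext passwords are never compared.
 */
function check_credentials(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run password_verify so response time does not
        // reveal whether the username exists.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, (string) $hash);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $login = validate_login($_POST);
    if ($login !== null && check_credentials($db, $login['username'], $login['password'])) {
        session_regenerate_id(true);       // fresh session id after the privilege change
        $_SESSION['authorized'] = true;
        $_SESSION['username']   = $login['username'];
    }
}

if (empty($_SESSION['authorized'])) {
    // Display HTML form prompting user to log in
} else {
    // Escape anything echoed back to the browser, even values we stored ourselves.
    echo 'Welcome, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
}
```

Three things carry the security weight here: the whitelist in validate_login rejects anything but a plain username before it reaches SQL or HTML, the prepared statement keeps the value out of the query text, and session_regenerate_id() plus the $_SESSION flag means no request parameter can ever stand in for a successful login.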

          A common mistake is to name your include files with some extension like .inc or .class, etc.

          This is not a good practice. Anyone can then view your entire code. They just have to type in a URL like

          http://www.mysite.com/includes/myfunctions.inc

          and they will have your script right in front of their eyes!!!

          So, always name your files with .php extension.
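Two habits that go with the .php-extension advice above, shown as an editor-added example (not code from this thread): keep include files outside the web document root, and make each include refuse to run when a browser requests it directly rather than via require. Both files are shown in one listing; the paths and the MYAPP_ENTRY constant are hypothetical names chosen for the example.

```php
<?php
// ---- private/myfunctions.inc.php ----
// Stored OUTSIDE the document root, so no URL maps to it at all.
// The guard below is defence in depth for the case where the file must
// sit under the web root anyway.
if (!defined('MYAPP_ENTRY')) {
    // Requested on its own: send 403 and reveal nothing about the contents.
    http_response_code(403);
    exit('Forbidden');
}

function db_credentials(): array
{
    // Secrets belong here, in a file the web server never serves as text.
    // Constructed placeholder values, not real credentials.
    return ['host' => 'localhost', 'user' => 'app', 'pass' => 'example-only'];
}
?>

<?php
// ---- public/index.php (the only file under the document root) ----
declare(strict_types=1);

define('MYAPP_ENTRY', true);                 // marks the legitimate entry point
require __DIR__ . '/../private/myfunctions.inc.php';

$cfg = db_credentials();
// Escape before echoing, even for values that came from our own config.
echo 'Connecting as ' . htmlspecialchars($cfg['user'], ENT_QUOTES, 'UTF-8');
```

With the include placed under private/ next to, not inside, the document root, a request for /includes/myfunctions.inc has nothing to hit; the MYAPP_ENTRY check catches the remaining case where hosting forces the file to live under the web root, and the .php extension guarantees it is executed rather than served as source if it ever is reached.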
