Script Security

Hi. I'm trying to ensure the security of my scripts as much as possible, as well as minimize error possibilities.

I'm using forms for people to enter data with, a MySQL database, and sessions.

I've got register_globals and magic_quotes turned off.

What would you recommend that I do?

Use a templating system such as Smarty, and have it automatically escape all fields output (unless you explicitly disable the modifier).

Use PDO prepared statements for all database queries, never just stick strings together.

These steps together will solve the two biggest problems.

But it won't protect against CSRF, that's trickier.

Mark