It is impossible to predict every new hack attempt. Therefore it makes sense to take some precautions which are less specific than htmlspecialchars but which might still catch attempts you have not foreseen.

Text and numbers in forms, URLs and cookies

If you ask for a name you do not really expect it to be 5000 characters long. If you ask for an age, anything over 150 years is unlikely. If you ask what sex someone is, the answer will be one of a limited number of values. You can use if statements or switch statements to ignore anything else.

Create a new page which has a form with two text input fields (firstname and age) and save it as validation.html. Make the form's action validationprocess.php.

Now create validationprocess.php and add this code, which filters numbers by checking that they fall in a believable range (of course the range might change as people live longer):


<?php
// The age comes from the form field named "age" in validation.html
$age = (int) ($_POST['age'] ?? 0);
if ($age > 150 || $age < 1) {
    echo "invalid age entered";
} else {
    // code to do something goes here
}

Try the form with different ages, both believable and not.

Add this code, which looks for excessively long strings that might contain code rather than genuine data:


// The first name comes from the form field named "firstname"
$firstname = $_POST['firstname'] ?? '';
if (strlen($firstname) > 30) {
    echo "That name is too long";
} else {
    // code to do something goes here
}

Try it with something longer than 30 characters.

On any real form consider whether you could add some filters appropriate to the data you are expecting.

Uploaded files

If you allow users to upload files using PHP, make sure the files are of a reasonable size, as previously explained. If users are only supposed to upload images, restrict the upload to files of that type. Keep the uploaded images apart from your other files, and if you have control of the server make sure they are scanned for viruses, scripts and spyware.

Remember that file names may also be displayed. So if a user gives a file a name containing dangerous code, that code might run when the name is shown. Sanitise the file names just like any other form data.
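As an added example, not part of the tutorial, here is a fuller validationprocess.php that combines the range and length checks above with the size, type and file-name checks for an uploaded image. The form fields firstname and age come from validation.html; the file input name photo, the 2 MB limit and the upload directory are assumptions.

```php
<?php
// Added example (not part of the original tutorial): a fuller validationprocess.php
// applying the range, length and file-name checks described above.
// Assumes the form fields "firstname" and "age" from validation.html and a
// hypothetical file input named "photo" sent with enctype="multipart/form-data".

// Age: reject anything that is not a whole number in a believable range.
$age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 150]]);
if ($age === false || $age === null) {
    exit('invalid age entered');
}

// First name: length limit plus a whitelist of characters a name can contain.
$firstname = trim($_POST['firstname'] ?? '');
if ($firstname === '' || strlen($firstname) > 30 || !preg_match('/^[\p{L} \'\-]+$/u', $firstname)) {
    exit('That name is not valid');
}

// Uploaded image: size, real content type (not the client-supplied one), and a safe name.
if (isset($_FILES['photo']) && $_FILES['photo']['error'] === UPLOAD_ERR_OK) {
    $file = $_FILES['photo'];
    if ($file['size'] > 2 * 1024 * 1024) {            // 2 MB limit (assumed policy)
        exit('File too large');
    }
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        exit('Only JPEG, PNG or GIF images are accepted');
    }
    // Never trust $file['name']: strip directory parts, keep only safe characters,
    // and choose our own extension from the detected type. Store outside the web root
    // (the path is an assumption) so nothing uploaded can be executed as a script.
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo(basename($file['name']), PATHINFO_FILENAME));
    $base = substr($base, 0, 40) ?: 'upload';
    $safeName = $base . '_' . bin2hex(random_bytes(4)) . '.' . $allowed[$mime];
    $dest = '/var/www/uploads/' . $safeName;          // directory outside the document root (assumed)
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        exit('Could not save file');
    }
    // When displaying the name later, escape it like any other form data.
    echo 'Saved as ' . htmlspecialchars($safeName, ENT_QUOTES, 'UTF-8');
}
echo 'Thanks, ' . htmlspecialchars($firstname, ENT_QUOTES, 'UTF-8') . ', age ' . $age;
```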