How to avoid MySQL Injection Attacks?

What are "best practices" to keep from being exploited?

MatthewHSE

1:56 am on Sep 3, 2005 (gmt 0)

Okay, so maybe this post belongs in the Perl or PHP forums instead of Webmaster General. But with MySQL injection attacks being the type of thing that can exploit many programming languages, I thought the "General" category was most fitting. Mods, please feel free to move this post if I guessed wrong.

I'm about to go live with my first "major" PHP script that is database-driven. It has a PHP/MySQL backend and does gather some sensitive data, such as names and addresses. Obviously, this is the type of thing you'd like to keep private! ;)

I've tried hacking the script myself by entering bogus and potentially-malicious data into the form fields, and so far it seems pretty safe. I've been unable to execute any PHP code through the form, and though the query strings do play an important role in the operation of the script, I've managed to keep things secure enough that I can't get to anything I shouldn't have access to by changing the query strings around and otherwise messing with them.

My biggest fear comes from MySQL injection attacks. I've heard that these are some of the most difficult attacks to guard against, and I don't mind telling you that I'm a bit afraid that I don't know enough to protect against them. So I'm wondering what some "best practices" would be to help prevent this devious type of attack.

In addition to ways to prevent MySQL injection attacks, I'll welcome advice on how to try to hack my own application - if I can't hack it myself, even knowing how it works, then surely it should be safe from outsiders. (Although most hackers are way smarter than I am . . . )

So what should I do to make sure I'm secure? I'm open to any and all suggestions!

Thanks in advance,

Matthew

physics

2:36 am on Sep 3, 2005 (gmt 0)

I'm not a security expert but have a couple of suggestions that can't hurt anyway.

One good practice is to only accept data that you're looking for. So if you're only looking for a search phrase from 4 to 20 characters long which only consists of word characters and spaces, then use a filter on the input string (use regular expressions ...).

You should also use mysql_real_escape_string() or mysql_escape_string() to escape special characters in any string to insert prior to inserting.
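Putting the two suggestions above into code, as an added example that is not from physics or from any project discussed in this thread: a whitelist filter for the search phrase, then the escaped query and a parameterised query side by side, with the unfiltered concatenation shown only for comparison. Assumptions: a mysqli connection in $db and a table named addresses with a name column (both hypothetical); the mysqli functions stand in for the mysql_* functions named in the post, which were removed in PHP 7.

```php
<?php
// Added example (not from the thread). Assumes a live mysqli connection $db
// and a hypothetical table `addresses` with a `name` column.

// 1. Accept only what you are looking for: 4 to 20 word characters or spaces.
function validate_search_phrase(string $input): ?string
{
    // \w matches letters, digits and underscore. The anchors and the {4,20}
    // quantifier reject anything else outright, so a quote, semicolon or
    // comment marker never reaches the query at all.
    if (preg_match('/^[\w ]{4,20}$/', $input) === 1) {
        return $input;
    }
    return null; // reject and tell the user; do not try to "clean" the value
}

// 2. The form to avoid: the phrase is spliced straight into the SQL text.
function build_query_unsafe(string $phrase): string
{
    return "SELECT name FROM addresses WHERE name LIKE '%$phrase%'";
}

// 3. Escaped form, as described in the post above (needs the connection so
//    the escaping honours the connection's character set).
function build_query_escaped(mysqli $db, string $phrase): string
{
    $escaped = mysqli_real_escape_string($db, $phrase);
    return "SELECT name FROM addresses WHERE name LIKE '%$escaped%'";
}

// 4. Prepared statement: the phrase is sent as data and is never parsed as
//    SQL, whatever characters it contains. Note that LIKE wildcards (% and _)
//    inside the phrase still act as wildcards; the filter above already
//    blocks % but lets _ through because \w includes underscore.
function search_names(mysqli $db, string $phrase): array
{
    $stmt = $db->prepare('SELECT name FROM addresses WHERE name LIKE ?');
    $pattern = '%' . $phrase . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Exercise the filter offline with constructed inputs (no database needed).
$candidates = ["john smith", "ab", "x' OR '1'='1", str_repeat('a', 21)];
foreach ($candidates as $candidate) {
    $verdict = validate_search_phrase($candidate) !== null ? 'accepted' : 'rejected';
    echo "$candidate => $verdict\n";
}
```

Run with the PHP CLI; only the filter loop executes without a database. Of the four constructed inputs, only "john smith" is accepted: "ab" is too short, the quote-containing string fails the character class, and the 21-character string exceeds the length limit. The validation step is the one to apply first, because it shrinks what the escaping or the prepared statement ever has to deal with.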