Forum Moderators: coopster
For example, can malicious scripts be sent via a simple e-mail form, or only when data is collected and stored in the database? And is the use of stripslashes() and strip_tags() sufficient to remove any threat, or is there something else I would need to do?
TIA
Spook
Never let someone hijack your server for spamming - so be careful how you use the mail() function. Wherever possible, don't let people type in a destination address or pass anything to your mail() script via GET or with hidden form fields. (they may look hidden on the screen, but they're not hidden from savvy hackers)
If you're saving form data to a database, check your ini settings and experiment to see where & when you need stripslashes() and addslashes(). Apostrophes and quotes can be troublesome if they are written as values in an HTML tag...
<input type='text' value='O'Reilly'>
<input type="text" value="Akbar "The Sheik" Faruk">
Missing required fields can be easily detected with isset(), and is_array() does a good job catching an array of radio buttons.
A good strategy:
When you are validating your input, keep an array called $errors, and put the error messages in there as you find them. For instance, if the "email" field is invalid, do this:
$errors['email']="email address is invalid<BR>";
Then all you need to do is check that array:
if (count($errors)) {
    // show the form again
    // and ask for corrections
} else {
    // everything's OK.
    // process the data!
}
Special cases will require special cleaning. I've validated Vehicle VINs, Nurse Registration numbers, credit cards numbers, Amazon ASIN#s, product SKUs, ISBNs, all of which have unique but identifiable patterns.
And then there are people who type "florda" as their state. You need to anticipate the third regimen of idiots and sloppy typers dumping utter garbage into your forms. It's exhausting... but not more so than sifting through a database full of useless crap submitted by raving crackheads.
that's my $0.02
It seems to me that the only "safe" thing to do is remove absolutely everything except [as Sean says] what I am expecting to see - threat or no threat.
I like the $errors[] array idea, I will try and incorporate that.
Many thanks for the tips.
Spook
The reason being is that a lot of them have great ideas on how to strip out Cross-Site Scripting attacks (injecting malicious code into form submissions, etc.).
I generally approach this issue by making it so my forms will only accept ONE SINGLE type of input - sometimes I get so strict that a field will only accept the letters a-z with no spaces in between, or fields that are strictly numeric.
That way, I can use inbuilt functions like ctype_alpha and is_numeric to test the input.
Another advantage I get here is that it protects me from 98% of SQL injection attacks, since a good MYSQL injection attack requires the use of the equals sign and the space bar. If I can rob a hacker of those two characters I've made it nearly impossible for them to get a good hack.
I say NEARLY impossible because there are still other exploits.
A good rule of thumb is:
Don't trust ANY input from users - AT ALL. Be as paranoid as possible, because eventually SOME hacker will come along and they WILL spend weeks trying to figure out how to splatter your site's brains.
Other useful functions:
mysql_escape_string (mysql_real_escape_string on older PHP versions)
ctype_alpha
ctype_alnum
is_numeric
addslashes
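Putting the two approaches from this thread together (the $errors array from the earlier reply and the one-type-per-field rule from this one), here is an added example that is not code from any poster: a whitelist validator for a small contact form, with the submitted value re-displayed through htmlspecialchars() so an O'Reilly-style apostrophe cannot break the value attribute. The field names, the state list and the sample submission are constructed for the example.

```php
<?php
// Added example, not code from the thread: whitelist validation of a contact form.
// Each field accepts exactly one kind of input, errors are collected in $errors,
// and submitted values are re-displayed with htmlspecialchars() so quotes cannot
// break out of the value="" attribute. $form is constructed input standing in for $_POST.

function validate(array $form): array
{
    $errors = [];

    // Letters only, no spaces: ctype_alpha() rejects everything else, including
    // the '=' and space characters an injection attempt would typically need.
    $first = $form['first'] ?? '';
    if ($first === '' || strlen($first) > 40 || !ctype_alpha($first)) {
        $errors['first'] = 'First name must be letters a-z only<br>';
    }

    // Digits only: ctype_digit() is stricter than is_numeric(), which also
    // accepts "1e3" and leading whitespace.
    $qty = $form['qty'] ?? '';
    if (!ctype_digit($qty) || (int)$qty < 1 || (int)$qty > 99) {
        $errors['qty'] = 'Quantity must be a whole number from 1 to 99<br>';
    }

    // filter_var() checks e-mail syntax and rejects CR/LF, so a value that later
    // reaches mail() headers cannot smuggle in extra recipients.
    if (filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email address is invalid<br>';
    }

    // State: compare against a fixed list rather than a pattern, so "florda" is caught.
    $states = ['FL', 'NY', 'CA'];  // constructed, shortened list
    if (!in_array(strtoupper($form['state'] ?? ''), $states, true)) {
        $errors['state'] = 'Please pick a state from the list<br>';
    }
    return $errors;
}

// Re-displaying a value inside an attribute: escape it, never echo it raw.
function field(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample submission; a real script would read $_POST.
$form = ['first' => "O'Reilly", 'qty' => '5', 'email' => "a@example.com\r\nBcc: b@example.net", 'state' => 'florda'];
$errors = validate($form);
if (count($errors)) { echo implode("\n", $errors), "\n", field('first', $form['first']), "\n"; }
else { /* everything's OK: process the data, mailing to a hard-coded address */ }
```

With the sample input, three entries land in $errors (first, email, state) and the re-displayed field shows the apostrophe as an entity instead of closing the attribute early.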