There are many different ways to secure your applications. The best thing for you to do right now is to read up on different security problems and how to avoid them. Start with the following link: [phpsec.org...]

Ok I read on the sql injections and the form one, but for the sql injections, it doesn't provide a way to protect against it, except put "" quotes around all your variables and stuff, and also include your login and password and stuff in a sepertate file in a seperate location. Is that all I can do?

If you are using mysql, you should be escaping those variables with mysql_real_escape_string [php.net] in order to prevent from SQL injection. Aside from just escaping input (and by input I mean ANYTHING that can be altered by the user, including the referrer, etc), you should also make sure that it contains what it is suppose to contain, and not anything else that you wouldn't want to allow.

Oh so liek for a name input field, only accept letters? And do you have to include other characters besides letters for an injection?

Injections come in a variety of different ways, so no, there aren't just comprised of letters, if that's what you mean. Escaping your input should be enough to prevent SQL injection, however validating the input is extra security so that you KNOW you will not get unexpected results somewhere in your application; it doesn't necessarily mean that it will occur with the database, but it could very well be somewhere else. You always just want to know what to expect in a variable, and that is why we check :)

By validating you mean that its a required field right? And also I found some videos on youtube abuot the commands to get past and stuff, and I tried it all on my site, but none of them worked. I made some changes.

>> By validating you mean that its a required field right?

Not exactly. First off, by validation I do not mean measures to prevent SQL injection, but general security measures that should be taken. But an example of making sure the input is validated (clean), is for instance say you are looking for an integer to be input in a form. You want to check to first see if this is indeed an integer, and if it is not prompt for it to be submitted again. And then once it is an integer, be safe and still escape it before using it in a query. The reason you want to validate it to make sure it is an integer, is so that you don't get unexpected results from functions, etc, when you think you have an integer but in reality, with the validation, you may have a string of other random characters that will cause your application to fail.

Yeah so should I make sure ONLY letters/numbers are included becuase I noticed to do an SQL injection they use the (') a few times, and the (-) and(=) sometimes. Would that be a good means of security, becuase Im not sure how to make it not be used in a query or w/e.

What you allow in the field is up to what you actually NEED to allow in the field. If you need to allow other characters other than alphanumerics then you can without any further security issues, as long as you escape the data correctly. Here is an example:

#connect to db server, select database...
$input = $_POST['input'];
#validate input...
$query = "SELECT * FROM `table` WHERE `field` = '".mysql_real_escape_string($input)."'";
#etc...

This should sufficiently protect you from SQL injection.

Oh so liek this?:

$query = "SELECT * FROM `mahtable` WHERE `name` = '".mysql_real_escape_string($input)."'";

and then input would be the name of the field?

yup

Ok but how do I make it for like a login field, becuase my login fields I dont think like connect to the database, it connects to my admin panel.