I cannot post links to them, but there are tons of resources out there discussing the vulnerabilities of PHP_SELF. They're easy to find. Use a hard-coded value, or create a constant, or a variable, whatever.
By validation, I am presuming you mean fields not empty, correct formats for stuff; these are fairly simple but will go on a case-by-case basis. The validation for an email field is very different from that for a plain text field. It's going to vary geographically too.
As for validation in respect to security, there are security discussions all over this site. There is no one-off "do this and you'll be safe." The truth is, you can do everything everyone suggests and still get hacked, if they are determined enough.
But you can decrease the odds, a lot. It's more of a philosophy than anything else.
- "Every user input is a potential hack." This quote by Selena Sol really describes the problem, and leads to the best choices. Treat any request, to a form or NOT, as the poison it is.
- Throw anything you don't expect away, and examine everything you want to keep as if it were dating your daughter. Or son. The simplest example, and least cleansed, is this.
script.php?record_id=1234
If you're expecting a number, this simple code makes sure it is.
if (isset($_GET['record_id']) and ($_GET['record_id'] > 0)) {
    // we're okay.
} else {
    die("Invalid input supplied");
}
Why not use is_numeric? In most cases, you will never query 0 for your database, and zero passes is_numeric. Any attempt to abuse this input with **anything** but a number will fail. Text will always evaluate to zero.
The second-best thing I can suggest: make logging input a requirement, not a vague thought on your wish list. If you start getting attacked, the information to be gleaned from a simple log that records raw input to your site is going to be gold in figuring out what they are up to, and how to stop them. This is going to be vastly different from what you get from access logs, and a lot more specific and intelligible. Choose a private location off the domain root, log all input to a file there, and check it as often as you have time for.
There are many, many more; as mentioned, it's going to depend on what you're doing. Sometimes you will want to allow HTML; you'll need to define what IS valid HTML for use on your site and in your database, and what is not, and compare input against your definitions. Sometimes you won't, so you can kill anything that comes close to an HTML tag. Sometimes you'll want to allow special characters, sometimes you won't.
Use all the tools PHP provides you, but it's not always enough. Every time you look at input, stop and think: can I make sure what comes in here is only what I need, and some unknown input can't get past it?
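Added example, not part of the original answer: the three points above (a hard-coded form action instead of PHP_SELF, a record_id check that only accepts a positive integer, and a raw-input log kept outside the web root) put together in one script. The log path, the field name, the constant names and the helper functions are assumptions made for the example. The id check uses filter_var with FILTER_VALIDATE_INT and a min_range option, which rejects anything that is not a decimal integer string and does not depend on how PHP's loose comparison coerces text to numbers.

```php
<?php
// Added example (not from the original answer). Paths, constants and
// function names are hypothetical; adjust to your own layout.
declare(strict_types=1);

// Hard-coded form action instead of echoing $_SERVER['PHP_SELF'].
const FORM_ACTION = '/script.php';

// Raw request log kept off the document root (assumed path).
const RAW_INPUT_LOG = '/var/log/myapp/raw_input.log';

/**
 * Validate an id that must be a positive integer.
 * FILTER_VALIDATE_INT returns false for anything that is not a decimal
 * integer string ("", "12abc", "1e3", "0x1A", "012", "abc"); min_range => 1
 * additionally rejects 0 and negatives. An array (record_id[]=1) is
 * rejected before filtering. Returns the int, or null on failure.
 */
function validateRecordId($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

/**
 * Append one JSON line per request with the raw GET/POST data and basic
 * request metadata. Values are stored verbatim for later investigation and
 * must never be echoed back into a page without escaping.
 */
function logRawInput(array $get, array $post, array $server, string $path = RAW_INPUT_LOG): bool
{
    $entry = [
        'time'   => gmdate('c'),
        'ip'     => $server['REMOTE_ADDR'] ?? '',
        'method' => $server['REQUEST_METHOD'] ?? '',
        'uri'    => $server['REQUEST_URI'] ?? '',
        'ua'     => $server['HTTP_USER_AGENT'] ?? '',
        'get'    => $get,
        'post'   => $post,
    ];
    $line = json_encode($entry, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

// --- request handling ---
logRawInput($_GET, $_POST, $_SERVER);

$recordId = validateRecordId($_GET['record_id'] ?? null);
if ($recordId === null) {
    http_response_code(400);
    exit('Invalid input supplied');
}

// $recordId is now a genuine int. Bind it as a parameter; do not
// interpolate it into the SQL string. ($pdo is assumed to exist.)
// $stmt = $pdo->prepare('SELECT * FROM records WHERE id = ?');
// $stmt->execute([$recordId]);

// The form posts to a fixed path, so nothing attacker-controlled is
// written into the action attribute.
echo '<form method="post" action="' . FORM_ACTION . '">';
echo '<input type="hidden" name="record_id" value="' . $recordId . '">';
echo '</form>';
```

Examples of what validateRecordId does with the inputs the answer discusses: "1234" returns 1234; "0", "-5", "abc", "1234abc" and "1e3" all return null and the request ends with a 400. The log line is appended before validation runs, so rejected requests are recorded too, which is exactly the traffic the answer says you want to be able to read later.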