And, you can add to this:

> Never trust data from the client...always filter it (I use a lib to do that)!
> Make sure register_globals is off or code accordingly.
Make sure that you're using SSL (https). Also (maybe not directly related, though...), if possible, separate your web server from your database server. And you might also want to create different database users for different purposes (i.e. one user can ONLY select, another ONLY for updating, etc.). You can even forget about a user that can delete data--you can always do it yourself offline, or at least not via the web server.

HTH,
- E

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
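The per-purpose database accounts suggested above, written out as an added example (not from the original post): MySQL GRANT statements for a hypothetical application database named `shop`, with the web server assumed to sit on a separate host at the constructed address 10.0.0.5.

```sql
-- Added example, not from the original post. Assumes MySQL 5.7+/8.0 syntax,
-- a database named `shop`, and a web server on 10.0.0.5 (constructed
-- address) that is a different machine from the database server.

-- Read-only account: SELECT only, and only when connecting from the web host.
-- This is the account used by pages that just display data.
CREATE USER 'shop_reader'@'10.0.0.5' IDENTIFIED BY 'change-me-reader';
GRANT SELECT ON shop.* TO 'shop_reader'@'10.0.0.5';

-- Write account: may insert and update rows, but has no DELETE and no
-- schema privileges (DROP, ALTER). Used only by the pages that save data.
CREATE USER 'shop_writer'@'10.0.0.5' IDENTIFIED BY 'change-me-writer';
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'shop_writer'@'10.0.0.5';

-- No account reachable from the web server can delete data at all.
-- Deletion and maintenance are done by an administrator logged in
-- locally on the database server, never through the web tier.
CREATE USER 'shop_admin'@'localhost' IDENTIFIED BY 'change-me-admin';
GRANT ALL PRIVILEGES ON shop.* TO 'shop_admin'@'localhost';

FLUSH PRIVILEGES;

-- Check: each web-facing account should list only the privileges granted
-- above, and no entry for any other host.
SHOW GRANTS FOR 'shop_reader'@'10.0.0.5';
SHOW GRANTS FOR 'shop_writer'@'10.0.0.5';
```

In the PHP code, open the connection with `shop_reader` for read-only pages and with `shop_writer` only where a write is actually needed, so a flaw in a display page cannot be used to modify data.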