Hey guys, I'm pretty new to PHP etc. and was wondering if you could tell me what sort of security I need for my forum site?
cheers guys =]
PHP Security for input and forums
4 Replies - 675 Views - Last Post: 12 August 2008 - 01:23 AM
Replies To: PHP Security for input and forums
#2
Re: PHP Security for input and forums
Posted 11 August 2008 - 11:33 AM
mysql_real_escape_string()
stripslashes()
addslashes()
those should be it
oh, and probably wanna replace % with \%
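As an added example (not code from the original thread), here is a forum search written with a PDO prepared statement, which keeps the user's term out of the SQL text entirely, plus a helper that escapes the LIKE wildcards `%` and `_`, which is the reason the reply above suggests replacing `%` with `\%`. The `posts` table, its columns and the connection details are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Assumptions: a table `posts`
// with columns `id` and `title`; the DSN and credentials are placeholders.

declare(strict_types=1);

/**
 * Escape the LIKE metacharacters in a user-supplied search term.
 * A prepared statement stops the term from changing the SQL, but it does not
 * stop '%' or '_' from being interpreted by LIKE itself: an unescaped '%'
 * would match every row. The escape character itself is replaced first so the
 * ones added afterwards are not doubled up.
 */
function escapeLike(string $term, string $escapeChar = '\\'): string
{
    return str_replace(
        [$escapeChar, '%', '_'],
        [$escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'],
        $term
    );
}

function searchPosts(PDO $db, string $userTerm, int $limit = 20): array
{
    // The term reaches the query only as a bound value, never by string
    // concatenation, so a quote inside $userTerm cannot end the literal.
    $pattern = '%' . escapeLike($userTerm) . '%';

    $stmt = $db->prepare(
        "SELECT id, title FROM posts
         WHERE title LIKE :pattern ESCAPE '\\\\'
         ORDER BY id DESC
         LIMIT :limit"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    // LIMIT has to be bound as an integer; bound as a string it is a syntax
    // error on MySQL once emulated prepares are off.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection details (assumption).
$db = new PDO(
    'mysql:host=localhost;dbname=forum;charset=utf8mb4',
    'forum_user',
    'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares, so values are never interpolated
        // client-side.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Hostile-looking input: the quote cannot break out of the literal, and the
// '%' is matched literally rather than as a wildcard.
foreach (searchPosts($db, "100% legit' OR '1'='1") as $row) {
    printf("%d: %s\n", $row['id'], $row['title']);
}
```

The `ESCAPE '\\'` clause names the backslash explicitly so the query does not depend on the server's default escape character; the PHP double-quoted string turns `'\\\\'` into `'\\'`, which MySQL reads as a single backslash.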
#3
Re: PHP Security for input and forums
Posted 11 August 2008 - 11:36 AM
Are you building a new forum system in PHP, or are you using an existing software package? A full forum system is a pretty large project for someone new to PHP. If you need a forum I suggest using one of the mature open source PHP ones available, and starting smaller for your learning projects.
If you are using an existing program, like WordPress, then this isn't a programming question at all, it is a system admin task. The software you are using probably has its own set of requirements for file permissions and whatnot, so read its documentation. Keep in mind that any permissions it suggests for your files and directories are maximum permissions: do not give them more permissions than suggested, and do not give other files extra permissions that are not listed.
#4
Re: PHP Security for input and forums
Posted 11 August 2008 - 12:46 PM
Use functions like htmlentities() and htmlspecialchars() to sanitize data to protect against XSS (Cross site scripting).
Use functions like mysql_real_escape_string() to protect against SQL injections.
As far as remote/local file inclusion (RFI and LFI respectively) you'll need to have safe coding practices, like if someone tries to include a page that doesn't exist on the server, redirect them to index.php, etc. Also, if you are using an old version of PHP, make sure Register Globals is set to off.
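Added example (not code from the original thread) for the two points in the reply above: an output-encoding helper for XSS, and an allowlist for the "page" include so that neither a remote URL nor a local path such as `../../etc/passwd` can ever be passed to `require`. The page names and the `pages/` directory layout are assumptions made for the illustration.

```php
<?php
// Added example, not from the original thread. The PAGES map and the file
// layout under pages/ are assumptions.

declare(strict_types=1);

/**
 * Encode a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES also encodes single quotes, so the value is safe inside
 * attributes delimited with ' as well as ". ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of making htmlspecialchars() return an empty string.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Map the user-visible page name to a file. Only names listed here can ever
 * be included: the request value is used as a lookup key, never as a path.
 */
const PAGES = [
    'index'  => 'pages/index.php',
    'thread' => 'pages/thread.php',
    'login'  => 'pages/login.php',
];

function resolvePage(?string $requested): string
{
    $name = $requested ?? 'index';
    // Unknown names fall back to the index page, as the reply describes, but
    // the decision is taken on the allowlist, not on whether some file with
    // that name happens to exist on disk.
    if (!array_key_exists($name, PAGES)) {
        $name = 'index';
    }
    return __DIR__ . '/' . PAGES[$name];
}

// --- Usage ---------------------------------------------------------------

// Text context: a username containing markup is rendered as text, not run.
$username = '<script>alert(1)</script>';
echo '<p>Posted by ' . h($username) . '</p>' . "\n";

// Attribute context: encode there too, and always quote the attribute.
$search = '" onmouseover="alert(1)';
echo '<input name="q" value="' . h($search) . '">' . "\n";

// File inclusion: the two hostile values resolve to the index page, the
// allowlisted name resolves to its own file.
foreach (['../../etc/passwd', 'http://evil.example/shell.txt', 'thread'] as $p) {
    echo $p, ' -> ', resolvePage($p), "\n";
}

// Then, and only then, include whatever the allowlist returned:
// require resolvePage($_GET['page'] ?? null);
```

`htmlspecialchars()` encodes the five characters that matter in an HTML text or attribute context; `htmlentities()` additionally converts every character that has a named entity, which is harmless but unnecessary once the page is served as UTF-8.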
#5
Re: PHP Security for input and forums
Posted 12 August 2008 - 01:23 AM
Also, if the value you are wanting to enter into your database is an integer, simply declare the data type as follows:
$value = (int)$_POST['formvalue'];
Where the (int) will force the value to be a number (it will return 0 if a string has been entered).
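Added example (not code from the original thread): reading an integer form field with `filter_var()` so that non-numeric input is rejected instead of silently becoming 0, and bounding the value to a sensible range at the same time. The `thread_id` field name and the range limits are assumptions.

```php
<?php
// Added example, not from the original thread. Field name and limits are
// assumptions for illustration.

declare(strict_types=1);

/**
 * Return the field as an int, or null if it is missing, not an integer, or
 * outside [$min, $max]. Unlike (int)$value, "abc" yields null rather than 0,
 * and "12abc" is rejected rather than truncated to 12.
 */
function postInt(array $post, string $field, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    // A field sent as thread_id[]=1 arrives as an array; treat that as missing.
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    $v = filter_var($post[$field], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

// Constructed inputs standing in for $_POST, one per case.
$samples = [
    ['thread_id' => '42'],
    ['thread_id' => 'abc'],
    ['thread_id' => '12abc'],
    ['thread_id' => '-1'],
    ['thread_id' => ['1']],
    [],
];

foreach ($samples as $post) {
    $validated = postInt($post, 'thread_id');
    $cast = (isset($post['thread_id']) && is_string($post['thread_id']))
        ? (int) $post['thread_id']
        : 0;
    // Side by side: the validated value (null on rejection) and the plain cast.
    var_dump($validated, $cast);
}
```

The point of returning null rather than 0 is that the caller can distinguish "no such thread" from "bad request" and answer each with the right status, instead of running a query for thread 0.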