Paranoia has its place
WRONG!!!!! That innocuous little box is one of the worst things you could see on your site, especially if you have any form of membership, customers or database. It means the site took something you typed and handed it straight back to the browser as live HTML, so anyone can make your visitors' browsers run whatever they like. If you see it then you've just unlocked your door and left it wide open, and you've failed miserably at the most basic rules of coding: NEVER TRUST INPUT and NEVER OUTPUT UNSANITISED INPUT.
Now we all know, or we should all know, that you should never just shove information straight from $_GET/$_POST into a database ... hell, it's one of the quickest ways to unlock your database to the world, you might as well just put your connection details on your front page in <h1> tags. The very least you should do is escape the string for the database, but that really isn't enough: escaping for the database does nothing for the browser, and a string that is harmless in SQL can still carry a <script> tag. Every single piece of data that your website uses should be verified against the type and contents that it allows. If you're asking for an ID, make sure it's a number (sounds obvious, but you'd be amazed). Asking for a date? Either make sure she's hot or check the input is actually a date, huh? A string? Only allow the characters you expect (and still escape it :|). And you shouldn't just be doing this if you're going to shove the data into a database, you should always do it, even if you're only echoing the values back to the screen.
“Yeah, but it only happens to crap coders who write shitty little websites that no one will use, right?” ..... urm, guess again ..... I spent the last few days trawling round the web reading up on this and eventually ended up on this thread on sla.ckers.org, which has a list full of some of the biggest names on the web, including several .gov websites! At the time the thread was 34 pages long and growing daily.
Now, the boys at b2evolution are pretty hot when it comes to sanitising input and output, but that only protects you if you actually use their functions ( param() is there for a reason ;) ). If you code a plugin/hack that doesn't use them then you really need to make damn sure that you do your own checks/sanitisation. This is especially true if you're going to make your plugin a public release, because then it's not just your own blog whose door you've unlocked, it's every blog that installs your plugin/hack.
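As an added example (my code, not code from this post or from b2evolution), here is the kind of per-parameter check and output escaping described above, which is also what a plugin author who bypasses param() has to do by hand: an ID must be a positive integer, a date must be a real calendar date, a tag may only contain the characters a tag is allowed to have, every value gets HTML-escaped on output whether or not it passed validation, and the database only ever sees the value through a bound parameter. The sample "requests", the `posts` table and the ID 42 are constructed so that it runs offline against an in-memory SQLite database through PDO.

```php
<?php
// Added example, not b2evolution code. Validate every request value against
// the type you expect, escape on output, and keep raw input out of the SQL text.
declare(strict_types=1);

// Returns the ID as an int, or null unless it is a plain positive integer.
function validate_id(string $raw): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", "42 OR 1=1"; min_range rejects 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Returns a YYYY-MM-DD string, or null unless the input is a real calendar date.
function validate_date(string $raw): ?string
{
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    // createFromFormat() returns false on trailing garbage, but silently rolls
    // 2007-02-30 over into March; the round-trip comparison catches that.
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

// Returns the tag if it only contains the characters a tag may have, else null.
function validate_tag(string $raw): ?string
{
    return preg_match('/\A[a-z0-9][a-z0-9-]{0,63}\z/', $raw) === 1 ? $raw : null;
}

// Output escaping: the only way a request value should ever reach an HTML page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Database access with a bound parameter: the ID is sent separately from the query text,
// so even a bad value could not change the shape of the statement.
function fetch_post_title(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// --- demo with constructed data standing in for a real table and $_GET -------
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts VALUES (42, 'Paranoia has its place')");

$requests = [
    ['id' => '42',        'date' => '2007-02-28', 'tag' => 'security'],
    ['id' => '42 OR 1=1', 'date' => '2007-02-30', 'tag' => '<script>alert(1)</script>'],
];

foreach ($requests as $get) {
    $id   = validate_id($get['id']);
    $date = validate_date($get['date']);
    $tag  = validate_tag($get['tag']);

    if ($id === null || $date === null || $tag === null) {
        // WRONG would be: echo "rejected: " . $get['tag'];  (hands the <script> tag to the browser)
        // Even the error message escapes the raw values before showing them.
        echo 'rejected: id=', h($get['id']), ' date=', h($get['date']), ' tag=', h($get['tag']), "\n";
        continue;
    }
    $title = fetch_post_title($db, $id);
    echo 'post ', $id, ' (', h($tag), ', ', $date, '): ', h($title ?? '(not found)'), "\n";
}
```

Run it with `php` and the second request is rejected, with the script tag printed as `&lt;script&gt;...` rather than as markup; the first request reaches the database with `42` as a bound integer. The point of escaping in the rejection branch too is the one the post makes: a value is escaped because it is going into HTML, not because it failed or passed some other check.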
If you want to read more about this then try some of the following links. There's a good deal of information about this and other security problems, including ways of blocking these holes:
Full Disclosure - sla.ckers.org (highly recommended if you like horror stories)
PHP and Web Application Security - shiflett.org
Nitesh Dhanjani - dhanjani.com
PHP: Security - Manual - php.net
The moral of this story is very simple “ In God you trust ... just sanitise His input first ” ;)
If anyone from sla.ckers.org happens to read this post, I'd like to thank you for your full disclosure forum. It certainly was an eye-opener!