Originally posted here by ric-o:
1) Validate all user input fields to protect against SQL injection and buffer overflows. Filter out stuff that could be used for SQL injection such as characters like ' " ( ). Check length and crop it off.

Actually this is the wrong way to do it. The proper way would be to filter on the stuff you want/need and drop everything else (just like a firewall; allow what you know and kill the rest). You won't be the first who has the "too many slashes" syndrome or got bitten by someone that uses a different character set (especially with UTF-8/Unicode).
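The two approaches side by side, as an added example that is not part of either post: a deny-list filter that strips ' " ( ) as suggested, next to an allow-list check that accepts only what the field is defined to contain, followed by a parameterised query. The username rule, the in-memory SQLite table and the sample names are constructed for the demonstration and are not from the thread.

```python
import re
import sqlite3

# Characters the quoted post suggests stripping. This set is constructed for
# the comparison only; a real deny-list would be longer and still incomplete.
DENYLIST = set("'\"()")

# Allow-list for a username field: ASCII letters, digits and underscore,
# 1..32 characters. Used with fullmatch() so the whole string must conform
# (a trailing "$" anchor would still match before a final newline).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def strip_denylist(value: str) -> str:
    """Deny-list style: remove the 'bad' characters and keep everything else.

    The input is silently rewritten (o'brien becomes obrien) and any
    character nobody thought to list passes through untouched.
    """
    return "".join(ch for ch in value if ch not in DENYLIST)


def validate_username(value: str) -> bool:
    """Allow-list style: accept only what the field is defined to contain.

    Quotes, parentheses, look-alike Unicode letters, control characters and
    over-long input all fail the same single check, so there is no list of
    forbidden characters to keep up to date.
    """
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob_42", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_email(conn: sqlite3.Connection, username: str):
    """Validate against the allow-list first, then query with a bound parameter.

    Validation keeps the field to what the application expects; parameter
    binding keeps the value from ever being parsed as SQL. Both are used,
    because neither one replaces the other.
    """
    if not validate_username(username):
        raise ValueError("username rejected by allow-list")
    row = conn.execute("SELECT email FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_demo_db()
    # "\uff41" is a fullwidth Latin 'a': the deny-list never looks at it,
    # the allow-list rejects it without needing to know it exists.
    for candidate in ["alice", "o'brien", "\uff41lice", "a" * 33, "alice\n"]:
        print(repr(candidate),
              "| deny-list ->", repr(strip_denylist(candidate)),
              "| allow-list ->", validate_username(candidate))
    print(lookup_email(conn, "bob_42"))
```

The allow-list check is deliberately written as a single regular expression over the whole value: length, character set and the absence of control characters are all decided in one place, and a value that does not fit is rejected rather than "cleaned", so the application never stores something the user did not actually type.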