I would like some suggestions on how I can secure my very first guestbook.

As many of you are aware, I have set up my computer as a web server. This has made me more aware of security. Since then I have installed and configured PHP support in my server. I have also been working on creating my own guestbook instead of relying on someone else's work.

The guestbook will be done with a combination of PHP, JavaScript and HTML; since I am new to PHP, I can't do it all with PHP yet. OK, so here is the deal:

I have been made aware that HTML and SSI includes could be constructed in a guestbook entry such that it would execute a binary on the server, or delete files, etc.

To fix this I devised a plan. I will create a JavaScript form verifier that will look at each field and determine if the correct format of information has been entered. Once the JavaScript approves of the form, it will be sent to my PHP script, which will then strip out any HTML, SSI or JavaScript from all the fields, format the whole thing as one string, store it in a file, and display it to the user.

So far I have got my PHP script to strip all HTML, JavaScript and any SSI from all fields; also, my form verifier is now complete.

However, I have a few more concerns that I would like your advice on, and here they are:

First, it was suggested to me that I use expose_php = off in my php.ini file, which I have done, to reduce information available to attackers, and to use a weird file extension for the PHP MIME type:

AddType application/x-httpd-php .asp .py .pl

My question: do you recommend changing the default PHP extension, and are there any other security considerations I may be overlooking?

I am aware that turning on PHP in my server is now a major security concern, as now attackers can locate my PHP files and try to exploit them. I am known to be a very sloppy programmer periodically; you may call me a spaghetti programmer, although I don't use any goto statements or anything like that. I don't want to do a sloppy job with my very first guestbook and end up with a dozen security holes.

Can you give me some suggestions on how I can make this guestbook secure? I am now thinking that using a JavaScript form checker may have been a bad choice, as people can download the source, modify the JavaScript, and run it, and I will have no way of knowing my code has been modified. How can I prevent this?
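Added example (not the poster's code) of the server-side half of the plan above: a small PHP handler that repeats the validation on the server, stores each entry as one JSON line, and escapes entries at display time instead of trusting the browser-side checker. The storage path and the form field names (name, message) are assumptions.

```php
<?php
// Added example, not the poster's code. Storage path and field names are assumptions.
// The browser-side checker can be bypassed, so every check is repeated here, and entries
// are escaped on output: htmlspecialchars turns '<' into '&lt;', which neutralises HTML,
// <script> tags and SSI directives (<!--#exec ... -->) alike.
define('GUESTBOOK_FILE', __DIR__ . '/../data/guestbook.txt'); // assumed: outside the web root
// Server-side validation. Returns a list of error messages; empty means the entry is acceptable.
function validate_entry(string $name, string $message): array
{
    $errors = [];
    if ($name === '' || strlen($name) > 60) {
        $errors[] = 'Name must be 1-60 characters.';
    }
    if ($message === '' || strlen($message) > 2000) {
        $errors[] = 'Message must be 1-2000 characters.';
    }
    // Control characters (including newlines) in the name would break the one-entry-per-line file.
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors[] = 'Name contains control characters.';
    }
    return $errors;
}
// Append one entry as a JSON line; quotes and newlines inside fields cannot break the format.
function store_entry(string $name, string $message): void
{
    $entry = ['time' => time(), 'name' => $name, 'message' => $message];
    $line  = json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    file_put_contents(GUESTBOOK_FILE, $line, FILE_APPEND | LOCK_EX);
}
// Render stored entries; the raw text is escaped here, at display time, never echoed as-is.
function render_entries(): string
{
    if (!is_file(GUESTBOOK_FILE)) return '';
    $html = '';
    foreach (file(GUESTBOOK_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry)) continue; // skip a corrupted line rather than fail the page
        $html .= '<p><b>' . htmlspecialchars($entry['name'], ENT_QUOTES, 'UTF-8') . '</b> wrote:<br>'
            . nl2br(htmlspecialchars($entry['message'], ENT_QUOTES, 'UTF-8')) . "</p>\n";
    }
    return $html;
}
// Handle a submission: validate again on the server, then show the (escaped) book.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name    = trim((string) ($_POST['name'] ?? ''));
    $message = trim((string) ($_POST['message'] ?? ''));
    if (validate_entry($name, $message) === []) {
        store_entry($name, $message);
    }
}
echo render_entries();
```

Because the escaping happens when the page is rendered, the stored text can be kept exactly as submitted; whatever the modified JavaScript sends still arrives at this script and is checked and escaped here.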