Author Topic: My first steps in the marvellous world of PHP/MYSQL :D  (Read 14179 times)


combatking0
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #20 on: October 01, 2009 »
Would the use of session variables be recommended as an extra security measure in this case - if the form was submitted from another site, the session variable would not be set, or would be invalid - in theory.

Shockwave
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #21 on: October 01, 2009 »
The session could be checked as an extra measure, good idea. What would stop a user being logged in though and still running an XSS attack?

combatking0
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #22 on: October 02, 2009 »
You could check the value of $_SERVER['HTTP_REFERER'] to see the last URL the browser was on, and see if the form came from your domain or not.

However, some browsers do not submit this information, and it may also be possible to "spoof" this value using a customised/hacked browser.
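The two ideas in the last three posts (a session-bound value that a foreign site cannot know, plus an Origin/Referer comparison as a secondary check) fit together as a standard anti-CSRF token. The following is an added example, not code from the thread; the session key `csrf_token`, the hidden field name `csrf` and the host name `TRUSTED_HOST` are assumptions. Since the Referer header is optional and may be stripped, a missing header is tolerated and only a mismatched one is rejected; the token remains the mandatory check.

```php
<?php
// Added example (not from the thread): anti-CSRF token stored in the session,
// checked together with an Origin/Referer comparison. The session key,
// the "csrf" field name and TRUSTED_HOST are assumptions.
session_start();

const TRUSTED_HOST = 'www.example.com'; // assumed: the site's own host name

// Issue one unpredictable token per session and embed it in every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Origin is sent by browsers on cross-site POSTs; Referer is optional and
// may be removed by the browser or privacy tools. An absent header is
// therefore not treated as an attack, only a present but mismatched one is.
function origin_check_ok(array $server): bool
{
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $key) {
        if (!empty($server[$key])) {
            $host = parse_url($server[$key], PHP_URL_HOST);
            return strcasecmp((string) $host, TRUSTED_HOST) === 0;
        }
    }
    return true; // neither header present: rely on the token alone
}

function csrf_check_ok(array $post, array $server): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = (string) ($post['csrf'] ?? '');
    // hash_equals() compares in constant time so the token cannot be
    // guessed byte by byte from response timing.
    return $expected !== ''
        && hash_equals($expected, $given)
        && origin_check_ok($server);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check_ok($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Form did not originate from this site.');
    }
    // ... process the trusted submission here ...
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
```

Note the limit Shockwave raised: this only proves the request came from a page the site itself served to that session. A logged-in user submitting script tags through the legitimate form passes this check unchanged, so XSS is handled separately, on output.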

Shockwave
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #23 on: October 02, 2009 »
The message has to be that some programmers will obviously make some compromises sometimes for practicality's sake, even the most conservative programmers will make some security concessions on occasion, it is just a matter of closing the most obvious loopholes and doing the best job that practicality allows.

Personally I do not trust form data, my scripts convert variables to their expected type, tags are stripped and data is made safe for queries using either prepared statements or mysqli_real_escape_string.

If you do those things then you should be safe in most cases unless someone was really determined.

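The handling described in the post above, as an added example rather than Shockwave's own code: the submitted values are cast to their expected types, the query is built with a mysqli prepared statement so the data never becomes part of the SQL text, and the text is encoded when it is printed back into HTML. The table and column names, the 1000-character limit and the database credentials are assumptions. One caveat a practitioner would add: stripping tags on input is not what stops XSS in the stored-comment case, escaping for the output context is, so the example keeps the text as typed and encodes it on the way out.

```php
<?php
// Added example (not from the thread): typed input, a prepared statement for
// the INSERT, and output encoding when the comment is rendered. Table and
// column names, the length limit and the credentials are assumptions.

function clean_comment(array $post): ?array
{
    // Cast to the expected type. Anything that is not a positive integer is
    // rejected here instead of being handed to the query.
    $productId = filter_var(
        $post['product_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    $comment = trim((string) ($post['comment'] ?? ''));
    if ($productId === false || $comment === '' || mb_strlen($comment) > 1000) {
        return null;
    }
    return ['product_id' => $productId, 'comment' => $comment];
}

function store_comment(mysqli $db, int $productId, string $comment): bool
{
    // Placeholders keep the values out of the SQL text, so a quote or a
    // trailing "' OR 1=1 -- " inside $comment cannot alter the statement.
    $stmt = $db->prepare('INSERT INTO comments (product_id, body) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('is', $productId, $comment); // i = int, s = string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function render_comment(string $comment): string
{
    // Encode for the HTML body context at output time; this is what turns
    // "<script>" into harmless text regardless of what was stored.
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

$data = clean_comment($_POST);
if ($data === null) {
    http_response_code(400);
    exit('Invalid input.');
}

$db = new mysqli('localhost', 'shop', 'secret', 'shopdb'); // assumed credentials
// The connection charset must match the data; it also matters for any place
// where mysqli_real_escape_string() is used instead of a placeholder.
$db->set_charset('utf8mb4');

if (!store_comment($db, $data['product_id'], $data['comment'])) {
    http_response_code(500);
    exit('Could not save the comment.');
}
echo render_comment($data['comment']);
```

The escaping function is tied to the context: htmlspecialchars() is right for text inside an HTML element, but a value placed in a JavaScript string or a URL needs the encoder for that context instead.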

combatking0
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #24 on: October 02, 2009 »
I've certainly learned some new tricks though.

I'll have to re-program the shop sites I made to include the newly learned features.