Maybe I am nutts or excessive when it comes to security, but I've been noticing that no one else leaves traps and alarms when dealing with user input from the client. What I mean by traps is the below:
...
...
The first thing I check before validating input is this debugOn variable... if it's anything else besides "off", all of the input is serialized and logged with the offending client IP to a suspect log which is then checked every 10 minutes by a cron Job. If the suspectLogger cronjob counts more then 3 events against a IP, that addressed is blocked or redirected to a static html page.
Another good one is when I am passing ID via get/post from one page to the next. If on the next validation the record ID doesn't match the stored IP address and their domain isn't aol.com or doesn't have the word proxy in it somewhere, a suspect event is logged and they're redirected back to the originating form with a message saying there is a mismatch between their IP address and record number.
So far every idea I've come up with that I thought was original, someone thought of five years ago or has been unfeasible, so I wonder why no one else does this, it was pretty easy to setup.