I've written a simple forum, using DBI, HTML::Template and CGI::Session.

It wasn't intended to be a professional product, it was just for a small group of people who can all be trusted. But what if it goes live to a wider audience?

What would you do to harden that application against people who might URL-hack or otherwise try to exploit weaknesses?

To give one example: if I've made a post, I can edit it. The Edit Post URL is foo.com/edit/123. And that's fine because I wrote post 123. What if I change the URL to 122? Can I edit someone else's post? What if I use that URL to edit my own post 123 then change the hidden form field value to 122? Can I save post 123 into post 122?

Now, I'm quoting those because I've thought of them. And I can trivially code for them. If the user id != the user id who made the post, etc. But as they say, everyone is clever enough to invent a code that they can't break themselves...

(I should say by the way that my DBI database calls all use placeholders, no interpolation of variables, so I don't think I'm vulnerable to the Bobby Tables kind of problem. But tell me if that's not enough.)

What principles or procedures should I follow to identify and prevent that kind of exploit?