You don't need big protection for a RO server: there's no gain for potential hackers, so you can just expect to be attacked only by unhappy users, 99.9% of whom won't know how to bypass basic security measures:
You only need to be concerned about SQL injections (any level) and basic XSS attacks. What's the best thing you can do out there? Sanitize any user input and you're good to go: ensure you got what you expected when the form is sent and you needn't worry about anything else. Just be paranoid about any user input you get.
PHP already provides the tools you need: use strlen() to ensure all string lengths (user name, password, mail) are in bounds (also check the sex length for the account is 1), then use a whitelist of the chars you'd want to insert into your SQL database and check all strings meet those requirements. Here is an example of the character whitelist of Ceres CP (returns TRUE if there's any unallowed character in a string):
function inject($string) {
    // allowed characters
    $permitido = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890.@$&-_/§*°ºª";
    // walk the string one byte at a time; any byte not in the whitelist is rejected
    for ($i = 0; $i < strlen($string); $i++) {
        if (strpos($permitido, substr($string, $i, 1)) === FALSE) {
            return TRUE; // found a character that is not allowed
        }
    }
    return FALSE; // every character is in the whitelist
}
You could also sanitize the vars for inserting them into the DB by using functions like mysql_real_escape_string. You should be good to go with the above function, though.
Hope I helped.
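As an added example (not code from the post above or from Ceres CP), here is the same idea carried through to the database write: length bounds per field, a byte-oriented character whitelist, and a PDO prepared statement so the validated values are bound as parameters instead of being concatenated into the SQL. The table name `accounts`, its column names, the per-field length limits, the M/F check on `sex`, and storing the password as a password_hash() digest are all assumptions for illustration; the whitelist here is ASCII-only and deliberately omits the non-ASCII characters in the Ceres CP list.

```php
<?php
// Added example, not part of the original post. Table/column names, length
// limits and the M/F rule are assumed for illustration.
declare(strict_types=1);

// Whitelist as a regex character class (ASCII only, so strlen() and the
// pattern both work on the same byte units).
const ALLOWED_RE = '/^[A-Za-z0-9.@$&\-_\/*]+$/';

/**
 * Returns a list of validation errors; an empty list means every field is
 * acceptable. $fields is the raw form input (e.g. $_POST) and is not modified.
 */
function validate_account(array $fields): array
{
    $rules = [
        // field      => [min length, max length]  (assumed limits)
        'username' => [4, 23],
        'password' => [4, 23],
        'email'    => [6, 39],
        'sex'      => [1, 1],
    ];
    $errors = [];
    foreach ($rules as $name => [$min, $max]) {
        $value = $fields[$name] ?? null;
        if (!is_string($value)) {              // missing, or an array from a tampered form
            $errors[] = "$name: missing";
            continue;
        }
        $len = strlen($value);
        if ($len < $min || $len > $max) {
            $errors[] = "$name: length $len not in [$min, $max]";
            continue;
        }
        if (preg_match(ALLOWED_RE, $value) !== 1) {
            $errors[] = "$name: contains characters outside the whitelist";
        }
    }
    // Assumed rule: sex is exactly one of the two letters M or F.
    $sex = $fields['sex'] ?? null;
    if (is_string($sex) && !in_array($sex, ['M', 'F'], true)) {
        $errors[] = 'sex: must be M or F';
    }
    return $errors;
}

/**
 * Validates the fields and inserts the account with a prepared statement.
 * Throws InvalidArgumentException when validation fails.
 */
function insert_account(PDO $db, array $fields): void
{
    $errors = validate_account($fields);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    // Values are bound as parameters; the SQL text itself never contains user input.
    $stmt = $db->prepare(
        'INSERT INTO accounts (username, password_hash, email, sex) VALUES (:u, :p, :e, :s)'
    );
    $stmt->execute([
        ':u' => $fields['username'],
        ':p' => password_hash($fields['password'], PASSWORD_DEFAULT),
        ':e' => $fields['email'],
        ':s' => $fields['sex'],
    ]);
}

// Constructed sample inputs; validation runs without any database connection.
$good = ['username' => 'novice01', 'password' => 'p0r1ng-pass',
         'email' => 'novice@example.com', 'sex' => 'M'];
$bad  = ['username' => "admin' OR '1'='1", 'password' => 'x',
         'email' => '<script>', 'sex' => 'MF'];
print_r(validate_account($good)); // empty array: all fields pass
print_r(validate_account($bad));  // one error per field
```

The whitelist rejects the quote and angle-bracket characters that matter for SQL and HTML, but the prepared statement is what actually keeps the database safe if a field's rules are ever loosened later; validation and parameter binding are cheap enough to use together.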