So I want to know some good, simple ways to protect my sites and the users of my sites. I have learned to use mysql_real_escape_string when putting anything into the database. With my username/passwords, I use sha1() hashes to store the passwords. Etc. etc. But I'm wondering if there are common security things that should always be done on a site that interacts with users. When I log my users in, I store the username and user_id in $_SESSION variables. Is that safe? I've heard about checking the session id as well. Is that completely necessary?
Please address concerns like these. Ready...set...GO!
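Added example, not code from the poster: the points the question raises (escaping database input, hashing passwords, what to keep in `$_SESSION`, and whether the session id needs attention) shown as one small PHP login flow. It assumes a hypothetical `users` table with columns `id`, `username` and `password_hash`, a PDO connection `$pdo`, and PHP 7.3 or later for the array form of `session_set_cookie_params()`; `password_hash()` and `password_verify()` exist since PHP 5.5.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical `users`
// table (id, username, password_hash) and an existing PDO connection $pdo.
declare(strict_types=1);

// 1. Prepared statements send values separately from the SQL text, so input
//    never needs hand escaping (the job mysql_real_escape_string used to do).
function findUserByUsername(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Store a slow, salted hash. password_hash() chooses the salt and the
//    algorithm (bcrypt by default) and encodes both into the returned string,
//    so a fast unsalted digest such as sha1() is not needed for passwords.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// 3. Login: verify the hash, then regenerate the session id so an id that
//    existed before authentication (session fixation) is never promoted to an
//    authenticated one. Only the user id needs to live in the session.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $user = findUserByUsername($pdo, $username);
    // Verify against a throwaway hash when the user is missing, so response
    // time does not reveal which usernames exist.
    $hash = $user !== null
        ? $user['password_hash']
        : password_hash('dummy-password', PASSWORD_DEFAULT);
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);          // drop the pre-login session id
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['login_time'] = time();
    // Upgrade the stored hash if the default cost or algorithm has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
    }
    return true;
}

// 4. Session cookie settings, applied before session_start(): HttpOnly keeps
//    scripts from reading the cookie, Secure limits it to HTTPS, SameSite
//    limits cross-site sending, and use_strict_mode rejects ids the server
//    never issued.
function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// 5. Per-request check: $_SESSION is stored server-side and keyed by the
//    cookie, so its contents are trusted; the page only has to confirm a
//    user_id is present before treating the visitor as logged in.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Usage sketch (hypothetical DSN and form fields):
// startSecureSession();
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (loginUser($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) { /* redirect */ }
```

Keeping the username and user id in `$_SESSION` is fine because that data never leaves the server; the value that does travel is the session id cookie, which is why the example regenerates it at login and sets the cookie flags before `session_start()`.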