code Security and SQL injection prevention in PHP

At a time when all kinds of hackers are rampant, how to achieve their own PHP code security, to ensure that the program and the security of the server is a very important issue, I casually read the information about PHP security, not many, at least less than the ASP, hehe, so I want to write something to prevent these possible situations. There's not much technical content here, I just talked about it quite simply. (The following actions, if not specified, are based on the php+mysql+apache situation)

First of all, let's take a look at two articles:
Http://www.xfocus.net/articles/200107/227.html
Http://www.xfocus.net/articles/200107/228.html

The above article is security focus on the PHP security article, basically a more comprehensive introduction of some security issues about PHP.

In PHP coding, if you take into account some of the more basic security issues, first of all:
1. Initialize your variables

Why do you say that? Let's look at the following code:
if ($admin)
{
Echo ' landed successfully! '';
Include (' admin.php ');
}
Else
{
Echo ' You're not an admin, you can't manage! '';
}

OK, let's see the code above seems to be working properly, no problem, then join me to submit an illegal parameter to the past, then what will be the effect? For example, our page is http://www.traget.com/login.php, then we submit: Http://www.target.com/login.php?admin=1, hehe, you think some, we are not directly the administrator, Direct management.
Of course, we may not make such a simple mistake, then some very secret mistakes can also lead to this problem, such as the recent burst out of the Phpwind 1.3.6 Forum has a loophole, resulting in direct access to administrator rights, because there is a $skin variable initialization, resulting in a series of problems in the back.

So how do we avoid the above problems? First of all, starting from the php.ini, the php.ini inside the Register_global = off, is not all the registration variables for the overall, then you can avoid. However, we are not server administrators, can only be improved from the code, then how do we improve the above code? We rewrite the following:
$admin = 0; Initializing variables
if ($_post[' Admin_user '] && $_post[' Admin_pass '])
{
To determine if the Admin user name and password submitted are correct for the corresponding processing code
// ...
$admin = 1;
}
Else
{
$admin = 0;
}

if ($admin)
{
Echo ' landed successfully! '';
Include (' admin.php ');
}
Else
{
Echo ' You're not an admin, you can't manage! '';
}

Then you will not be able to submit the http://www.target.com/login.php?admin=1, because we initially put the variable into $admin = 0, then you can not get administrator rights through this vulnerability.


2. Prevent SQL injection (SQL injection)

SQL injection should be the most harmful to the current program, including the earliest from ASP to PHP, is basically the domestic two years of popular technology, the basic principle is through the submission of the variable does not filter the formation of injection points and then enable malicious users to submit some SQL query statements, resulting in the theft of important data, data loss or damage, or be hacked into backstage management.
The basic principle I do not say, we look at the following two articles is very clear:
Http://www.4ngel.net/article/36.htm
Http://www.4ngel.net/article/30.htm

So if we understand the basic way of injecting invasion, how can we guard against it? This is where we start with the code.

We know that there are two ways to submit data on the Web, one is get, one is post, so many of the most common SQL injections are started with a Get method, and the injected statement must contain some SQL statements, because there is no SQL statement, then how to do, the SQL statement has four sentences:
Select, Update, delete, insert, do we avoid these problems if we filter through the data we submit?