PHP code Security issues

1. The website generally has a unified entrance index.php, hidden site unified portal, URL rewrite

2.svn everyone gives different permissions

3. Anti-SQL injection workaround: Use precompiled statements, typically in SQL statements

In PHP, there are two modules for MySQL database, MySQL and mysqli,mysqli means MySQL improve. MySQL's improved version, this module contains the concept of "precompilation". Like the SQL statement above, change: SELECT * from admin where username= '? ' password= '? ', it is not an SQL statement, but can be mysqli by the pre-compilation function of the first to compile him into a stmt object, After the user enters the account password, the user input "data" is bound to the location of the two question marks with Stmt->bind_param. This allows the user to enter content that is "data" and not be "code

<?php
//user-entered data
$name = ' admin ';
$pass = ' 123456 ';
//Creates a new Mysqli object, and the constructor parameter contains the database-related content.
$conn = new Mysqli (Db_host, Db_user, Db_pass, db_name, Db_port);
//Set SQL statement default encoding
$this->mysqli->set_charset ("UTF8");
Create a SQL statement that uses a wildcard
$sql = ' SELECT user_id from admin WHERE username=? and password=?;
//Compile the statement to get a stmt object.
$stmt = $conn->prepare ($sql);
/******************** After the content can be reused, do not have to compile *************************/
//Bind data with Bind_param method
//You can see, Because I left two? That is, to bind two data to it, so the first parameter is the type of data bound (S=string,i=integer), the second argument is the data to be bound
$stmt->bind_param (' SS ', $name , $pass);
//Call the Bind_param method to bind the result (if you just check if the user and password exist, or just a DML statement, do not bind the result)
//The result is the field I select to bind several
$stmt Bind_result ($user _id);
//Execute the statement
$stmt->execute ();
Get the result
if ($stmt->fetch ()) {
 echo ' landed successfully ';
 //Be sure to release the resulting resource, or you will get an error later
  $stmt->free_result ();
 return $user _id; Returns the contents of the Select to
}else{echo ' login failed ';}
?

5. Restrictions on uploading file types

6. After verifying the verification code, clear the verification code in the session.

7. Modular management of the system

8. Hidden file extensions

PHP code Security issues