1. Prevent SQL injection and JS Script Injection in HTML
Principle: do not trust the value submitted by the client. It can be used only after security processing. For example:
$ Variable = $ _ post ['user _ input'];
$ Variable = mysql_real_escape_string ($ variable );
$ Variable = stripslashes ($ variable );
$ Variable = htmlentities ($ variable); // For example, <B> Hi </B> is converted to <B & gt; Hi & lt;/B & gt
$ Variable = strip_tags ($ variable); // You can also remove HTML tags.
The common practice is:
Function sanitizestring ($ var)
{
$ Var = stripslashes ($ var );
$ Var = htmlentities ($ var );
$ Var = strip_tags ($ var );
Return $ var;
}
Function sanitizemysql ($ var)
{
$ Var = mysql_real_escape_string ($ var );
$ Var = sanitizestring ($ var );
Return $ var;
}
3. Prevent MD5 password brute-force attacks
After many website databases are cracked, the MD5 value stored in the database will be used as a brute force attack to guess the passwords of other websites. Therefore, we need to construct the MD5 value different from that of other websites, even if the same user uses the same password, the MD5 value here must be different from the one stored on other websites. In this case, the salting technology can be used, for example:
Make salt = "He $ & * sdf123" passmd5 = MD5 ("$ salt". "$ password ");