Php web website development security

Php web website development security
Php is an easy-to-use and easy-to-use computer programming language. I didn't know much about php security at work, and I have written some programs: the data submitted at the front end is not escaped (html tags such as <and> are not converted into html entities). During the test, the user input content is displayed as html tag format, which is very embarrassing, shame is a trivial matter. What is important is that the security of the program is not guaranteed. I have read a very simple interview question in the past: http://www.phpstar.cn/?category=php To obtain the value of the category parameter. The question is very simple. I believe that php users can make category worthwhile. For example, $ _ GET ['category '] can be written by many people. In this way, the value cannot be obtained, it does not have to be processed securely. The following is an example of php security: 1. Use of include. <? Php include $ action. '. php';?> Among them, the $ action variable may come from the get method outside. It seems that there is no problem, but if $ action =' http://www.baidu.com/error ? So here we need to add a judgment: Does the file to be introduced exist? Php if (file_exists ($ action. '. php') {include $ action.'. php' ;}?> 2. Run xss across sites: for example, in a comment box, enter <script type = "text/javascript"> alert ('It blog! '); </Script> If the program does not directly display the information, think about what will happen? A pop-up window is displayed in front of the user's "IT blog !". 3. SQL Injection <? Php $ SQL = "SELECT * FROM user WHERE username = '{$ username}' AND passw = '{$ passw}'"; $ result = mysql_query ($ SQL);?> Assume that the value obtained by $ username is admin 'or '1 = 1, and $ passw is also like this: passw' or '1 = 1, and the preceding SQL statement becomes <? Php $ SQL = "SELECT * FROM user WHERE username = 'admin' or '1 = 1' AND passw = 'passw 'or '1 = 1 '"; $ result = mysql_query ($ SQL);?> The method to reduce such insecure programming is simple: intval is used to process the data transmitted from the user end, And htmlspecialhtmlspecialchars is used for the string.