Keeping unauthorized and malicious data out: Escaping Entities
9. Not Escaping Entities
PHP programmers are often too trusting of data, especially data supplied by users. Such data has to be validated when it comes in and escaped for the context it ends up in, whether that is a database or an HTML page; data echoed straight into a page is the classic mistake.
Source Rally shows us how to correctly escape entities in output such as form fields. Instead of using this:
PHP code:
echo $_GET['username'];
You can escape the data for HTML output by using htmlspecialchars() (or htmlentities()) like so; the ENT_QUOTES flag matters because without it a single quote is left alone and can still break out of a single-quoted attribute:
PHP code:
echo htmlspecialchars($_GET['username'], ENT_QUOTES);
I explained this in the previous post.
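The following is an added example, not code from the original post or from Source Rally. It puts the unescaped and escaped versions side by side in an attribute context, and shows why ENT_QUOTES (rather than the older ENT_COMPAT default) is needed there. The `$_GET['username']` value is a constructed payload assigned in the script so it runs offline, and the helper `e()` is a hypothetical name chosen for the example.

```php
<?php
declare(strict_types=1);

// Constructed request parameter, assigned here so the script runs from the
// command line without a web server. It mixes a script tag with a
// single-quote attribute breakout.
$_GET['username'] = "<script>alert(1)</script>' onmouseover='alert(2)";

// Hypothetical helper so every echo of user data goes through one path.
// ENT_QUOTES escapes both " and ', ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and the charset is stated explicitly.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 1. The "before" from the text: the payload becomes live markup.
$unsafe = "<input value='" . $_GET['username'] . "'>";

// 2. The escaped form: the same input is rendered as inert text.
$safe = "<input value='" . e($_GET['username']) . "'>";

// 3. Why ENT_QUOTES matters: ENT_COMPAT escapes < > & " but leaves the
//    single quote alone, so the attribute is still broken out of.
$compat = "<input value='" . htmlspecialchars($_GET['username'], ENT_COMPAT, 'UTF-8') . "'>";

echo "unsafe:     $unsafe\n";
echo "safe:       $safe\n";
echo "ENT_COMPAT: $compat\n";
```

Note that htmlspecialchars() protects HTML output only; it does nothing for data headed into an SQL query, which needs prepared statements, or into a JavaScript string or URL, which need their own encoding. Escape at the point of output, for the context being written to, rather than once on the way into storage.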