// 易受攻击的查询
$sql = "SELECT * FROM users WHERE username='$username'";

// 参数化查询
$stmt = $db->prepare("SELECT * FROM users WHERE username=?");
$stmt->bind_param("s", $username);

// 使用HTML特殊字符转义
$safe_input = htm<a style='color:#f60; text-decoration:underline;' href="https://www.php.cn/zt/79544.html" target="_blank">lsp</a>ecialchars($input);

// 使用正则表达式验证电子邮件
$email_regex = '/^[a-zA-Z0-9._% -] @[a-zA-Z0-9.-] \.[a-zA-Z]{2,4}$/';

// 设置CSRF令牌
$token = $_SESSION['csrf_token'] = bin2hex(random_bytes(32));

// 表格中包含令牌
<input type="hidden" name="csrf_token" value="<?= $token ?= $token ?>">

// 启动会话
session_start();

// 设置用户ID
$_SESSION['user_id'] = 123;

// 检查用户是否已登录
if (!isset($_SESSION['user_id'])) {
  header('Location: login.php');
  exit;
}

// 安全查询
$stmt = $db->prepare("SELECT * FROM users WHERE username=?");
$stmt->bind_param("s", $username);
$stmt->execute();