As a security-conscious developer, one of the most important things is to keep track of your data at all times: not only what it is and where it is, but also where it came from and where it is going. This is sometimes difficult, especially without a deep understanding of how the web works, which is why developers who are experienced in other environments but new to the Web often make mistakes that create security vulnerabilities.
Most people who read email are not fooled by spam with a subject line like "Re: Hello", because they know that a subject that looks like a reply can be forged; such a message is not necessarily a reply to an earlier email with the subject "Hello." In short, people know not to put too much trust in the subject line, but few realize that the sender address can be spoofed just as easily, and they mistakenly believe that it reliably reveals the origin of the email.
The Web is very similar. One of the things I want to teach you is how to distinguish between trusted and untrusted data. Doing this is often not easy, and blind guessing is not the answer. PHP's superglobal arrays such as $_GET, $_POST, and $_COOKIE clearly indicate the source of user data. A strict naming convention ensures that you know the source of every piece of data in any part of the program code, which is something I have always demonstrated and emphasized.
It is extremely important to know where data enters your program, and just as important to know where data leaves it. For example, when you use echo, you are sending data to the client; when you use mysql_query, you are sending data to the MySQL database (even if your purpose is to retrieve data).
When I audit PHP code for security vulnerabilities, I mainly check the parts of the code that interact with external systems. This part of the code is likely to contain security vulnerabilities, so special attention must be paid during development and code inspection.
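The following is an added example, not code from the original article, showing the naming convention and the entry/exit points described above in one short page: raw input stays in the superglobals, validated values are copied into a $clean array, and data is escaped for its destination only at the point where it leaves the program (a prepared statement for the database, htmlspecialchars for the browser). The array names $clean and $html, the table and column names, and the database credentials are assumptions for the example; mysqli is used because the mysql_* functions mentioned in the article were removed in PHP 7.

```php
<?php
// Added example (not from the original article): tracking data from entry to exit.
// Convention assumed here: raw input stays in $_GET/$_POST/$_COOKIE; anything that
// has passed validation is copied into $clean; anything escaped for HTML output is
// copied into $html. Nothing outside those two arrays is trusted for its purpose.

declare(strict_types=1);

$clean = [];
$html  = [];

// --- Entry point: data arrives from the client via $_GET ---
// Validate with an allow-list: a username may only be 3-20 letters, digits or underscores.
if (isset($_GET['username']) && is_string($_GET['username'])
    && preg_match('/^[A-Za-z0-9_]{3,20}$/', $_GET['username']) === 1) {
    $clean['username'] = $_GET['username'];
} else {
    http_response_code(400);
    exit('Invalid username');
}

// --- Exit point 1: data leaves for the database ---
// A prepared statement keeps the value separate from the SQL text, so the database
// never interprets the username as part of the query.
$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'example_db'); // placeholder credentials
$stmt = $db->prepare('SELECT id, display_name FROM users WHERE username = ?');
$stmt->bind_param('s', $clean['username']);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// --- Exit point 2: data leaves for the browser ---
// Even a value read back from our own database is escaped for the HTML context at
// the moment it is output; escaping belongs at the exit, not at the entry.
$displayName = $row['display_name'] ?? $clean['username'];
$html['display_name'] = htmlspecialchars($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8');

echo '<p>Welcome, ' . $html['display_name'] . '</p>';
```

When auditing code written this way, the review reduces to two checks: every assignment into $clean must be preceded by validation, and every echo or query must only use values from $clean (for the database) or $html (for the browser). A raw $_GET value appearing in either place is the defect to look for.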
The above covers tracking data in PHP security. For more related content, follow the PHP Chinese website (m.sbmmt.com)!