PHP 错误处理：如何应对常见的安全漏洞

// 从用户输入中获取用户名和密码
$username = $_POST['username'];
$password = $_POST['password'];

// 连接到数据库
$db = new PDO('mysql:host=localhost;dbname=mydb', 'username', 'password');

// 使用预处理语句和参数绑定来执行 SQL 查询
$stmt = $db->prepare('SELECT * FROM users WHERE username = :username AND password = :password');
$stmt->bindValue(':username', $username);
$stmt->bindValue(':password', $password);
$stmt->execute();

// 获取查询结果
$user = $stmt->fetch();

// 如果查询结果为空，则表示用户名或密码错误
if (!$user) {
    echo "Invalid username or password.";
} else {
    echo "Welcome, " . $user['username'] . "!";
}

// 从用户输入中获取评论内容
$comment = $_POST['comment'];

// 对评论内容进行 HTML 特殊字符转义
$escapedComment = htmlspecialchars($comment);

// 保存评论到数据库
$db->query("INSERT INTO comments (content) VALUES ('$escapedComment')");

// 从上传的文件中获取相关信息
$fileName = $_FILES['file']['name'];
$fileSize = $_FILES['file']['size'];
$fileTmp = $_FILES['file']['tmp_name'];
$fileError = $_FILES['file']['error'];

// 检查文件类型和大小
$fileExt = pathinfo($fileName, PATHINFO_EXTENSION);
$allowedTypes = array('jpg', 'jpeg', 'png');
$maxSize = 1000000; // 1MB

if (!in_array($fileExt, $allowedTypes) || $fileSize > $maxSize) {
    echo "Invalid file type or size.";
} else {
    // 保存文件到指定目录
    move_uploaded_file($fileTmp, 'uploads/' . $fileName);
    echo "File uploaded successfully.";
}