PDO – Prepared Statements
<?php
// Connection: exceptions on, associative rows, native (server-side) prepared
// statements so bound values are sent apart from the SQL text.
$dsn = "mysql:host={$host};port={$port};dbname={$db};charset=utf8mb4";
$attrs = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8mb4"
];
$pdo = new PDO($dsn, $user, $pass, $attrs);

// Named placeholders; the query string never contains caller-supplied values.
$query = "SELECT cm_id, cm_name FROM customer WHERE comp_id = :comp_id AND cm_tel = :tel LIMIT 1";
$stmt = $pdo->prepare($query);
$stmt->execute([':comp_id' => $compId, ':tel' => $cm_tel]);
$row = $stmt->fetch(); // false when no matching customer exists
?>
XSS Safe Output – htmlspecialchars()
<?php
/**
 * Escape a string for an HTML text or attribute context.
 *
 * Encodes both quote styles and replaces invalid UTF-8 sequences instead of
 * returning an empty string.
 */
function e(string $s): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return htmlspecialchars($s, $flags, 'UTF-8');
}
// usage: escape at output time, not when the value is stored
printf('<span>%s</span>', e($row['cm_name'] ?? ''));
?>
CSRF Token for POST forms
<?php
session_start();
// One 256-bit token per session (hex-encoded, 64 chars), generated from a CSPRNG
// and reused by every form rendered in that session.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
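/**
 * Render the hidden CSRF field for a POST form.
 *
 * Reads the token stored in the session during bootstrap. The value is escaped
 * for the attribute context so the markup stays well-formed even if the token
 * format ever changes; a missing token yields an empty value (no warning).
 */
function csrf_input(): string {
    $token = $_SESSION['csrf'] ?? '';
    return '<input type="hidden" name="csrf" value="' . htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '" />';
}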
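/**
 * Abort the request with 403 unless the submitted token matches the session token.
 *
 * Call from POST handlers only. Compares with hash_equals() (constant time) and
 * refuses to pass when the session holds no token, so an expired or missing
 * session can never be satisfied by an empty submission — the original
 * `!==` check accepted '' === '' in that case.
 */
function csrf_verify(): void {
    $expected = $_SESSION['csrf'] ?? '';
    $submitted = $_POST['csrf'] ?? '';
    // A non-string submission (e.g. csrf[]=x) would make hash_equals() throw; treat it as invalid.
    if (!is_string($submitted) || $expected === '' || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}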
// in form: echo csrf_input();
// in handler (POST only): csrf_verify();
?>
Secure Passwords – password_hash()
<?php
// PASSWORD_DEFAULT selects the current recommended algorithm (bcrypt today);
// cost 12 raises the work factor above the library default.
$hashOptions = ['cost' => 12];
$hash = password_hash($plain, PASSWORD_DEFAULT, $hashOptions);
// Constant-time verification against the stored hash.
if (password_verify($input, $hash) === true) {
    // authenticated
}
?>
Simple Rate Limit (no Redis)
<?php
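// Per-client, per-path fixed-window counter kept in two small files under the
// system temp dir: <bucket> holds the hit count, <bucket>_meta the window start.
// NOTE: the read-modify-write below is not atomic, so concurrent requests can
// under-count; fine for a coarse "simple" limiter, not for strict enforcement.
// REMOTE_ADDR is the TCP peer — behind a reverse proxy that is the proxy, not the client.
$window = 60;   // seconds
$limit = 120;   // 120 req/min
$now = time();

$clientKey = md5(($_SERVER['REMOTE_ADDR'] ?? '') . ($_SERVER['REQUEST_URI'] ?? ''));
$bucket = sys_get_temp_dir() . '/ratelimit_' . $clientKey;
$metaFile = $bucket . '_meta';

// Explicit existence checks instead of @-suppressed reads.
$hits = is_file($bucket) ? (int) file_get_contents($bucket) : 0;

$state = null;
if (is_file($metaFile)) {
    $state = json_decode((string) file_get_contents($metaFile), true);
}
// Corrupt or missing metadata starts a new window rather than faulting.
if (!is_array($state) || !isset($state['start']) || !is_int($state['start'])) {
    $state = ['start' => $now];
}

// Reset once the current window has elapsed.
if ($now - $state['start'] >= $window) {
    $state = ['start' => $now];
    $hits = 0;
}
$hits++;

if ($hits > $limit) {
    http_response_code(429);
    exit('Too Many Requests');
}

// Concatenate with '.' (the original `$bucket + '_meta'` is a TypeError on
// non-numeric strings in PHP 8); LOCK_EX serialises concurrent writers.
file_put_contents($bucket, (string) $hits, LOCK_EX);
file_put_contents($metaFile, json_encode($state), LOCK_EX);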
?>
Tip: เปิดใช้ HTTP security headers (HSTS, X-Content-Type-Options, Referrer-Policy) และตั้งค่า SameSite=Lax ให้ session cookie.
Tip: Enable HTTP security headers (HSTS, X-Content-Type-Options, Referrer-Policy) and set SameSite=Lax for session cookies.