<?php
// ✅ 正确：使用 password_hash
$hash = password_hash('mysecretpassword', PASSWORD_DEFAULT);
echo $hash;
// $2y$10$...（bcrypt 哈希）

// ✅ 正确：验证密码
if (password_verify('mysecretpassword', $hash)) {
    echo '密码正确';
}

// 需要重新哈希（算法升级时）
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
    $newHash = password_hash('mysecretpassword', PASSWORD_DEFAULT);
    // 更新数据库
}

// ❌ 错误：永远不要这样做
// md5($password)
// sha1($password)
// hash('sha256', $password)

<?php
// 输出转义
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');

// HTMLPurifier（富文本过滤）
// composer require ezyang/htmlpurifier
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$cleanHtml = $purifier->purify($dirtyHtml);

// CSP 头
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

<?php
class CSRFProtection
{
    public static function generateToken(): string
    {
        $token = bin2hex(random_bytes(32));
        $_SESSION['csrf_token'] = $token;
        return $token;
    }

    public static function validateToken(?string $token): bool
    {
        if ($token === null || !isset($_SESSION['csrf_token'])) {
            return false;
        }
        return hash_equals($_SESSION['csrf_token'], $token);
    }

    public static function field(): string
    {
        $token = self::generateToken();
        return '<input type="hidden" name="_token" value="' . htmlspecialchars($token) . '">';
    }
}

<?php
// ✅ 正确：使用预处理语句
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
$stmt->execute([$email]);

// ✅ 正确：命名参数
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
$stmt->execute(['email' => $email]);

// ❌ 错误：字符串拼接
// $sql = "SELECT * FROM users WHERE email = '$email'";

<?php
declare(strict_types=1);

class InputValidator
{
    public static function validate(array $data, array $rules): array
    {
        $errors = [];

        foreach ($rules as $field => $rule) {
            $value = $data[$field] ?? null;
            $ruleList = explode('|', $rule);

            foreach ($ruleList as $r) {
                match (true) {
                    $r === 'required' && ($value === null || $value === '') =>
                        $errors[$field][] = "{$field} 是必填字段",
                    str_starts_with($r, 'min:') => self::validateMin($field, $value, $r, $errors),
                    str_starts_with($r, 'max:') => self::validateMax($field, $value, $r, $errors),
                    $r === 'email' && $value !== null && !filter_var($value, FILTER_VALIDATE_EMAIL) =>
                        $errors[$field][] = "{$field} 必须是有效的邮箱",
                    $r === 'numeric' && $value !== null && !is_numeric($value) =>
                        $errors[$field][] = "{$field} 必须是数字",
                    $r === 'url' && $value !== null && !filter_var($value, FILTER_VALIDATE_URL) =>
                        $errors[$field][] = "{$field} 必须是有效的 URL",
                    default => null,
                };
            }
        }

        return $errors;
    }

    private static function validateMin(string $field, mixed $value, string $rule, array &$errors): void
    {
        $min = (int) substr($rule, 4);
        if (is_string($value) && mb_strlen($value) < $min) {
            $errors[$field][] = "{$field} 至少 {$min} 个字符";
        }
    }

    private static function validateMax(string $field, mixed $value, string $rule, array &$errors): void
    {
        $max = (int) substr($rule, 4);
        if (is_string($value) && mb_strlen($value) > $max) {
            $errors[$field][] = "{$field} 最多 {$max} 个字符";
        }
    }
}

<?php
// AES-256-GCM 加密
function encrypt(string $data, string $key): string
{
    $iv = random_bytes(16);
    $tag = '';
    $encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $encrypted);
}

function decrypt(string $encoded, string $key): string
{
    $decoded = base64_decode($encoded);
    $iv = substr($decoded, 0, 16);
    $tag = substr($decoded, 16, 16);
    $encrypted = substr($decoded, 32);
    return openssl_decrypt($encrypted, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
}