Miraat·dweb developer journey, reflected

OWASP Top 10 — security basics

The 10 most common vulnerability families and how to prevent them in everyday code.

The three most common enemies

  1. SQL injection — ALWAYS use prepared statements; never concatenate input into the query.
    $stmt = $db->prepare("SELECT * FROM users WHERE email = ?");
    $stmt->execute([$email]);
  2. XSS (Cross-Site Scripting) — pass everything that comes from input through htmlspecialchars() before printing it.
  3. CSRF — token in every POST form, verified server-side.
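
The CSRF rule in item 3, as an added example (not code from the original page): a per-session token is rendered into the form through htmlspecialchars() and checked server-side with a constant-time comparison. The function names are hypothetical, and plain arrays stand in for `$_SESSION` and `$_POST` so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example; csrf_token, csrf_field and csrf_verify are hypothetical names.

/** Return the per-session token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

/** Hidden input to place inside every POST form. */
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

/** Server-side check: reject missing, non-string or mismatched tokens. */
function csrf_verify(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? null;
    $sent = $post['csrf_token'] ?? null;
    // An empty or absent session token must never match an empty field,
    // and a field submitted as an array would make hash_equals() throw.
    if (!is_string($expected) || $expected === '' || !is_string($sent)) {
        return false;
    }
    return hash_equals($expected, $sent); // constant-time comparison
}

// Constructed demo data: arrays stand in for $_SESSION and $_POST.
$session = [];
echo csrf_field($session), PHP_EOL;

$valid   = ['csrf_token' => $session['csrf_token'], 'email' => 'a@example.com'];
$noToken = ['email' => 'a@example.com'];   // request that did not come from our form
$asArray = ['csrf_token' => ['x']];        // field sent as an array instead of a string

var_dump(csrf_verify($session, $valid));
var_dump(csrf_verify($session, $noToken));
var_dump(csrf_verify($session, $asArray));
var_dump(csrf_verify([], ['csrf_token' => '']));
```

In a real handler, pass `$_SESSION` and `$_POST` after `session_start()` and stop processing the request when `csrf_verify()` returns false.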

The other 7 to know

  • Broken authentication, broken access control, security misconfiguration, sensitive data exposure, vulnerable dependencies, SSRF, insecure deserialization, insufficient logging.

Recommended resources