Jan 29, 2026
## Chapter 23: Security basics (the stuff that saves you from painful bugs)
Goal of this chapter: learn the few security habits that prevent 80% of beginner mistakes.
If you remember only these, you’re already ahead:
1) Treat all input as untrusted
   `$_GET`, `$_POST`, JSON body, headers — all can be faked.
2) Escape output based on where it goes
   - HTML: `htmlspecialchars(...)`
   - SQL: use prepared statements (PDO)
3) Validate on server, even if you validate on frontend
   Frontend validation is user experience. Server validation is security.
4) Don’t expose errors in production
   In production you log errors; you don’t print them to users.
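The four habits together in one small PHP script, added here as an example that is not part of the chapter. It assumes a `users(id, name)` table and builds one in an in-memory SQLite database so it runs from the command line; the name-validation policy is constructed for the example.

```php
<?php
// Added example, not from the chapter: the four habits in one small request handler.
// Assumes a users(id, name) table; an in-memory SQLite database is built below.

// Habit 4: in production, log errors instead of printing them to users.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Habit 2 (HTML context): escape at the point of output, never on input.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Habits 1 and 3: the request body is untrusted, so validate it on the server
// no matter what the frontend form already checked. Returns null on rejection.
function validateName(array $input): ?string {
    $name = is_string($input['name'] ?? null) ? trim($input['name']) : '';
    // Constructed policy for this example: non-empty, at most 50 bytes, no control characters.
    if ($name === '' || strlen($name) > 50 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }
    return $name;
}

// Habit 2 (SQL context): bind the value as a parameter; it never becomes part of the query text.
function findUsers(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs without a web server.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed requests standing in for $_POST: a normal name, a quote-laden value
// (the prepared statement treats it as plain data, so it simply matches nothing), and a non-string.
$requests = [['name' => 'alice'], ['name' => "x' OR '1'='1"], ['name' => ['not', 'a', 'string']]];
foreach ($requests as $request) {
    $name = validateName($request);
    if ($name === null) {
        echo "<p>Invalid name.</p>\n";
        continue;
    }
    // Output is escaped for HTML whether it came from the database or from the request.
    $items = array_map(fn(array $r): string => '<li>' . e($r['name']) . '</li>', findUsers($pdo, $name));
    echo $items === [] ? '<p>No user named ' . e($name) . "</p>\n" : implode("\n", $items) . "\n";
}
```

Run it with `php script.php`: the second request prints its quotes as `&#039;`, so the attacker-controlled text reaches neither the SQL engine nor the browser as anything but data.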
---
### Deployment basics (what actually runs PHP on hosting)
On a real server, PHP usually runs in one of these common setups:
- Apache + PHP (mod_php): Apache directly runs PHP files.
- Nginx + PHP-FPM: Nginx handles HTTP, PHP-FPM runs PHP, they talk to each other.
Your app usually has a “public web root” folder (often named `public/`). Only that folder is exposed to the internet. Everything else (config, classes, database files) stays outside public.
If you remember one simple rule for hosting: keep private files out of the public folder.
---