# Security

Security is essential for any web application. PHPFast comes with built-in features to protect your application from common threats. This section will explain these security tools and show you how to use them effectively.

## Data Sanitization

Data sanitization is the process of cleaning and filtering input data to prevent the execution of malicious code, such as Cross-Site Scripting (XSS) or SQL Injection, within your application. PHPFast provides a built-in helper to sanitize data in HTTP requests, enhancing security and protecting against common vulnerabilities.

**Using `Security.php` Libraries**

The `Security_helper.php` library offers essential functions for sanitizing and validating user input to enhance application security. Some key functions include:

`xss_clean` – Removes potential XSS (Cross-Site Scripting) threats.\
`clean_input` – Filters out harmful code from input data.\
`uri_security` – Ensures secure handling of URI parameters.\
`url_slug` – Converts text into a URL-friendly format.\
`redirect` – Safely redirects users to specified locations.\
`base_url` – Generates a secure base URL for links.

1. Load the helper in your controller and pass the incoming request data through `clean_input`:

   ```php
   // Sanitize user input
   $clean_input = clean_input($input_data);
   ```
2. The `clean_input` function will automatically strip out potentially harmful code from the input data, making it safer to use within your application.
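The snippet below is an added example, not PHPFast's own code, showing where `clean_input` fits in a controller action and what it does not replace. It assumes `clean_input()` takes a string and returns the cleaned string (as in the snippet above); a stand-in definition is included only so the file runs outside the framework and is not the helper's real implementation. The request data and the in-memory SQLite table are constructed for the example.

```php
<?php
// Added example (not PHPFast's own code): sanitize request data in a
// controller action, then apply context-specific protection on output and in SQL.
declare(strict_types=1);

// Stand-in so this file runs without the framework loaded. Assumption: the real
// clean_input() helper takes a string and returns the cleaned string.
if (!function_exists('clean_input')) {
    function clean_input($value) {
        return strip_tags(trim((string) $value));
    }
}

// Constructed sample POST body, as the framework would hand it to the controller.
$_POST = [
    'username' => 'alice<script>alert(1)</script>',
    'bio'      => 'Hello <b>world</b> & friends',
];

// Run every submitted field through the helper before the controller uses it.
function sanitizeProfileInput(array $post): array
{
    $clean = [];
    foreach ($post as $field => $value) {
        $clean[$field] = clean_input($value);
    }
    return $clean;
}

$profile = sanitizeProfileInput($_POST);

// Output encoding is still required: sanitized input can legitimately contain
// characters such as '&' or '<' that must be escaped for the HTML context.
echo '<p>Username: '
   . htmlspecialchars($profile['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
   . '</p>' . PHP_EOL;

// For SQL, input sanitization is not the defense; bind parameters instead so the
// value can never be parsed as part of the statement.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (username TEXT, bio TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (username, bio) VALUES (:u, :b)');
$stmt->execute([':u' => $profile['username'], ':b' => $profile['bio']]);
```

The point of the two tail sections is that `clean_input` reduces what reaches the application, but XSS is prevented by escaping for the output context and SQL injection by parameterised queries; the helper is a first filter, not a substitute for either.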

## Cross-Site Request Forgery (CSRF) Protection

PHPFast comes with built-in CSRF protection, preventing unauthorized commands from being executed through authenticated sessions. The framework automatically generates and verifies CSRF tokens for form submissions, ensuring secure user interactions.

To enable **CSRF protection**, follow these steps:

1. Open the `config.php` file located in the `application/Config` directory.
2. Add or update the security settings to include CSRF protection:

```php
'security' => [
    'csrf_protection'  => true,               // Enable CSRF protection
    'csrf_token_name'  => 'csrf_token',       // Name of the CSRF token
    'csrf_header_name' => 'X-CSRF-TOKEN',     // CSRF token header for AJAX requests
    'csrf_expiration'  => 7200,               // Token validity period in seconds
],
```
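To make the settings above concrete, the following added example (not PHPFast's own code) writes out in plain PHP the token lifecycle that such a configuration drives: issue a random per-session token, embed it in the form, accept it from either the form field or the configured header, reject it after `csrf_expiration` seconds, and compare it in constant time. The function names `csrfToken()` and `csrfVerify()` are hypothetical, and `$session` stands in for `$_SESSION`.

```php
<?php
// Added example (not PHPFast's own code): CSRF token lifecycle driven by the
// 'security' settings shown above. csrfToken()/csrfVerify() are hypothetical names.
declare(strict_types=1);

const CSRF_CONFIG = [
    'csrf_protection'  => true,
    'csrf_token_name'  => 'csrf_token',
    'csrf_header_name' => 'X-CSRF-TOKEN',
    'csrf_expiration'  => 7200,
];

// Issue a token for the session, or reuse the current one until it expires.
function csrfToken(array &$session, int $now): string
{
    $name    = CSRF_CONFIG['csrf_token_name'];
    $expired = !isset($session[$name]['expires']) || $session[$name]['expires'] <= $now;
    if ($expired) {
        $session[$name] = [
            'value'   => bin2hex(random_bytes(32)),           // 256 bits from a CSPRNG
            'expires' => $now + CSRF_CONFIG['csrf_expiration'],
        ];
    }
    return $session[$name]['value'];
}

// Verify a state-changing request. The token may arrive as a form field
// (regular POST) or in the configured header (AJAX).
function csrfVerify(array $session, array $post, array $headers, int $now): bool
{
    if (!CSRF_CONFIG['csrf_protection']) {
        return true;
    }
    $name   = CSRF_CONFIG['csrf_token_name'];
    $stored = $session[$name] ?? null;
    if ($stored === null || $stored['expires'] <= $now) {
        return false;                                         // no token, or expired
    }
    $sent = $post[$name] ?? $headers[CSRF_CONFIG['csrf_header_name']] ?? '';
    // hash_equals() runs in constant time, so the comparison leaks nothing
    // about how many leading bytes of a guess were correct.
    return is_string($sent) && hash_equals($stored['value'], $sent);
}

// Constructed walk-through.
$session = [];
$now     = time();
$token   = csrfToken($session, $now);

// Form rendering: embed the token as a hidden field named after csrf_token_name.
$hidden = sprintf(
    '<input type="hidden" name="%s" value="%s">',
    CSRF_CONFIG['csrf_token_name'],
    htmlspecialchars($token, ENT_QUOTES, 'UTF-8')
);

var_dump(csrfVerify($session, ['csrf_token' => $token], [], $now));        // valid form field
var_dump(csrfVerify($session, [], ['X-CSRF-TOKEN' => $token], $now));      // valid AJAX header
var_dump(csrfVerify($session, ['csrf_token' => 'forged'], [], $now));      // token mismatch
var_dump(csrfVerify($session, ['csrf_token' => $token], [], $now + 7201)); // past csrf_expiration
```

Two details worth checking in any CSRF implementation are visible here: the token must come from a CSPRNG (`random_bytes`), and the comparison must use `hash_equals` rather than `==`, which would both compare in variable time and apply PHP's loose type juggling.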

## Password Hashing

PHPFast's `Security` class wraps PHP's native `password_hash()` and `password_verify()`. The hash string returned by `hashPassword` already contains the algorithm, cost and a random salt, so nothing else needs to be stored alongside it:

```php
class Security
{
    // Hash a plaintext password with bcrypt. The random salt is generated here
    // and embedded in the returned string, so only that string is stored.
    public static function hashPassword($password) {
        return password_hash($password, PASSWORD_BCRYPT);
    }

    // Check a plaintext password against a stored hash (constant-time comparison).
    public static function verifyPassword($password, $hashedPassword) {
        return password_verify($password, $hashedPassword);
    }
}

// Example: hashing at registration
$hashed_password = Security::hashPassword($user_password);

// Example: checking at login
if (Security::verifyPassword($input_password, $hashed_password_from_db)) {
    // Password is correct
} else {
    // Invalid password
}
```
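The following added example (not PHPFast's own code) builds a login check on the same `password_hash()`/`password_verify()` calls used by the class above and adds two things a practitioner usually wants on top of it: upgrading stored hashes whose bcrypt cost has fallen behind via `password_needs_rehash()`, and verifying against a dummy hash when the username does not exist, so the response time does not reveal which accounts are real. The function names `loginCheck()` and `dummyHash()`, the cost value and the in-memory `$users` store are all constructed for the example.

```php
<?php
// Added example (not PHPFast's own code): login check with hash upgrade and
// a constant-cost path for unknown usernames. loginCheck()/dummyHash() are hypothetical.
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];   // bcrypt work factor; raise it as hardware gets faster

// Hash used when the username does not exist, so password_verify() costs the same
// time either way and the response does not reveal which accounts exist.
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, HASH_OPTIONS);
}

// $users maps username => stored bcrypt hash (constructed in-memory store).
// Returns ['ok' => bool, 'rehash' => ?string]; when 'rehash' is set, the caller
// should store it, because the existing hash used a weaker cost than HASH_OPTIONS.
function loginCheck(array $users, string $username, string $password): array
{
    $exists = isset($users[$username]);
    $stored = $exists ? $users[$username] : dummyHash();

    // Always run the verify, then AND with $exists so an unknown user can never pass.
    $ok = password_verify($password, $stored) && $exists;

    $rehash = null;
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        // We only have the plaintext at login time, so this is the moment to upgrade.
        $rehash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    }
    return ['ok' => $ok, 'rehash' => $rehash];
}

// Constructed users: alice's hash was created at the older cost 10.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

$result = loginCheck($users, 'alice', 'correct horse battery staple');  // succeeds, rehash issued
if ($result['rehash'] !== null) {
    $users['alice'] = $result['rehash'];                                  // persist the upgraded hash
}
$result = loginCheck($users, 'alice', 'wrong password');                 // fails
$result = loginCheck($users, 'nobody', 'anything');                      // fails, same cost as a real check
```

One bcrypt-specific caveat applies to `Security::hashPassword` as well: bcrypt only uses the first 72 bytes of the password, so very long passphrases are silently truncated. If that matters for your policy, enforce a maximum length at registration rather than accepting input that is only partially hashed.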

{% hint style="info" %}
Note

* **Sanitize User Input** – Always clean and validate user input using helper functions to prevent XSS (Cross-Site Scripting) and SQL injection attacks.
* **Enforce HTTPS** – Ensure your application operates over HTTPS to encrypt data in transit, protecting sensitive information from interception.
* **Secure Cookies** – Set the HttpOnly and Secure flags on cookies to prevent unauthorized access and protect against session hijacking.
* **Restrict File Uploads** – Implement strict validation for uploaded files to prevent the risk of executing malicious scripts on your server.
* **Keep Your Framework Updated** – Regularly update PHPFast to the latest version to apply security patches.
{% endhint %}
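For the "Secure Cookies" and "Restrict File Uploads" items above, here is an added example in plain PHP (not PHPFast's own code) showing what each recommendation looks like when implemented. The function names `configureSessionCookie()` and `validateUpload()`, the size limit, the MIME allowlist and the storage path are all assumptions made for the example.

```php
<?php
// Added example (not PHPFast's own code) for the "Secure Cookies" and
// "Restrict File Uploads" recommendations. Function names are hypothetical.
declare(strict_types=1);

// 1. Session cookie flags. Must be set before session_start().
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript (limits XSS impact on sessions)
        'samesite' => 'Lax',    // not attached to cross-site POSTs
    ]);
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
}

// 2. Upload validation: cap the size, allowlist by sniffed MIME type, and store
//    under a server-chosen name in a directory that the web server does not serve.
const UPLOAD_MAX_BYTES = 2 * 1024 * 1024;
const UPLOAD_ALLOWED   = [               // sniffed MIME type => extension used on disk
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

function validateUpload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'n/a'));
    }
    if (($file['size'] ?? 0) > UPLOAD_MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Decide the type from the file contents, never from the client-supplied
    // $file['name'] or $file['type'], both of which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(UPLOAD_ALLOWED[$mime])) {
        throw new RuntimeException('File type not allowed: ' . ($mime ?: 'unknown'));
    }
    // Random name plus allowlisted extension: the original filename never reaches disk,
    // which removes path traversal and double-extension tricks from consideration.
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . UPLOAD_ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    return $dest;
}

// Usage inside an upload controller action (requires a real HTTP request, so shown
// here rather than executed at file load):
//   configureSessionCookie();
//   session_start();
//   $path = validateUpload($_FILES['document'], '/var/app/uploads');  // outside the web root
```

`move_uploaded_file()` only accepts files that PHP itself received in the current request, which is why the usage is shown as a comment rather than run against a constructed file. Keeping uploads outside the document root and serving them through a controller that sets an explicit `Content-Type` means that even a file which passes the allowlist is never executed or interpreted by the web server.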
