# Security

Security is essential for any web application. PHPFast comes with built-in features to protect your application from common threats. This section will explain these security tools and show you how to use them effectively.

## Data Sanitization

Data sanitization is the process of cleaning and filtering input data so that injection attacks such as Cross-Site Scripting (XSS) or SQL Injection cannot reach your application logic. PHPFast provides a built-in helper to sanitize data in HTTP requests, enhancing security and protecting against common vulnerabilities.

**Using `Security.php` Libraries**

The `Security_helper.php` library offers essential functions for sanitizing and validating user input to enhance application security. Some key functions include:

`xss_clean` – Removes potential XSS (Cross-Site Scripting) threats.\
`clean_input` – Filters out harmful code from input data.\
`uri_security` – Ensures secure handling of URI parameters.\
`url_slug` – Converts text into a URL-friendly format.\
`redirect` – Safely redirects users to specified locations.\
`base_url` – Generates a secure base URL for links.

1. With the helper loaded in your controller, pass the incoming request data through it:

   ```php
   // Sanitize user input
   $clean_input = clean_input($input_data);
   ```
2. The `clean_input` function will automatically strip out potentially harmful code from the input data, making it safer to use within your application.
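The following standalone PHP is an added example and not PHPFast's `clean_input` implementation. It shows the three layers a practitioner combines around a sanitizing helper: normalising the raw input, encoding it for the output context, and keeping it out of SQL with a prepared statement. The function names `sanitize_text`, `render_comment` and `store_comment`, and the sample request values, are constructed for this example.

```php
<?php
// Added example (not PHPFast's own code): a minimal input filter in the spirit of
// clean_input(), plus the two steps that still have to happen at the point of use:
// HTML escaping on output and parameterised SQL. Names below are hypothetical.

declare(strict_types=1);

/**
 * Normalise untrusted text: drop NUL bytes and control characters, enforce valid
 * UTF-8, trim and cap the length. It deliberately does not try to "remove" HTML,
 * because the output context decides the encoding (see render_comment()).
 */
function sanitize_text(string $input, int $maxLength = 1000): string
{
    $input = str_replace("\0", '', $input);
    if (!mb_check_encoding($input, 'UTF-8')) {
        // Replace invalid byte sequences instead of passing them through.
        $input = mb_convert_encoding($input, 'UTF-8', 'UTF-8');
    }
    // Remove C0/C1 control characters except tab, LF and CR.
    $input = preg_replace('/[^\P{C}\t\n\r]/u', '', $input) ?? '';
    return mb_substr(trim($input), 0, $maxLength);
}

/** Escape for an HTML text/attribute context immediately before output. */
function render_comment(string $author, string $body): string
{
    $e = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p data-author="' . $e($author) . '">' . $e($body) . '</p>';
}

/** Store the comment with a bound parameter: the value is data, never SQL text. */
function store_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Constructed sample request data, including a NUL byte and markup.
$author = sanitize_text("Mallory\0<b>");
$body   = sanitize_text("Nice post! <img src=x> ' OR 1=1 --");

// In-memory SQLite keeps the example self-contained.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$id = store_comment($db, $author, $body);

echo "stored comment #$id", PHP_EOL;
echo render_comment($author, $body), PHP_EOL;
```

The design point is that sanitizing on input reduces the noise reaching your code, but it cannot know whether the value will later land in HTML, an attribute, a URL or a query; escaping at the output boundary and binding SQL parameters are what make each of those contexts safe.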

## Cross-Site Request Forgery (CSRF) Protection

PHPFast comes with built-in CSRF protection, preventing unauthorized commands from being executed through authenticated sessions. The framework automatically generates and verifies CSRF tokens for form submissions, ensuring secure user interactions.

To enable **CSRF protection**, follow these steps:

1. Open the `config.php` file located in the `application/Config` directory.
2. Add or update the security settings to include CSRF protection:

```php
'security' => [
    'csrf_protection'  => true,               // Enable CSRF protection
    'csrf_token_name'  => 'csrf_token',       // Name of the CSRF token
    'csrf_header_name' => 'X-CSRF-TOKEN',     // CSRF token header for AJAX requests
    'csrf_expiration'  => 7200,               // Token validity period in seconds
],
```
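The class below is an added illustration, not PHPFast's own CSRF implementation, of the token lifecycle that the settings above describe: a token issued from a CSPRNG and kept in the session, embedded in forms under `csrf_token_name` or sent by AJAX in the `csrf_header_name` header, rejected after `csrf_expiration` seconds, and compared in constant time. The class name `CsrfGuard`, its methods and the in-memory `$session` array are assumptions made for this example.

```php
<?php
// Added example (not PHPFast's implementation): one way the CSRF settings on this
// page can be honoured. CsrfGuard and its method names are hypothetical.

declare(strict_types=1);

final class CsrfGuard
{
    private array $session;
    private array $config;

    public function __construct(array &$session, array $config)
    {
        // The session store is taken by reference so issued tokens persist.
        $this->session = &$session;
        $this->config  = $config;
    }

    /** Issue a token, or reuse the current one until csrf_expiration elapses. */
    public function token(): string
    {
        $name     = $this->config['csrf_token_name'];
        $issuedAt = $this->session[$name . '_time'] ?? 0;
        if (empty($this->session[$name]) || time() - $issuedAt > $this->config['csrf_expiration']) {
            $this->session[$name]           = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
            $this->session[$name . '_time'] = time();
        }
        return $this->session[$name];
    }

    /** Hidden field to embed in HTML forms. */
    public function field(): string
    {
        $name = htmlspecialchars($this->config['csrf_token_name'], ENT_QUOTES, 'UTF-8');
        return sprintf('<input type="hidden" name="%s" value="%s">', $name, $this->token());
    }

    /**
     * Verify a state-changing request. The token may arrive as a form field
     * (csrf_token_name) or as a request header (csrf_header_name, for AJAX).
     * Safe methods are exempt, expired tokens fail, comparison is constant-time.
     */
    public function verify(string $method, array $post, array $headers): bool
    {
        if (!$this->config['csrf_protection'] || in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
            return true;
        }
        $name     = $this->config['csrf_token_name'];
        $expected = $this->session[$name] ?? '';
        $issuedAt = $this->session[$name . '_time'] ?? 0;
        if ($expected === '' || time() - $issuedAt > $this->config['csrf_expiration']) {
            return false;
        }
        $supplied = $post[$name] ?? $headers[$this->config['csrf_header_name']] ?? '';
        return is_string($supplied) && hash_equals($expected, $supplied);
    }
}

// Constructed session and the configuration block from this page.
$session = [];
$config  = [
    'csrf_protection'  => true,
    'csrf_token_name'  => 'csrf_token',
    'csrf_header_name' => 'X-CSRF-TOKEN',
    'csrf_expiration'  => 7200,
];
$guard = new CsrfGuard($session, $config);

$formField = $guard->field();        // place inside the <form>
$token     = $session['csrf_token']; // what the browser will send back

$results = [
    'form token'   => $guard->verify('POST', ['csrf_token' => $token], []),
    'header token' => $guard->verify('POST', [], ['X-CSRF-TOKEN' => $token]),
    'wrong token'  => $guard->verify('POST', ['csrf_token' => 'not-the-token'], []),
    'no token'     => $guard->verify('POST', [], []),
    'safe method'  => $guard->verify('GET', [], []),
];
foreach ($results as $case => $accepted) {
    printf("%-13s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}
```

Two details matter in practice: `hash_equals` avoids leaking the token through comparison timing, and treating GET as exempt is only safe if no GET route changes state, which is the convention the rest of the framework has to keep.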

## Password Hashing

```php
class Security
{
    // Hash a plaintext password with bcrypt; the result embeds the salt and cost factor.
    public static function hashPassword($password) {
        return password_hash($password, PASSWORD_BCRYPT);
    }

    // Check a plaintext password against a stored hash (password_verify compares in constant time).
    public static function verifyPassword($password, $hashedPassword) {
        return password_verify($password, $hashedPassword);
    }
}

// Example: hash on registration
$hashed_password = Security::hashPassword($user_password);

// Example: verify on login
if (Security::verifyPassword($input_password, $hashed_password_from_db)) {
    // Password is correct
} else {
    // Invalid password
}
```
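The following added example (not PHPFast's code) shows how the two helpers above fit into a login step, together with the check a practitioner wants alongside them: `password_needs_rehash`, so that stored hashes are upgraded when the bcrypt cost is raised. The function `login_check`, the `HASH_OPTIONS` constant and the `$users` array are constructed for this example; it assumes PHP 7.4 or later.

```php
<?php
// Added example (not PHPFast's own code): login flow around password_hash /
// password_verify with transparent re-hashing. Names below are hypothetical.

declare(strict_types=1);

// Current work factor. Raising it later is what password_needs_rehash() detects.
const HASH_OPTIONS = ['cost' => 12];

function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
}

/**
 * Returns the user record on success, null otherwise. A stored hash produced
 * with weaker parameters is replaced with a fresh one while the plaintext is
 * available. Unknown users are verified against a dummy hash so the response
 * time does not reveal whether the account exists.
 */
function login_check(array &$users, string $username, string $password): ?array
{
    static $dummy = null;
    $dummy = $dummy ?? hash_password('dummy-password-for-timing');
    $stored = $users[$username]['hash'] ?? $dummy;

    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return null; // one generic failure for "no such user" and "wrong password"
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $users[$username]['hash'] = hash_password($password);
    }
    return $users[$username];
}

// Constructed user store: "alice" was hashed earlier with a lower cost factor.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10])],
];

$before  = $users['alice']['hash'];
$ok      = login_check($users, 'alice', 'correct horse battery staple');
$rotated = $ok !== null && $users['alice']['hash'] !== $before; // hash upgraded to cost 12
$bad     = login_check($users, 'alice', 'wrong password');
$unknown = login_check($users, 'nobody', 'anything');

printf("alice login: %s, hash rotated: %s\n", $ok ? 'ok' : 'failed', $rotated ? 'yes' : 'no');
printf("wrong password: %s, unknown user: %s\n", $bad ? 'ok' : 'failed', $unknown ? 'ok' : 'failed');
```

Bcrypt only uses the first 72 bytes of the input, so if the application accepts very long passphrases it should enforce a maximum length at registration rather than silently truncating.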

{% hint style="info" %}
Note

* **Sanitize User Input** – Always clean and validate user input using helper functions to prevent XSS (Cross-Site Scripting) and SQL injection attacks.
* **Enforce HTTPS** – Ensure your application operates over HTTPS to encrypt data in transit, protecting sensitive information from interception.
* **Secure Cookies** – Set the HttpOnly and Secure flags on cookies to prevent unauthorized access and protect against session hijacking.
* **Restrict File Uploads** – Implement strict validation for uploaded files to prevent the risk of executing malicious scripts on your server.
* **Keep Your Framework Updated** – Regularly update PHPFast to the latest version to apply security patches.
{% endhint %}
