Security

Security is essential for any web application. PHPFast comes with built-in features to protect your application from common threats. This section will explain these security tools and show you how to use them effectively.

Data Sanitization

Data sanitization is the process of cleaning and filtering input data to prevent the execution of malicious code, such as Cross-Site Scripting (XSS) or SQL Injection, within your application. PHPFast provides a built-in helper to sanitize data in HTTP requests, enhancing security and protecting against common vulnerabilities.

Using Security.php Libraries

The Security_helper.php library offers essential functions for sanitizing and validating user input to enhance application security. Some key functions include:

xss_clean – Removes potential XSS (Cross-Site Scripting) threats. clean_input – Filters out harmful code from input data. uri_security – Ensures secure handling of URI parameters. url_slug – Converts text into a URL-friendly format. redirect – Safely redirects users to specified locations. base_url – Generates a secure base URL for links.

  1. Load the helper in your controller:

    // Sanitize user input
$clean_input = clean_input($input_data);

  2. The clean_input function will automatically strip out potentially harmful code from the input data, making it safer to use within your application.

Cross-Site Request Forgery (CSRF) Protection

PHPFast comes with built-in CSRF protection, preventing unauthorized commands from being executed through authenticated sessions. The framework automatically generates and verifies CSRF tokens for form submissions, ensuring secure user interactions.

To enable CSRF protection, follow these steps:

  1. Open the config.php file located in the application/Config directory.

  2. Add or update the security settings to include CSRF protection

'security' => [
    'csrf_protection'  => true,               // Enable CSRF protection
    'csrf_token_name'  => 'csrf_token',       // Name of the CSRF token
    'csrf_header_name' => 'X-CSRF-TOKEN',     // CSRF token header for AJAX requests
    'csrf_expiration'  => 7200,               // Token validity period in seconds
],

Password Hashing

public static function hashPassword($password) {
    return password_hash($password, PASSWORD_BCRYPT);
}

// Example
$hashed_password = Security::hashPassword($user_password); 

//----------------------------------------------------------------------------------
public static function verifyPassword($password, $hashedPassword) {
    return password_verify($password, $hashedPassword);
}

// Example
if (Security::verifyPassword($input_password, $hashed_password_from_db)) {
    // Password is correct
} else {
    // Invalid password
}

Note

  • Sanitize User Input – Always clean and validate user input using helper functions to prevent XSS (Cross-Site Scripting) and SQL injection attacks.

  • Enforce HTTPS – Ensure your application operates over HTTPS to encrypt data in transit, protecting sensitive information from interception.

  • Secure Cookies – Set the HttpOnly and Secure flags on cookies to prevent unauthorized access and protect against session hijacking.

  • Restrict File Uploads – Implement strict validation for uploaded files to prevent the risk of executing malicious scripts on your server.

  • Keep Your Framework Updated – Regularly update PHP-Fast to the latest version to apply security patches.

PreviousRenderNextSession

Last updated

Was this helpful?