Web application security

Security is a process, not a product, and adopting a sound approach to security during the process of application development will allow you to produce tighter, more robust code. https://www.sitepoint.com/php-security-blunders/

Good articles about PHP web application security:

SQL Injection vulnerabilities

Database tools are all

Good Articles about SQL injection:

Cross-site request forgery protection

Good articles about CSRF:

The framework introduces a simple instantiable class CRSFToken for CSRF token generation. This class requires a running PHP session in order to work.

  • An example of a token used in an HTML form
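    <?php

    namespace Sphp\Security;

    // CRSFToken requires a running PHP session; the generated value is what the
    // server later verifies when the form is submitted.
    $token = new CRSFToken();
    $value = $token->generateToken('csrf_token');
    ?>
    <form>
    ...
    <!-- Encode for the HTML attribute context at the point of output, even though the
         token is framework-generated: output encoding is never assumed from the source. -->
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>">
    ...
    </form>
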
  • Execution result as highlighted code
    1.     ...
    2.  
    3.     <input type="hidden" name="csrf_token" value="86e3dc54-ad33-5bf0-8acd-380826a54549">
    4.     ...
    5.  
    6. </form>
  1. Tokens are created by calling CRSFToken::generateToken().
  2. Tokens can be verified by:

Managing user passwords with Password

PasswordInterface defines a verifiable password. It is implemented in an instantiable class Password.

  • PHP code
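    <?php

    namespace Sphp\Security;

    // Build a Password from the plaintext, then rebuild a second one from the hash
    // obtained via getHash(); both instances verify the same plaintext.
    $password1 = Password::fromPassword('password');
    $hash1 = $password1->getHash();
    $password2 = Password::fromHash($hash1);

    // Both calls return true for the matching plaintext (see the execution result).
    var_dump(
            $password1->verify('password'),
            $password2->verify('password'));
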
  • Execution result as highlighted code
    1. bool(true)
    2. bool(true)
    3.  

Input validation

Form input validation

  • FORM input validation example
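    <?php

    namespace Sphp\Validators;

    // One validator per form field, keyed by the field name.
    // The patterns end in \z rather than $: in PCRE, $ also matches just before a
    // trailing newline, so "123\n" would otherwise pass the numbers-only check.
    $validator = (new FormValidator())
            ->setValidator('not_empty', new NotEmpty())
            ->setValidator('url', new Url())
            ->setValidator('num', new Regex('/^\d+\z/', 'Please insert numbers only'))
            ->setValidator('p1', new Regex('/^[a-zA-Z]+\z/', 'Please insert alphabets only'))
            ->setValidator('p2', new Regex('/^[a-zA-Z]{3}\z/', 'Please insert exactly 3 alphabets'));

    // Every field satisfies its validator, so isValid() is true and no errors are recorded.
    $correctData = [
        'not_empty' => 'foo',
        'url' => 'https://www.google.com/',
        'num' => '123',
        'p1' => 'abcde',
        'p2' => 'xyz'];

    echo "Correct data:";
    var_dump($validator->isValid($correctData));
    print_r($validator->errors()->toArray());

    // 'not_empty' is missing and the other values break their patterns, so every
    // field except 'url' reports an error (see the execution result).
    $incorrectData = [
        'num' => 'abc',
        'url' => 'http://foo',
        'p1' => '_err_',
        'p2' => '_err_'];

    echo "\nincorrect data:";
    var_dump($validator->isValid($incorrectData));
    print_r($validator->errors());
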
  • Execution result as highlighted code
    1. Correct data:bool(true)
    2. (
    3. )
    4.  
    5. incorrect data:bool(false)
    6. Sphp\Validators\ErrorMessages Object
    7. (
    8.     [errors:Sphp\Validators\ErrorMessages:private] => Array
    9.         (
    10.             [not_empty] => Sphp\Validators\ErrorMessages Object
    11.                 (
    12.                     [errors:Sphp\Validators\ErrorMessages:private] => Array
    13.                         (
    14.                             [0] => Value is empty
    15.                         )
    16.  
    17.                     [templates:Sphp\Validators\ErrorMessages:private] => Array
    18.                         (
    19.                         )
    20.  
    21.                 )
    22.  
    23.             [num] => Sphp\Validators\ErrorMessages Object
    24.                 (
    25.                     [errors:Sphp\Validators\ErrorMessages:private] => Array
    26.                         (
    27.                             [0] => Please insert numbers only
    28.                         )
    29.  
    30.                     [templates:Sphp\Validators\ErrorMessages:private] => Array
    31.                         (
    32.                         )
    33.  
    34.                 )
    35.  
    36.             [p1] => Sphp\Validators\ErrorMessages Object
    37.                 (
    38.                     [errors:Sphp\Validators\ErrorMessages:private] => Array
    39.                         (
    40.                             [0] => Please insert alphabets only
    41.                         )
    42.  
    43.                     [templates:Sphp\Validators\ErrorMessages:private] => Array
    44.                         (
    45.                         )
    46.  
    47.                 )
    48.  
    49.             [p2] => Sphp\Validators\ErrorMessages Object
    50.                 (
    51.                     [errors:Sphp\Validators\ErrorMessages:private] => Array
    52.                         (
    53.                             [0] => Please insert exactly 3 alphabets
    54.                         )
    55.  
    56.                     [templates:Sphp\Validators\ErrorMessages:private] => Array
    57.                         (
    58.                         )
    59.  
    60.                 )
    61.  
    62.         )
    63.  
    64.     [templates:Sphp\Validators\ErrorMessages:private] => Array
    65.         (
    66.             [_invalid_] => Invalid form data
    67.             [_invalid.form.data_] => Value of %s type given. An array expected
    68.         )
    69.  
    70. )
    71.  