Going from a framework to no-framework [closed]

Current versions of PHP5 include much of the security framework you’re looking for as part of the standard library.

  • Use filter_input_array to declaratively sanitize stuff coming in from the outside.
  • Access your database via PDO with parameterized SQL to prevent SQL injection attacks.
  • Use the following PHP settings to make your site more resistant to session fixation and cookie theft:
    • session.use_only_cookies (Prevents your session token from leaking into the URL)
    • session.cookie_httponly or the httponly attribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers)
    • More suggestions and PHP example code available on Wikipedia.
    • You can also use the httponly attribute with setcookie().
  • Nothing fancier than basic templating and header-setting is required for new HTTP and HTML5 features:
    • HTTP Strict Transport Security (Helps protect against WiFi exploits.)
    • X-Frame-Options (Restrict embedding of your pages. Good against phishing.)
    • HTML5 IFrame Sandbox Attribute (Sandbox 3rd-party ads/badges/videos. Already in WebKit. Likely to be at least partially implemented in Firefox 11.)
    • Content Security Policy (Firefox 4’s new security framework, complementary to the sandbox attribute. Now also being implemented in Chrome.)

If you’re accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.

As far as I can tell, PHP doesn’t come with a mechanism for protecting against cross-site request forgery, but I’m sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.

Out of curiosity, I decided to also start looking at standalone components and here’s what I’ve found so far:

Templating:

  • PHP Template Inheritance (Regular PHP plus template inheritance)
  • TWIG (Django/Jinja2/Liquid-style syntax including autoescape and sandboxing. Compiles to cached PHP for speed.)
  • Dwoo (A faster, more featureful, PHP5-ish successor to Smarty. Includes a compatibility system for existing Smarty templates.)

Stuff I still haven’t looked into properly:

  • Route dispatching (Only found RouteMap and Net_URL_Mapper so far. Thanks, cweiske.)
  • ORM (Just in case bare PDO isn’t your thing)
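The standard-library pieces listed above wired together in one form-handling script, as an added example that is not part of the original answer. It assumes PHP 7 or later, a hypothetical `users` table in a database named `app` with placeholder credentials, and HTML Purifier loaded through Composer's autoloader; the CSRF token check is a hand-rolled minimal version, since PHP ships none.

```php
<?php
// Added example (not from the original answer). Assumes PHP 7+, a hypothetical
// "users" table in database "app", and HTML Purifier via Composer autoload.
require_once 'vendor/autoload.php';

// Session hardening: no session id in URLs, cookie invisible to page scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Browser-enforced policies need nothing more than header() calls.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
header('X-Frame-Options: DENY');
header("Content-Security-Policy: default-src 'self'; frame-src 'none'");

// Minimal CSRF protection (PHP has no built-in): a per-session token that the
// form page emits as a hidden field and this handler compares in constant time.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    exit('form handler: POST only');
}
$token = filter_input(INPUT_POST, 'csrf', FILTER_DEFAULT);
if (!is_string($token) || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(403);
    exit('bad CSRF token');
}

// Declarative validation; HTML Purifier whitelists the rich-text field.
$purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
$in = filter_input_array(INPUT_POST, [
    'email' => FILTER_VALIDATE_EMAIL,
    'age'   => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 0, 'max_range' => 150]],
    'bio'   => ['filter'  => FILTER_CALLBACK,
                'options' => [$purifier, 'purify']],
]);
// null = field missing, false = failed validation; reject either.
if (!$in || in_array(false, $in, true) || in_array(null, $in, true)) {
    http_response_code(400);
    exit('invalid input');
}

// Parameterized SQL via PDO: user values never become part of the query text.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('INSERT INTO users (email, age, bio) VALUES (:email, :age, :bio)');
$stmt->execute([':email' => $in['email'], ':age' => $in['age'], ':bio' => $in['bio']]);
```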
