Protection from SQL injections

Before inserting values into an SQL query (in direct database requests) you should process them with the special "secure()" method, which escapes single quotes. This method is contained in the "Database" class and is available through the "$db" object, which is present in each model and plug-in.

Attention! The Query Constructor applies the "secure()" method to input data on its own. If direct requests are used, then when calling the "secure()" method you don't need to wrap the value in single quotes, since this method in its turn calls the PDO method "quote()", which already adds them.

//Data that needs to be secured
$param = $_GET["param"];

//For the "type" value quotes are not required: secure() returns the value already quoted
$row = $this -> db -> getRow("SELECT * FROM `products`
                              WHERE `active`='1'
                              AND `type`=".$this -> db -> secure($param));

//For integer values it's better to use the intval() function
$row = $this -> db -> getRow("SELECT * FROM `table` WHERE `id`='".intval($_GET["id"])."'");

XSS when Filling in Forms

Data entered into form fields (created by an object of the "Form" class, as described in the Creation of Forms section) is processed by the "htmlspecialchars()" function in ENT_QUOTES mode, so potentially dangerous HTML characters are replaced by their HTML entities.

HttpOnly cookies

The session cookie, as well as the cookies set by the Admin Panel, have the HttpOnly flag turned on by default, which makes them unreadable from JavaScript. This gives an additional layer of protection against XSS. HttpOnly mode can be turned off in the "config/setup.php" file.

Security of the Admin Panel

  • After 2 failed login attempts the user is asked to enter a captcha.
  • Password recovery occurs only after entering a captcha and confirming via the link sent by email.
  • The session is bound to the browser and IP address.
  • Tokens are used to prevent CSRF when operating the Admin Panel.
  • Users are logged out automatically on timeout (with an option to auto-login).

URL in Router object

The Router object strips single quotes from the URL address, but GET parameters are left as they were, so if they are used in direct requests you need to call the "secure()" method of the database object.

$row = $this -> db -> getRow("SELECT * FROM `products` 
                              WHERE `color`=".$this -> db -> secure($_GET['color']));
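The following added example (not the framework's own code) illustrates the "secure()" behaviour described in the SQL injection section and used again here for GET parameters. It assumes a minimal stand-in "Database" class that wraps a PDO connection, and uses an in-memory SQLite database with constructed data.

```php
<?php
// Stand-in for the framework's "Database" class (assumption: it wraps PDO).
class Database
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Returns an escaped SQL literal that already carries its own quotes,
    // e.g. O'Reilly -> 'O''Reilly' (SQLite doubles the embedded quote).
    public function secure(string $value): string
    {
        return $this->pdo->quote($value);
    }

    // Runs a SELECT and returns the first row, or null when nothing matches.
    public function getRow(string $sql): ?array
    {
        $row = $this->pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (id INTEGER, type TEXT, active INTEGER)");
$pdo->exec("INSERT INTO products VALUES (1, 'O''Reilly', 1)"); // constructed row
$db = new Database($pdo);

// Constructed stand-in for $_GET["param"]; the embedded quote is harmless
// because secure() escapes it and supplies the surrounding quotes itself.
$param = "O'Reilly";
$row = $db->getRow("SELECT * FROM `products` WHERE `active`='1' AND `type`=" . $db->secure($param));
echo $row['type'], PHP_EOL; // O'Reilly

// Wrapping the result of secure() in quotes again yields a malformed literal
// ('''O''Reilly''' in SQLite), so the query is no longer what was intended.
echo "WHERE `type`='" . $db->secure($param) . "'", PHP_EOL;

// Integer ids: intval() yields a bare number (junk after the digits is dropped),
// so the value can be placed in the query directly, as the page recommends.
$id = intval("1abc"); // constructed stand-in for $_GET["id"]
$row = $db->getRow("SELECT * FROM `products` WHERE `id`='" . $id . "'");
echo $row['id'], PHP_EOL; // 1
```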