Security

Protection from SQL injections

Before placing values in SQL query (in direct database requests) you should process them with a special "secure()" method for screening a single quote. This method is contained in the class "Database" and is available in "$db" object, located in each model and plugin.

Attention! Query constructor independently applies "secure()" method to input data. If Direct requests are used, and you call "secure()" method you don't need to wrap a value in single quotes since this method will call the PDO method "quote()".

//Data that needs to be securely processed
$param = $_GET["param"];

//For "type" value quotes are not required 
$row = $this -> db -> getRow("SELECT * FROM `products` 
                              WHERE `active`='1'
                              AND `type`=".$this -> db -> secure($param);

//For integer values it’s better to use intval() function
$row = $this -> db -> getRow("SELECT * FROM `table` WHERE `id`='".intval($_GET["id"])."'");

XSS in form protection

Data entered into form fields (which are created by the object of "Form" class as described in Creation of forms section) are processed by the "htmlspecialchars()" function in ENT_QUOTES mode. This way, potentially dangerous HTML characters are turned into html mnemonics (entities).

HTTP only cookie

Session cookie, and also cookies set by admin panel have a turned on flag of HttpOnly by default, that makes it impossible to read them by JavaScript. This option puts an additional shield for performing XSS. HttpOnly mode can be turned off in "config/setup.php" file.

Safety of admin panel

  • After 2 failed attempts to login, the user will be offered to enter captcha.
  • Recovery of the password occurs only after entering captcha and confirmation by the link to email.
  • Session is bound to the current browser and IP address.
  • Tokens to avoid a possibility of CSRF when creating, updating or deleting records.
  • Users will be logged out automatically by timeout (with an option to auto-login).

URL in router object

In Router object a single quote will be removed from URL address, but GET parameters remain as initial and in case they are used in direct requests you need to call "secure()" method from a database object.

$row = $this -> db -> getRow("SELECT * FROM `products` 
                              WHERE `color`=".$this -> db -> secure($_GET['color']));

Previous

AJAX

Next

Debugging