Security
Production mode
The development/production mode is switched via the .env file in the project root. In production mode, all errors and warnings are written to the log folder instead of being displayed, and the user is shown a 404 error page.
APP_ENV=production
Protection against SQL injections
Before substituting values into an SQL query without using the query builder, they must be processed by the special secure() function. This method belongs to the Database class and is available through the $db object that is present in every model and plugin.
The query builder applies the secure() method to incoming data itself. If you are writing direct queries, you do not need to enclose the result of secure() in single quotes: it already returns the value in quoted form.
//secure() returns the value already quoted, so no single quotes are added around it
$row = $this -> db -> getRow("SELECT * FROM `products`
    WHERE `active`='1'
    AND `type`=".$this -> db -> secure($param));
//For integer values, it is better to use the intval() function; the result is quoted by hand
$row = $this -> db -> getRow("SELECT * FROM `table`
    WHERE `id`='".intval($param)."'");
Admin panel security
- After two unsuccessful authorization attempts, the user is prompted to enter CAPTCHA.
- Password recovery is possible only after entering a CAPTCHA and confirming via an email link.
- Binding a session to a browser and IP address.
- Tokens to prevent CSRF during operations in admin panel.
- Logging the user out after a timeout, with optional automatic login.
URL in the Router object
The Router object removes single quotes from the URL path, but GET parameters are left in their original form. If they are used in direct queries, you must pass them through the secure() method of the database object.
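The following model, added here as an example and not taken from the project's own code, puts the two preceding sections together: raw GET parameters reach the model unchanged, so every string value goes through secure() and every integer through intval(). It also covers a case the sections do not spell out: secure() protects values only, so a client-chosen ORDER BY column must be checked against a whitelist. The base class name Model, the getAll() method, and the table and column names are assumptions; $this->db with secure() and getRow() is the object described above.

```php
<?php
// Added example, not part of the project's documentation.
// Assumes the framework's $this->db object with secure() and getRow() as described
// on this page. The base class Model, the method getAll() and the table/column
// names are assumptions made for the example.

class ProductModel extends Model
{
    // Columns a client may sort by. secure() protects VALUES, not identifiers:
    // a column name cannot be quoted, so it is validated against a whitelist.
    private const SORTABLE = ['id', 'price', 'title'];

    // UNSAFE: GET parameters are not touched by the Router, so concatenating
    // $type and $id directly lets query syntax from the request reach the database.
    public function findUnsafe(string $type, string $id): ?array
    {
        return $this->db->getRow("SELECT * FROM `products`
            WHERE `active`='1' AND `type`='".$type."' AND `id`='".$id."'");
    }

    // SAFE: the string goes through secure(), which returns it already enclosed
    // in single quotes; the integer is cast with intval() and quoted by hand.
    public function find(string $type, string $id): ?array
    {
        return $this->db->getRow("SELECT * FROM `products`
            WHERE `active`='1'
            AND `type`=".$this->db->secure($type)."
            AND `id`='".intval($id)."'");
    }

    // Listing with a client-controlled sort column and page size.
    public function listByType(string $type, string $sort, string $limit): array
    {
        // Identifier: whitelist with a fixed fallback, never secure() or quoting.
        $column = in_array($sort, self::SORTABLE, true) ? $sort : 'id';
        // Numeric bound: intval() first, then clamp so a negative or huge
        // value cannot reach the LIMIT clause.
        $limit = max(1, min(100, intval($limit)));

        return $this->db->getAll("SELECT * FROM `products`
            WHERE `active`='1'
            AND `type`=".$this->db->secure($type)."
            ORDER BY `".$column."` ASC
            LIMIT ".$limit);
    }
}

// Typical call from a controller, passing raw GET input (constructed sample
// parameter names) straight to the model, which does all the sanitising:
// $rows = $model->listByType($_GET['type'] ?? '', $_GET['sort'] ?? 'id', $_GET['limit'] ?? '20');
```

The split is deliberate: secure() and intval() handle values, the whitelist handles identifiers, and the clamp handles numeric bounds. Keeping findUnsafe() next to find() makes the difference visible in code review: a bare "'".$param."'" around a request value is the pattern to reject.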
Using a CSRF token for forms
A detailed description is given in the Form security section.
$form = new Form(...);
$form -> useTokenCSRF();