Hi,
I have never used any framework for PHP or MySql before. I would want to know if there exists a framework with secure functions for Log in, Log out, recover forgotten password, for preventing XSS or Brute Force attacks, and functions to check and clean input text to send to MySql queries, and manage safely PHP sessions. I would want to integrate in my PHP and MySql work.
Please, can you suggest me anything about? Many thanks!!
PHP takes care of XSS and brute force attacks for you - all you need to do is to validate all $_POST values and sanitize all $_GET values before you use them. In many cases there are filters available in PHP to do this for you - where there isnât you can use preg_match for validating and preg_replace for sanitizing.
The password_hash() function takes care of securing the password used for logging in.
Using prepare statements for the mySQL calls both speeds up the database calls and makes them more secure.
If you are looking for a framework then check that it uses the above.
Thanks! But, as good can be my own code, I am always doubtful about its safety. So, this is the main reason I would want to find some good tested functions that make that things in the best and secure possible way!
You could try
The OWASP Zed Attack Proxy (ZAP) is one of the worldâs most popular free security tools and is actively maintained by hundreds of international volunteers
It might reveal some ânon-concern issuesâ but IMHO it does a good job at finding security risks.
Laravel and Symfony provide everything youâre looking for.
Therefore, should I use PDO or MySQLi extensions, instead of the default mysql functions?
Use pdo.
Though using PDO itself has nothing to do with preventing SQL injection. You need to properly sanitize and use prepared statements. PDO just makes it a lot easier to do so via providing a fluent interface for variable binding.
If you use Doctrine or Eloquent you wonât have to worry about any of that crap unless you write a query manually which is highly unlikely.
Donât use PDO.
Instead, use your frameworkâs ORM and query builder.
No oneâs mentioned using them beforeâŚ
If its Laravel use Laravel Doctrine. Eloquent and ActiveRecords in general are limited, outdated, crap.
mysql isnât the default - it was replaced by mysqli and PDO in July 2004 and ceased to exist in PHP at all in December 2015.
Using PDO or MySqli prepared statements, do I need to validate and sanitize?
Yes - or do you just want the database filled with junk?
Validating and sanitizing is security step zero.
Using prepared statements makes the database calls more efficient and stops the data being confused with the SQL - any security aspect of it is a side effect.
This question is two-fold.
When using prepared statements, you donât need no other sanitization or validation related to datavase interaction (as long as your query could be parameterized).
However, it doesnât make your free from whatever else validations, related to your business logic, or sanitizations that have to be applied to your data for any medium other than SQL
such as making sure names donât contain numbers and ages donât contain special characters and so on - which apply even if all you are doing is saving the values directly to the database - using prepare statements means you donât have to escape the data to tell the difference between the dtata and the SQL - it doesnât ensure that the data is meaningful - for that you need to validate it when first entered by the user.
I have another doubt:
If I want to select or insert a string containing a single quote (or whatever stuff that needs to be escaped): OâConnor, How prepared statements treats that string?
And also if I have cure to sanitize and validate and escaping strings to send to db, do the normal mysqli improved functions are still unsafe? thanks!
you donât have to escape anything provided the data is not jumbled with code. As prepare statements keep the code and data separate escaping is unnecessary as there is nothing in the data that can be misinterpreted as code as they are not in the same statement.
validating all user inputs to make sure the values make sense and sanitizing values passed into the code that could potentially have been tampered with to make sure they donât contain anything that could be harmful have nothing whatever to do with writing to the database - they are things you should always do first in any code to make sure you are not trying to process junk.
Prepared statementsâ primary purpose is to treat data properly, so you have nothing to worry about.
While regarding mysqli functions, it is not functions that are unsafe but the way you are using them. So, if you are going to use ânormal mysqli improved functionsâ the same way as old mysql functions, then your approach is still insecure.
However, I donât see how these latter questions are related to your initial concern about PHP frameworks.
Find secure functions for mysql. And prepared statements in someway they are (we have talked about them after my first post, and they were new to me before this thread). Maybe the right title would have been âWhat is the right php framework having safe mysql functions?â.
For example if I want to insert stuff into db, simply I put that stuff (and other things in âwhereâ conditions) as parameter of a secure function without have care of the sql syntax and of escaping.
I have seen something looking at Medoo - The lightest PHP database framework to accelerate development, I didnât used that before and I donât know if I will use that in future, but I think that a framework similar to that will fast your work with db, and I think the creators of it, they considered security issues in their functions!
This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.