marcocesarato / security
AIO Security Class offers an automatic system of protection for developers' projects and simplifies some security operations, such as checks for CSRF or XSS, all in a simple class. In fact you can just call the main method to get better security without complicated operations.
Installs: 2 343
Dependents: 0
Suggesters: 0
Security: 0
Stars: 37
Watchers: 9
Forks: 14
Type: console
Requires
- php: >=5.1.2
This package is auto-updated.
Last update: 2024-10-11 20:44:54 UTC
README
Version: 0.2.8.183 beta
Github: https://github.com/marcocesarato/PHP-AIO-Security-Class
Author: Marco Cesarato
IF YOU USE SOME OF THESE METHODS IN YOUR PROJECT, PLEASE CREDIT ME :) THANK YOU!
Description
This is a security class in PHP with some useful and automatic static methods.
The objective of this class is to offer an automatic system of protection for developers' projects and to simplify some security operations, such as checks for CSRF or XSS, all in a simple class. In fact you can just call the main method to get better security without complicated operations.
Antimalware Scanner
Link Repository: https://github.com/marcocesarato/PHP-Antimalware-Scanner
Instructions
Composer
- Install composer
- Type
composer require marcocesarato/security
- Go to vendor/marcocesarato/security/ to find the source
- Move .htaccess to your ROOT directory (or try to merge it with your .htaccess)
- Configure the class
- Enjoy
Implementation
1.1 - Include the class
use marcocesarato\security\Security;
or
include 'Security.php';
1.2 - Session storage in a database (Optional) (PDO/CPDO instances only)
$conn = new PDO(...);
Security::setDatabase($conn); // Or: Security::$database = $conn;
2.0 - Just create a new object to be safer (the constructor/putInSafety filters the $_REQUEST and $_GET globals, adds some useful security headers, checks for hijacking and checks the URL request)
$isAPI = false; // default is FALSE (TRUE removes some checks that could block API requests)
$security = new Security($isAPI);
or just call
$isAPI = false; // default is FALSE
Security::putInSafety($isAPI);
NOTES:
1 You can also call only the methods that you need instead of this method
2 The constructor and putInSafety are the same thing
3 These methods call session_start(), so don't call it yourself before or after them
4 The global $_POST is not filtered unless you enable the cleanGlobals feature in the settings
All the uncleaned data can be recovered from the following globals:
$GLOBALS['UNSAFE_SERVER'] = $_SERVER;
$GLOBALS['UNSAFE_COOKIE'] = $_COOKIE;
$GLOBALS['UNSAFE_GET'] = $_GET;
$GLOBALS['UNSAFE_POST'] = $_POST;
$GLOBALS['UNSAFE_REQUEST'] = $_REQUEST;
3 - Prevent XSS/SQL injection on your variables with:
$is_html = true; // default is TRUE
$have_quotes = true; // default is TRUE
$escape_string = true; // default is TRUE unless you set FALSE in the class config
$var = Security::clean($_POST['var'], $is_html, $have_quotes, $escape_string);
echo $var;
or
Security::cleanGlobals();
PS: THIS COULD COMPROMISE DATA IF YOU SEND HTML WITH SCRIPT TAGS
Sending the value encoded with htmlentities could be a solution if you want inline JS and clean globals at the same time
4 - Use the output method to filter your output (it also checks for CSRF)
ob_start();
// ... Your code ...
echo Security::output(ob_get_clean());
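The steps above combined into one page, as an added example that is not part of the package's README or code. It assumes a Composer install (autoloader present) with the .htaccess moved as described, that passing $is_html = false to Security::clean() treats the value as plain text, and the constructed field names "name" and "comment".

```php
<?php
// Added integration example, not the package's own code. Assumptions: Composer
// autoloader present, .htaccess moved to the web root as the README describes,
// $is_html = false makes Security::clean() treat the value as plain text, and
// the form fields "name" and "comment" are constructed for this demo.
require __DIR__ . '/vendor/autoload.php';

use marcocesarato\security\Security;

// Buffer everything first, so the whole page goes through Security::output().
ob_start();

// The constructor filters $_REQUEST and $_GET, adds the security headers, runs
// the hijacking and URL-request checks and calls session_start() itself, so no
// session_start() of our own before or after this line (README note 3).
$security = new Security(false);   // false: a normal page, not an API endpoint

// $_POST is not filtered by the constructor unless cleanGlobals is enabled in
// the settings (README note 4), so each field is cleaned explicitly with
// parameters that fit its purpose.
$name = '';
$comment = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A display name never needs markup: $is_html = false.
    $name = Security::clean(isset($_POST['name']) ? $_POST['name'] : '', false, true, true);
    // A comment may keep HTML ($is_html = true); the README warns that HTML
    // containing script tags can be damaged by the cleaning, so inline JS is
    // not expected to survive here.
    $comment = Security::clean(isset($_POST['comment']) ? $_POST['comment'] : '', true, true, true);
}
?>
<!DOCTYPE html>
<html>
<head><title>Guestbook</title></head>
<body>
<form method="post" action="">
    <label>Name <input type="text" name="name" value="<?php echo $name; ?>"></label>
    <label>Comment <textarea name="comment"><?php echo $comment; ?></textarea></label>
    <button type="submit">Send</button>
</form>
<?php if ($name !== ''): ?>
<p>Last entry by <?php echo $name; ?>:</p>
<blockquote><?php echo $comment; ?></blockquote>
<?php endif; ?>
</body>
</html>
<?php
// Final README step: filter the buffered page; the README states that this
// method also performs the CSRF check.
echo Security::output(ob_get_clean());
```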
Enjoy!
Options
These are the options available:
PS: You can change the configuration as follows for each parameter, or simply edit the variable directly in the class file:
Security::$session_name = "MYSESSID";
Configs
Autostart
Error template
// Error Template
$error_callback = null; // Set a callback on errors
$error_template = '<html><head><title>${ERROR_TITLE}</title></head><body>${ERROR_BODY}</body></html>';