Security

In this section we talk about security and the helpers PHP Booster provides to prevent some common attacks:

CSRF Attack

Cross-site request forgery (CSRF) is an attack that abuses form submissions: a victim's browser is tricked into sending a request to your application using the victim's own session. To read more about cross-site request forgery visit: https://en.wikipedia.org/wiki/Cross-site_request_forgery

To avoid this type of attack, PHPBooster enables CSRF protection by default. You can set it to false if you do not want this protection; you change it in:

$ config/config.php

There you will find the following code:

<?php 
define("APP_ENV", "local");                                 //Environment "local" or "prod" to display errors or not
define("HOST", "localhost");                                //Database Host
define("DATABASE", "");                                     //Database Name
define("USER", "root");                                     //Database User
define("PASSWORD", "");                                     //Database Password
define("MAIL_DRIVER", "smtp");                              //Email Driver
define("MAIL_HOST", "smtp.gmail.com");                      //SMTP Server Host
define("MAIL_PORT", "587");                                 //SMTP Port (587 in the case of Gmail with TLS)
define("MAIL_USERNAME", "account@gmail.com");               //Email account used to send emails
define("MAIL_ALIAS", '');                                   //Alias for the email account
define("MAIL_PASSWORD", "");                                //Password for the email account (Gmail, for example)
define("MAIL_ENCRYPT", "tls");                              //Email encryption type
define("LENGUAGE", "es");                                   //Language to display in the App
define("CONTINENT", "America");                             //Timezone Continent for the App
define("COUNTRY", "Guatemala");                             //Timezone Country for the App
define("CSRF_PROTECTION", true);                            //Cross-Site Request Forgery protection, true or false
?>

Please feel free to change all of this data to your own values: database credentials, mail account and the locale settings.

define("CSRF_PROTECTION", true); 
//change it to false to turn off the validation for this attack

Disabling it is not recommended. The protection is enabled by default, but it is possible to change it.

To use this protection in all your forms, PHPBooster requires a CSRF token: inside every form you need to add the helper csrf_token_field()

Ex:

<form action="<?php url('users/store'); ?>" method="post">
    <?php csrf_token_field(); ?>
    <input type="text" name="email" value="<?php old('email')?>">
    <input type="password" name="password">
    <input type="submit" value="send">
</form>

It creates a hidden input with the token. You can now send data to your controllers and everything will work, but you should validate the request to check that the data really came from your own app. In your controller you can use a helper to validate it, as in the next example:

<?php
use Libs\BoosterORM\BoosterORM;
class UsersController
{
...
    public function store()
    {
        if (validate_csrf()) {
            //your code to store data with
            //BoosterORM or
            //BoosterQueryBuilder
        } else {
            //the token is missing or does not match: do not store anything
            redirect('users/create')->with('Error', 'Invalid request');
        }
    }
}
?>
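To make clear what the csrf_token_field() / validate_csrf() pair is doing behind the scenes, here is the synchronizer-token pattern written out with native PHP. This is an added example, not PHP Booster's own implementation: the function names (csrfToken, csrfField, csrfValidate, handleStore), the session key 'csrf_token' and the field name '_token' are assumptions chosen for the illustration.

```php
<?php
// Added example (not PHP Booster code): the synchronizer-token pattern that a
// csrf_token_field()/validate_csrf() pair typically implements.
// Assumed names: csrfToken, csrfField, csrfValidate, handleStore,
// session key 'csrf_token', form field '_token'.

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD_NAME  = '_token';

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// One token per session, generated from a CSPRNG: 32 random bytes -> 64 hex chars.
function csrfToken(): string
{
    ensureSession();
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// What a csrf_token_field()-style helper prints: a hidden input carrying the token.
function csrfField(): string
{
    // Escape on output so the value can never break out of the attribute.
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $token . '">';
}

// What a validate_csrf()-style helper checks: the submitted token must equal the
// one stored in the session.
function csrfValidate(array $request): bool
{
    ensureSession();
    $expected  = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $submitted = $request[CSRF_FIELD_NAME] ?? '';
    if ($expected === '' || !is_string($submitted) || $submitted === '') {
        return false;
    }
    // hash_equals() compares in constant time, so the check does not leak the
    // token byte by byte through timing differences.
    return hash_equals($expected, $submitted);
}

// Controller side: reject before doing any state-changing work. Only POST is
// accepted, because a GET that changes state can be triggered by a plain link.
function handleStore(array $request): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrfValidate($request)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... store the data ...
}

// Rendering side: emit the hidden field inside every form that changes state.
echo '<form action="/users/store" method="post">' . csrfField() . '</form>';
```

The two properties that matter are visible here: the token comes from random_bytes(), so an attacker's page cannot guess it, and the comparison is done with hash_equals() rather than ==, which would both accept type-juggled values and leak timing. Forms that change state should always use method="post"; a state-changing GET bypasses the whole scheme.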

XSS Attack

To protect against script injection, PHPBooster provides helpers for the frontend, the backend and requests.

To clean a request in controllers you could use the helper:

clearField();

As a parameter you can pass $_POST, $_GET or any other request data; it strips several kinds of malicious input, such as JavaScript and SQL fragments. Cleaning input does not replace escaping values at the moment they are printed into HTML: treat the helper as a first line of defense, not the only one.
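To see why output escaping is still needed after the input has been cleaned, here is an added example using only native PHP (it is not PHP Booster's clearField() helper). The escape() and naiveClean() functions and the two payloads are constructed for the demonstration.

```php
<?php
// Added example (not PHP Booster code): input cleaning versus output escaping.
// escape() and naiveClean() are hypothetical helpers; the payloads are constructed.

// Context-aware escaping for HTML body text and quoted attributes.
function escape(string $value): string
{
    // ENT_QUOTES escapes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string, which would silently drop the value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A naive "cleaner" that only removes tags, standing in for a generic clean step.
function naiveClean(string $value): string
{
    return strip_tags($value);
}

$payloads = [
    // Classic tag-based payload: strip_tags removes the <script> element.
    'tag'       => '<script>alert(1)</script>',
    // Attribute-breakout payload: there is no tag to strip, so strip_tags leaves
    // it untouched, and once it lands inside value="..." it adds an event handler.
    'attribute' => '" autofocus onfocus="alert(1)',
];

foreach ($payloads as $name => $payload) {
    $cleaned = naiveClean($payload);

    // Unsafe: the "cleaned" value is concatenated straight into an attribute.
    $unsafe = '<input type="text" name="email" value="' . $cleaned . '">';

    // Safe: escape at the point of output, whatever cleaning happened earlier.
    $safe = '<input type="text" name="email" value="' . escape($payload) . '">';

    echo "[$name]\n  stripped only: $unsafe\n  escaped:       $safe\n\n";
}
```

The second payload is the instructive one: it contains no tag, so a tag-stripping cleaner passes it through, and when the value is echoed into the old('email') attribute of the form it closes the value attribute and appends onfocus="alert(1)". Escaping with htmlspecialchars() at output time turns the quote into &quot; and the markup stays intact. Escape according to where the value lands (HTML body, attribute, URL, JavaScript); the function above covers the first two.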

To print parameters in views that should not be readable in clear text, PHPBooster provides helpers to encrypt and decrypt fields:

encryptField();

You can print link parameters or other values with this helper to encrypt the data. The encryption is generated dynamically per project, so every project automatically produces different ciphertext. The helper supports strings and integers, so you can pass a value from $_POST or $_GET or a variable of your own.

To decrypt that information you can use the following helper:

decryptField();

Pass the encrypted value as the parameter and it returns the decrypted field.

And if I want a one-way hash that cannot be decrypted?

You could use the helper:

bcrypt();

This is useful for a login, for example: to check that the submitted password matches the hash stored in the database (or in any other variable) you can use a simple, native PHP function:

password_verify(string $password, string $hash): bool

In this particular case you could use it as:

$password = $_POST['password'];
$user = User::find($_POST['email'], 'email');
if ($user && password_verify($password, $user->password)) {
    //your code to set the user as logged in!
} else {
    //same message for an unknown email and a wrong password, so the
    //response does not reveal which accounts exist
    redirect('login')->with('Error', 'User not found :(');
}
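The following added example walks through the whole life cycle of a one-way password hash with PHP's native password API, which is what a bcrypt()-style helper wraps. It is not PHP Booster code: hashPassword() and checkPassword() are hypothetical helpers, and $storedHash stands in for the value you would read from the users table.

```php
<?php
// Added example (not PHP Booster code): one-way password hashing with native PHP.
// hashPassword()/checkPassword() are hypothetical helpers; $storedHash stands in
// for the column read from the database.

// Registration: bcrypt with an explicit work factor. password_hash() generates a
// random salt and embeds it in the returned string together with the cost.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login: password_verify() re-derives the hash from the stored salt and compares
// in constant time. Never compare hashes yourself with == or ===.
function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Maintenance: when you raise the cost, upgrade the stored hash on the next
// successful login, because the plain text is only available at that moment.
function rehashIfNeeded(string $plain, string $storedHash, int $newCost): string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $newCost])) {
        return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $newCost]);
        // then: UPDATE users SET password = <new hash> WHERE id = ...
    }
    return $storedHash;
}

$storedHash = hashPassword('correct horse battery staple');

// The stored value is a self-describing string: algorithm ($2y$), cost, salt, hash.
echo "stored: $storedHash\n";

// Correct password verifies; a single changed character does not.
echo checkPassword('correct horse battery staple', $storedHash) ? "login ok\n" : "login failed\n";
echo checkPassword('Correct horse battery staple', $storedHash) ? "login ok\n" : "login failed\n";

// Two hashes of the same password differ because each gets a fresh salt, so you
// cannot look a user up by hashing the submitted password and searching for it:
// find the user by email first, then verify, as in the login example above.
echo hashPassword('same') === hashPassword('same') ? "hashes equal\n" : "hashes differ\n";

// Upgrading the work factor after a successful login.
$upgraded = rehashIfNeeded('correct horse battery staple', $storedHash, 13);
echo $upgraded === $storedHash ? "no rehash needed\n" : "rehashed at higher cost\n";
```

Two caveats worth knowing: bcrypt only looks at the first 72 bytes of the password, so very long passphrases are silently truncated, and the cost should be tuned so a single hash takes on the order of a few hundred milliseconds on your production hardware, since it slows down offline guessing by exactly that factor.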

SQL Injections

To protect against injection, both BoosterQueryBuilder and BoosterORM build bound (prepared) queries with PDO. In every where() method you can pass, as the second parameter, a single value to bind or an array of values to bind.

for Ex:

In BoosterQueryBuilder:

$users = DB::table('users')->where('role = ?', 'admin')->get();
//or
$users = DB::table('users')->where('role = ? AND status = ?', ['admin', 'online'])->get();

In BoosterORM:

$users = User::where('role = ?', 'admin')->get();
//or
$users = User::where('role = ? AND status = ?', ['admin', 'online'])->get();

In both examples you get a collection of objects, but the most important thing in this section is that you bind parameters with "?" placeholders and pass the values as the second parameter, instead of concatenating them into the query string.
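To show concretely what binding through PDO buys you, here is an added example that runs the same lookup both ways against an in-memory SQLite table with constructed rows. It is not BoosterQueryBuilder or BoosterORM code: findByRoleUnsafe() and findByRoleSafe() are hypothetical functions, and it assumes the pdo_sqlite extension is installed.

```php
<?php
// Added example (not PHP Booster code): string concatenation versus PDO binding.
// Assumes the pdo_sqlite extension; the users rows below are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT, status TEXT)');
$pdo->exec("INSERT INTO users (email, role, status) VALUES
    ('alice@example.com', 'admin', 'online'),
    ('bob@example.com',   'user',  'online'),
    ('carol@example.com', 'user',  'offline')");

// Vulnerable: the value becomes part of the SQL text, so the input can rewrite
// the query. Quoting by hand does not help once the input contains a quote.
function findByRoleUnsafe(PDO $pdo, string $role): array
{
    $sql = "SELECT email FROM users WHERE role = '" . $role . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed at prepare() time and the values travel separately,
// so whatever the input contains is only ever compared as data. This is the
// same "? placeholder plus bound values" shape the where() helpers accept.
function findByRoleSafe(PDO $pdo, string $role, ?string $status = null): array
{
    $sql    = 'SELECT email FROM users WHERE role = ?';
    $params = [$role];
    if ($status !== null) {
        $sql     .= ' AND status = ?';
        $params[] = $status;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input for the role parameter.
$payload = "' OR '1'='1";

// Concatenated, the WHERE clause becomes role = '' OR '1'='1' and matches every row.
echo "unsafe: " . implode(', ', findByRoleUnsafe($pdo, $payload)) . "\n";

// Bound, the database looks for a role literally named "' OR '1'='1" and finds none.
echo "safe:   " . implode(', ', findByRoleSafe($pdo, $payload)) . "\n";

// Normal use with two bound values, as in the two-parameter where() form.
echo "users online: " . implode(', ', findByRoleSafe($pdo, 'user', 'online')) . "\n";
```

One caveat for MySQL users: PDO's MySQL driver emulates prepared statements client-side by default, quoting the values into the SQL text itself. That is still safe for values as long as the connection charset is set correctly (use charset=utf8mb4 in the DSN); setting PDO::ATTR_EMULATE_PREPARES to false makes the server do the binding. Placeholders only cover values: table and column names, ORDER BY directions and LIMIT counts must be validated against an allow-list, since "?" cannot bind them.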
