forked from pi-engine/pi
Dev.Security
Taiwen Jiang edited this page Jul 12, 2013
- References
  - Websites
    - PHP Security Manual (php.net)
    - PHP Security Cheat Sheet (owasp.org)
    - PHP Security Leading Practice
    - PHP Security Guide (phpsec.org)
    - Top 10 PHP Security Vulnerabilities (phpmaster.com)
    - 25 PHP Security Best Practices For Sys Admins (cyberciti.biz)
  - Books and docs
    - Essential PHP Security (Chris Shiflett)
    - Pro PHP Security (Chris Snyder, Thomas Myer and Michael Southwell)
    - PHP Application Security Checklist (sk89q.com)
TODO
- Deployment
  - apache
  - nginx
  - PHP
  - MySQL
  - Pi
- Pi development
  - Input filtering
    - Read parameters from input: see `Pi\Utility\Filter` and `Pi\Mvc\Controller\Plugin\Params`. Each helper takes the parameter name and the filter to apply (here `'int'`), so the value is validated at the point it is read rather than later.
      - GET: `$var = _get('var_name', 'int');` alias in a controller action: `$var = $this->params()->get('var_name', 'int');`
      - POST: `$var = _post('var_name', 'int');` alias in a controller action: `$var = $this->params()->post('var_name', 'int');`
      - PUT: `$var = _put('var_name', 'int');` alias in a controller action: `$var = $this->params()->put('var_name', 'int');`
      - Generic (any request method): `$var = _request('var_name', 'int');` alias in a controller action: `$var = $this->params()->request('var_name', 'int');`
    - Filter a value: `$var = _filter($rawValue, 'email');` Check the result before using it; input that fails the filter must not be used as a fallback to the raw value.
    - Sanitize a value: `$value = _sanitize($rawValue, 'float', 'allow_thousand');` Sanitizing rewrites the value to fit the type instead of rejecting it, so the result is still untrusted until validated.
    - Escape a string for output: `$escapedText = _escape($rawText[, ''|'html'|'css'|'url']);` The optional second argument selects the output context; use the one matching where the text is rendered, since HTML escaping does not make a value safe inside CSS or a URL.
    - Strip a string: `$strippedText = _strip($rawText[, ' '|'-']);`
  - Auditing and monitoring
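As an added example (not Pi Engine's own code, and not the implementation of the `_get`/`_filter`/`_sanitize`/`_escape` helpers listed under Input filtering above), the block below shows the three distinct operations those helpers cover: validating a parameter to a type, sanitizing a value into a type, and escaping a value for an output context. It uses PHP's own filter extension directly so it runs stand-alone on PHP 8; the function names `validate_input`, `sanitize_input` and `escape_html`, the mapping from filter names such as `'int'` and `'email'` to `filter_var()` constants, and the request data are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Pi Engine code. It demonstrates the validate / sanitize /
// escape distinction behind the _get()/_filter()/_sanitize()/_escape() helpers
// using PHP's filter extension directly, so it runs stand-alone (PHP >= 8.0).
// The mapping from filter names ('int', 'email', ...) to filter_var() constants
// is an assumption chosen to match the calls documented on this page.

/**
 * Validate one request parameter. Returns the typed value, or null when the
 * parameter is missing, is not a scalar string, or fails the type check.
 * A null must end the request (400 / redirect), never fall back to raw input.
 */
function validate_input(array $source, string $name, string $type): int|float|string|null
{
    $raw = $source[$name] ?? null;
    if (!is_string($raw)) {          // rejects absent keys and ?id[]=1 style arrays
        return null;
    }
    $result = match ($type) {
        'int'   => filter_var($raw, FILTER_VALIDATE_INT),
        'float' => filter_var($raw, FILTER_VALIDATE_FLOAT),
        'email' => filter_var($raw, FILTER_VALIDATE_EMAIL),
        'url'   => filter_var($raw, FILTER_VALIDATE_URL),
        default => throw new InvalidArgumentException("unknown filter: $type"),
    };
    return $result === false ? null : $result;
}

/**
 * Sanitize a value by stripping characters that cannot belong to the type.
 * Flags mirror the 'allow_thousand' option used on this page. The result is
 * still a string and still needs validation before it is used as a number.
 */
function sanitize_input(string $raw, string $type, string ...$flags): string
{
    $bits = 0;
    foreach ($flags as $flag) {
        $bits |= match ($flag) {
            'allow_thousand'   => FILTER_FLAG_ALLOW_THOUSAND,
            'allow_fraction'   => FILTER_FLAG_ALLOW_FRACTION,
            'allow_scientific' => FILTER_FLAG_ALLOW_SCIENTIFIC,
            default => throw new InvalidArgumentException("unknown flag: $flag"),
        };
    }
    return match ($type) {
        'int'   => (string) filter_var($raw, FILTER_SANITIZE_NUMBER_INT),
        'float' => (string) filter_var($raw, FILTER_SANITIZE_NUMBER_FLOAT, $bits),
        default => throw new InvalidArgumentException("unknown sanitizer: $type"),
    };
}

/** Escape for an HTML text node. Attribute, JS and URL contexts need their own escaper. */
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request data standing in for $_GET and $_POST.
$get  = ['page' => '3', 'id' => '12abc', 'email' => 'user@example.com', 'ids' => ['1']];
$post = ['amount' => '1,234.50', 'comment' => '<script>alert(1)</script> "hi"'];

var_dump(validate_input($get, 'page', 'int'));      // int(3)
var_dump(validate_input($get, 'id', 'int'));        // NULL: "12abc" is rejected, not cast to 12
var_dump(validate_input($get, 'ids', 'int'));       // NULL: array where a scalar was expected
var_dump(validate_input($get, 'email', 'email'));   // string "user@example.com"
var_dump(validate_input($get, 'missing', 'int'));   // NULL: absent parameter
var_dump(sanitize_input($post['amount'], 'float', 'allow_thousand', 'allow_fraction')); // "1,234.50"
var_dump(sanitize_input($post['amount'], 'float')); // "123450": separators stripped, value changed
var_dump(escape_html($post['comment']));            // &lt;script&gt;alert(1)&lt;/script&gt; &quot;hi&quot;
```

Two points the output makes that the one-line helper listing above does not: validation rejects a value like `12abc` outright instead of silently truncating it, so an action reading `_get('id', 'int')` must handle the failure case rather than pass the result on; and sanitizing without the right flags changes the value (`1,234.50` becomes `123450`), which is why a sanitized value is still untrusted until it has been validated. Escaping belongs at output time, chosen per rendering context, not at the point the input is read.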