views: 197

answers: 3

As a web developer I am using PHP and I know that I have to worry about security, but when you use a framework there is a lot of code and design that you rely on but that you didn't code or design; for instance, I am using CakePHP.

  • So in this case, with frameworks, how much should I worry about security?
+6  A: 

You should always continue respecting the basic principles of security:

  • don't trust the user
  • never trust the user

Which kinda means:

  • filter / validate everything that comes to your application
  • escape any output.


Using a framework doesn't change much about that, except that:

  • Output to the database often goes through some layer of the framework, which should deal with escaping
  • Frameworks often provide filtering / validation solutions; use them ;-)
  • Frameworks often have some guidelines; read them.


As a side note, you said this:

there is a lot of code and design that you rely on but that you didn't code or design

Considering you are using a well-known framework that lots of people use, this code has probably been more tested/reviewed than any code you could write ;-)

That's an advantage of open source, actually: you are not the only one responsible for the code, and lots of eyes have seen it -- which means lots of hands have enhanced it.

Pascal MARTIN
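The three rules in the answer above (validate everything coming in, let the database layer bind parameters, escape everything going out) in plain PHP, as an added example that is not part of Pascal's answer and not CakePHP code. The `users` table, its column names, the form fields and the two sample submissions are assumptions constructed for the demonstration; the in-memory SQLite database is used only so the insert runs without a server.

```php
<?php
// Added example, not code from the answer or from CakePHP. Table and column names are assumptions.
declare(strict_types=1);

/**
 * Validate a registration form. Everything in $post is untrusted: accept only what
 * matches the expected shape and report everything else as an error.
 * Returns ['ok' => bool, 'data' => array, 'errors' => array].
 */
function validateRegistration(array $post): array
{
    $errors = [];
    $data = [];

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid e-mail address';
    } else {
        $data['email'] = $email;
    }

    // Username: a fixed character class and length; anything else is rejected outright.
    $username = (string) ($post['username'] ?? '');
    if (!preg_match('/\A[a-z0-9_]{3,20}\z/', $username)) {
        $errors['username'] = 'username must be 3-20 characters from a-z, 0-9 and _';
    } else {
        $data['username'] = $username;
    }

    // Age: an integer in a sane range. FILTER_VALIDATE_INT rejects "12abc" and "1e3".
    $age = filter_var(
        $post['age'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]
    );
    if ($age === false) {
        $errors['age'] = 'age must be an integer between 13 and 120';
    } else {
        $data['age'] = $age;
    }

    return ['ok' => $errors === [], 'data' => $data, 'errors' => $errors];
}

/**
 * Write through the database layer with bound parameters: the driver does the quoting,
 * and the query text never contains user data.
 */
function insertUser(PDO $pdo, array $data): void
{
    $stmt = $pdo->prepare('INSERT INTO users (email, username, age) VALUES (:email, :username, :age)');
    $stmt->execute([
        ':email'    => $data['email'],
        ':username' => $data['username'],
        ':age'      => $data['age'],
    ]);
}

/** Escape for an HTML body/attribute context at output time, whatever was validated on input. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions standing in for $_POST.
$good    = ['email' => 'alice@example.com', 'username' => 'alice_01', 'age' => '34'];
$hostile = ['email' => 'x', 'username' => "bob'; DROP TABLE users;--", 'age' => '12abc'];

foreach (['good' => $good, 'hostile' => $hostile] as $label => $post) {
    $r = validateRegistration($post);
    printf("%s: ok=%s errors=%s\n", $label, var_export($r['ok'], true), implode(', ', array_keys($r['errors'])));
}

$r = validateRegistration($good);
// Rendered output is escaped even though the value already passed validation.
echo '<p>Welcome, ' . h($r['data']['username']) . '</p>', PHP_EOL;

// Run the insert against an in-memory SQLite database if the driver is present (assumption).
if (in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, username TEXT, age INTEGER)');
    insertUser($pdo, $r['data']);
    echo 'rows in users: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
}
```

Run it with `php example.php`. The point of keeping validation and escaping separate is that validation decides what is stored, while escaping is chosen by where the value is rendered: the same username would need a different escaper for a JavaScript string or a URL, which is why a framework's output helpers are worth using rather than escaping once on input.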
A: 

I suggest you check out ESAPI: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=PHP

It is not a framework per se, but does contain a lot of tools for the problems Pascal mentions.

oreoshake
+3  A: 

There are a lot of things to consider when dealing with security in an application. As Pascal said, it is a good idea to use a popular framework that has had a number of people looking at it.

I see a few areas of concern in regards to CakePHP.

The first issue is the end user. You should expect someone to do something foolish on every page you build. Some examples of this are:

  • A person clicking the submit button rapidly over and over. This may skew or mess up your system in a way if you're not careful. The solution for this is not based on the framework, but rather your coding methodology and testing.
  • SQL Injection and other bad things. Any field on a page can be potentially abused, therefore every form element must be sanitized. CakePHP has simple methods to take care of these security issues. http://book.cakephp.org/view/153/Data-Sanitization
  • Clean URLs are very important. You should never design a system that allows a user to access integer primary keys directly. For instance, if you have a site that has /show_user/2098 then someone can simply type in show_user/2097 to see someone else's account. CakePHP allows you to incorporate slugs or UUIDs quite easily, to prevent this from happening.

Second, you must be concerned with attacks dealing with the code and permissions itself. For example:

  • Never use eval() or system() in your code from data that may come from the end user. There have been applications in the past written in Perl that have been hijacked because of this issue.
  • The folder structure and permissions are important in regards to security. Users should never have access to get into a writable directory. With CakePHP the folder structure is designed so that you can point Apache directly to app/webroot. This means the tmp directory is outside of the Apache path, making the system a bit more secure.

Third, you should be concerned with the protection of your administration pages and who has permissions to access what.

  • CakePHP has an Auth and an Acl component that allows you to choose what users get access to which pages. This makes use of custom Cake Sessions which can be stored in a database, by using PHP or written to the file system.

I would suggest reading up on some of the important components and being sure you set them up properly, to ensure you have built an application without security flaws. Take a look at some of these elements as you research further: http://book.cakephp.org/view/170/Core-Components

Dooltaz
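Two of the end-user concerns from the answer above in plain PHP, as an added example that is not part of Dooltaz's answer and not CakePHP code: the /show_user/<id> lookup with an opaque UUID instead of a sequential integer, and a single-use form token so a rapidly repeated submit is processed only once. It goes one step beyond the answer by pairing the UUID with an explicit ownership check, since the random id only makes guessing hard while the check is what enforces access. The user table, the session array and the viewer identities are constructed for the demonstration.

```php
<?php
// Added example, not code from the answer or from CakePHP. The user table, the session array
// and the viewer identities are constructed for the demonstration.
declare(strict_types=1);

/** Random version-4 UUID: no sequence for a user to count up or down from. */
function uuidV4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version nibble = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant bits
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

/**
 * /show_user/<uuid>: look the profile up, then decide whether the viewer may see it.
 * Returns the record, or null for both "no such user" and "not yours", so the response
 * does not reveal which ids exist.
 */
function showUser(array $users, string $requested, string $viewer, bool $viewerIsAdmin): ?array
{
    // Reject anything that is not a well-formed v4 UUID before touching the data.
    if (!preg_match('/\A[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\z/', $requested)) {
        return null;
    }
    $user = $users[$requested] ?? null;
    if ($user === null) {
        return null;
    }
    // The opaque id makes guessing hard; this check is what actually enforces access.
    if (!$viewerIsAdmin && !hash_equals($viewer, $requested)) {
        return null;
    }
    return $user;
}

/** Issue a single-use token for a form and remember it server-side. */
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_tokens'][$token] = true;
    return $token;
}

/** Consume a token: true the first time, false for every repeat of the same submission. */
function consumeFormToken(array &$session, string $token): bool
{
    if (!isset($session['form_tokens'][$token])) {
        return false;
    }
    unset($session['form_tokens'][$token]);
    return true;
}

// --- constructed data ---
$alice = uuidV4();
$bob   = uuidV4();
$users = [
    $alice => ['name' => 'alice', 'email' => 'alice@example.com'],
    $bob   => ['name' => 'bob',   'email' => 'bob@example.com'],
];

$checks = [
    'alice sees her own profile'         => showUser($users, $alice, $alice, false) !== null,
    'alice is refused bob\'s profile'     => showUser($users, $bob, $alice, false) === null,
    'an admin may view bob\'s profile'    => showUser($users, $bob, $alice, true) !== null,
    'an integer-style guess is rejected' => showUser($users, '2097', $alice, false) === null,
];

$session = [];
$token = issueFormToken($session);
$checks['first submit is processed']      = consumeFormToken($session, $token);
$checks['rapid second submit is ignored'] = !consumeFormToken($session, $token);

foreach ($checks as $name => $passed) {
    printf("%-36s %s\n", $name, $passed ? 'ok' : 'FAIL');
}
```

In a real application `$session` is `$_SESSION` (or, as the answer notes, a CakePHP session stored in the database) and `$viewer` comes from the authenticated session, never from the request. Returning null for both the missing and the forbidden case is deliberate: a distinct "exists but not yours" response would let someone confirm which ids are valid even when they cannot read them.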