Security Features

Security Best Practices

The framework includes several security features to protect your application:

SQL Injection Protection

Always pass user input to the database as a bound parameter of a prepared statement; never build the SQL text by interpolating the value into the string:

// Good - uses prepared statements
$sql = "SELECT * FROM users WHERE email = :email";
$user = $this->query($sql, ['email' => $email])->fetch();

// Bad - $email becomes part of the SQL text, so a value such as ' OR '1'='1 rewrites the query
$sql = "SELECT * FROM users WHERE email = '$email'";  // DON'T DO THIS!
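The two queries above side by side, run against an in-memory SQLite database so the effect of a hostile input is visible. This is an added example using PDO directly, not the framework's own code; the framework's `$this->query()` helper is assumed to wrap a PDO prepared statement in the same way.

```php
<?php
// Added example (not the framework's code): string interpolation versus a bound
// parameter, run against constructed data in an in-memory SQLite database.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (email, name) VALUES ('alice@example.com', 'Alice'), ('bob@example.com', 'Bob')");

// Hostile input: closes the quoted literal and appends an always-true condition.
$email = "' OR '1'='1";

// Bad: interpolation. The attacker's quote characters are parsed as SQL syntax,
// so the WHERE clause becomes: email = '' OR '1'='1'
$sql = "SELECT name FROM users WHERE email = '$email'";
$leaked = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo 'interpolated: ' . implode(', ', $leaked) . "\n";   // every user is returned

// Good: a named placeholder. The value is sent as data and is never parsed as SQL,
// so the lookup matches only a row whose email literally equals the payload.
$stmt = $pdo->prepare('SELECT name FROM users WHERE email = :email');
$stmt->execute(['email' => $email]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo 'bound: ' . ($rows === [] ? '(no match)' : implode(', ', $rows)) . "\n";
```

Binding protects values only. Table names, column names and `ORDER BY` directions cannot be bound; if those come from the request, map them through an allow-list of known identifiers before they touch the query string.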

XSS Protection

The template engine HTML-escapes everything printed with {{ }}. The {!! !!} form prints the value unescaped, so it must only receive markup the application generated itself, never a user-supplied string:

<!-- Escaped (safe): <, >, &, " and ' become HTML entities -->
{{ $user->name }}

<!-- Raw HTML (use with caution): nothing is escaped -->
{!! $trustedHtml !!}
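What the escaping behind {{ }} has to do, and where it is the wrong tool, as an added example that is not the template engine's implementation. The `e()` helper is assumed to behave like {{ }} for HTML text and quoted attributes; `js()` is a separate helper for data placed inside an inline script, a context {{ }} is not designed for.

```php
<?php
// Added example (not the template engine's code): context-aware output escaping.
declare(strict_types=1);

/** Escape for HTML text content and for quoted attribute values (assumed equivalent of {{ }}). */
function e(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside both
    // "..." and '...' attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string, which would silently drop the input.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode a value for embedding inside an inline <script> block. */
function js(mixed $value): string
{
    // The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
    // payload can neither close the </script> element nor break out of a string.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed hostile "user name": a tag, an attribute break-out and a script terminator.
$name = '<img src=x onerror=alert(1)>" onmouseover="alert(2)</script>';

// Equivalent of {{ $user->name }} in text and attribute context.
echo '<p>Hello, ' . e($name) . "</p>\n";
echo '<input value="' . e($name) . "\">\n";

// Inline script context: HTML escaping is not enough here, JSON-encode instead.
echo '<script>var user = ' . js($name) . ";</script>\n";

// Equivalent of {!! $trustedHtml !!}: printed verbatim. Only markup built by the
// application belongs here.
$trustedHtml = '<strong>Welcome back</strong>';
echo $trustedHtml . "\n";
```

Escaping is per context: a value that is safe as HTML text is not automatically safe inside a `href`, a `style` block or an inline event handler. Keep user data out of those contexts, or validate it against a strict allow-list before printing it.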

CSRF Protection

A CSRF token is required on every POST request; include it in each form with csrf_field(), which emits the token as a hidden field:

<form method="POST">
    @php echo csrf_field(); @endphp
    <!-- form fields -->
</form>
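The synchronizer-token pattern a helper like csrf_field() implements, as an added example. This is not the framework's implementation: the `_token` session key and field name, and the use of a plain array in place of `$_SESSION` and `$_POST`, are assumptions for the walk-through.

```php
<?php
// Added example (not the framework's csrf_field()): token issued into the session,
// emitted as a hidden field, and compared in constant time on each POST.
declare(strict_types=1);

const CSRF_KEY = '_token'; // assumed session key and form field name

/** Return the session's CSRF token, creating one from the CSPRNG on first use. */
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_KEY]) || !is_string($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $session[CSRF_KEY];
}

/** Hidden input carrying the token (the assumed equivalent of csrf_field()). */
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_KEY . '" value="' . $token . '">';
}

/** Verify a submitted token against the session copy. */
function csrfVerify(array $session, array $post): bool
{
    $expected = $session[CSRF_KEY] ?? null;
    $given = $post[CSRF_KEY] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false; // no token was issued, or none was submitted
    }
    // hash_equals runs in constant time, so a forged request learns nothing
    // about how many leading characters of its guess were correct.
    return hash_equals($expected, $given);
}

// Constructed walk-through: render a form, then check three kinds of POST.
$session = [];
echo "<form method=\"POST\">\n    " . csrfField($session) . "\n</form>\n";

$legit   = [CSRF_KEY => $session[CSRF_KEY], 'amount' => '10'];
$forged  = [CSRF_KEY => str_repeat('0', 64), 'amount' => '10']; // cross-site form guessing a token
$missing = ['amount' => '10'];                                   // cross-site form with no token

echo 'legit:   ' . var_export(csrfVerify($session, $legit), true) . "\n";
echo 'forged:  ' . var_export(csrfVerify($session, $forged), true) . "\n";
echo 'missing: ' . var_export(csrfVerify($session, $missing), true) . "\n";
```

Anything that changes state, whether it arrives as POST, PUT, PATCH or DELETE, should carry and validate the token; a GET handler that modifies data is itself a CSRF bug, because no token is ever attached to a plain link or image request.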

Password Security

// Hashing passwords: store only this hash, never the plaintext. The hash string
// records its own algorithm, cost and random salt.
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);

// Verifying passwords: compare the submitted password against the stored hash
if (password_verify($inputPassword, $user->password)) {
    // Password is correct
}
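The complete login-time check around password_verify(), as an added example that is not the framework's code: it rehashes when the default algorithm or cost has changed since the hash was made, and it runs a dummy verification for unknown users so that a valid and an invalid e-mail take the same time. The in-memory `$users` array stands in for the users table and is constructed for the example.

```php
<?php
// Added example (not the framework's code): verify, transparently rehash, and
// avoid leaking account existence through response time.
declare(strict_types=1);

// Constructed user store: email => ['password' => hash], as it would be at setup time.
$users = [
    'alice@example.com' => ['password' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// Hash of a throwaway value, used only to spend the same time as a real verify.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function login(array &$users, string $dummyHash, string $email, string $password): bool
{
    $stored = $users[$email]['password'] ?? null;

    if ($stored === null) {
        // Unknown user: still run the hash so timing does not reveal which
        // e-mails exist, then fail exactly as a wrong password would.
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }

    // Transparent upgrade: if PASSWORD_DEFAULT or its options changed since this
    // hash was created, rehash now while the plaintext is still in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$email]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

echo 'right password: ' . var_export(login($users, $dummyHash, 'alice@example.com', 'correct horse battery staple'), true) . "\n";
echo 'wrong password: ' . var_export(login($users, $dummyHash, 'alice@example.com', 'Tr0ub4dor&3'), true) . "\n";
echo 'unknown user:   ' . var_export(login($users, $dummyHash, 'mallory@example.com', 'anything'), true) . "\n";
```

Return the same error message for "unknown user" and "wrong password"; the dummy verification only helps if the visible response is identical too. Note that PASSWORD_DEFAULT currently selects bcrypt, which uses at most the first 72 bytes of the password.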

Session Security

Sessions are configured with secure settings: