Skip to content
/ PHP-AIO-Security-Class Public
forked from marcocesarato/PHP-AIO-Security

The objective of this class is offer an automatic system of protection for developers's projects and simplify some security operations as the check of CSRF or XSS all in a simple class. Infact you could just call the main method to have better security yet without too much complicated operations.

0 stars 14 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

khalidJA/PHP-AIO-Security-Class

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

71 Commits
Demo
Demo
 
 
Screenshots
Screenshots
 
 
.htaccess
.htaccess
 
 
README.md
README.md
 
 
security.class.php
security.class.php
 
 

Repository files navigation

PHP AIO Security Class

Version 0.2.1

IF YOU USE ON YOUR PROJECT SOME OF THESE METHODS PLEASE TO CREDIT ME :) THANK YOU!

This is a security class in php with some userful and automatic static methods.

The objective of this class is offer an automatic system of protection for developers's projects and simplify some security operations as the check of CSRF or XSS all in a simple class. Infact you could just call the main method to have better security yet without too much complicated operations.

Instructions

1-0 - Move .htaccess on your ROOT directory

1-1 - Move the class on directory and config the class if you need it.

These are the options:

// Config
$basedir = __DIR__; // Project basedir where is located .htaccess
$session_name = "XSESSID";
$session_lifetime = 288000; // 8 hours
$session_regenerate_id = false;
$csrf_session = "_CSRFTOKEN";
$csrf_formtoken = "_FORMTOKEN";
$hijacking_salt = "_SALT";
$headers_cache_days = 30; // Cache on NO HTML response (set 0 to disable)
$escape_string = true; // If you use PDO I recommend to set this to false
$scanner_path = "./*.php"; // Folder to scan at start and optionally the file extension
$scanner_whitelist = array('./shell.php','./libs'); // Example of scan whitelist
// Autostart
$auto_session_manager = true; // Run session at start
$auto_scanner = false; // Could have a bad performance impact (anyway you can try)
$auto_block_tor = true; // If you want block TOR clients
$auto_clean_global = false; // Global clean at start

PS: You can always change the configuration as following for each parameters or simply editing the var if you need only static var:

Security::$session_name = "MYSESSID"

1-2 - Include the class

include 'classes/security.class.php';

2 - Just create a new object to be more at safe (the constructor/putInSafety filter $_REQUEST and $_GET globals, add some userfull headers for security, check if there is an Hijacking and check the URL Request)

$isAPI = false; // default is FALSE (this remove some check that could block API request)
$security = new Security($isAPI);

or just call

$isAPI = false; // default is FALSE
Security::putInSafety($isAPI);

NOTES:

1 You can also call only the methods that you need instead this method

2 Constructor and putInSafety are the same thing

3 These methods call session_start then don't use it before/after

4 global $_POST is not filtered. If you want it I could add this if someone will request this feature. Anyway if you want filter it write $_POST = Security::clean($_POST);

3 - Prevent XSS/SQL Injection on your variables with:

$is_html = true;        // deafult is TRUE
$have_quotes = true;    // deafult is TRUE
$escape_string = true;  // deafult is TRUE except if you set FALSE in class config
$var = Security::clean($_POST['var'], $is_html, $have_quotes, $escape_string);
echo $var;

or

Security::cleanGlobals();

PS: THIS COULD COMPROMISE DATA IF YOU SEND HTML WITH INLINE JAVASCRIPT

send with htmlentities could be a solution if you want inline js and clean globals at the same time

4 - Use output method to filter your output (it also check for CSRF)

ob_start()
    
// ... Your code ...
    
$output = Security::output(ob_get_clean());
echo = $output;

Enjoy!

Methods available:

Generic Methods

Method Params Return Description
__construct / putInSafety $isAPI = false Void Call some methods:

headers $isAPI
secureSession $isAPI
secureFormRequest $isAPI
secureBots
secureRequest
secureBlockTor
secureHijacking
secureCookies
secureCSRF - Void Check for CSRF
secureCSRFToken - String Get CSRF Token
secureRequest - Void Enable the WAF (Firewall) then check the request method and the URL to prevent some XSS/SQL Injections and bad requests
secureFormRequest $isAPI = false Void Check if the form origin come from the same website
secureSession - Void Set custom session name for prevent fast identification of php and add some secure param to session cookie. PS: This method call session_start
headers $isAPI = false Void Set some secure headers (to prevent some XSS, Clickjacking and others bad requests) and secure php setting
headersCache Void Set cache headers
secureCookies - Void Set some secure paramenter on cookies (autoencryption soon...)
secureDOS - Void Block clients that do too much requests (after 10 requests within 1.5 seconds consecutive detect a DOS attemp, the first 4 times the client must wait 10 seconds after that its ip will be banned from the server)
secureBlockBots - Void Block some generic bad bots/crawler/spiders
secureBlockTor - Void Block TOR clients
secureHijacking - Void Prevent Hijacking and delete session

Cleaning Methods

Method Params Return Description
clean $data, $html = true, $quotes = true Mixed Clean value form XSS, SQL Injection etc… recursively
cleanGlobals - Void Clean all input global vars ($_REQUEST,$_POST,$_GET,$_COOKIE)
THIS COULD COMPROMISE DATA IF YOU SEND HTML WITH INLINE JAVASCRIPT
cleanXSS $data Mixed Clean value from XSS recursively
stringEscape $data Mixed Clean from SQL Injection (similar at mysql_real_escape) recursively
stripTags $data Mixed Strip tags recursively
stripTagsContent $data, $tags = '', $invert = false Mixed Strip tags and contents recursively
trim $data Mixed Trim recursively
stripslashes $data Mixed Strip slashes recursively

Output Methods

Method Params Return Description
output $buffer String Put in safety HTML if is HTML, compress HTML if is HTML, check for CSRF and add cache headers if isn't HTML (usually used with ob_start)
secureHTML $buffer String Put in safety some html elements on output buffer and add automatically the CSRF token
compressHTML $html String Compression of HTML
compressJS $js String Compression of JS
compressCSS $css String Compression of CSS

Utility Methods

Method Params Return Description
crypt (encrypt|decrypt), $string String Encrypt and decrypt strings
getCookie $name String Get decrypted cookie
setCookie $name, $value, $expires = 2592000, $path = "/", $domain = null, $secure = false, $httponly = true Boolean Set encrypted cookie
unsetCookie $name String Unset a cookie
clientIP - String Get real client IP address
clientIsTor - Boolean Check if client use TOR
secureDownload $filename Void Secure headers for download request
secureUpload $file, $path Boolean File upload with scan
secureScan $path Void Scan files in directory recursively and rename bad files if detected
secureScanFile $filepath Boolean Scan file (detect for shell or php code infected)
secureScanPath $path Array Scan files in directory recursively (detect for shell or php code infected)

About

The objective of this class is offer an automatic system of protection for developers's projects and simplify some security operations as the check of CSRF or XSS all in a simple class. Infact you could just call the main method to have better security yet without too much complicated operations.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • PHP 100.0%