The Slim Framework support forum has moved to http://discourse.slimframework.com. This Tender forum is no longer maintained or monitored.

Can we do like XSS and SQL injection protection with Slim?


wardprogrammer

11 May, 2012 04:37 PM

Can we do like XSS and SQL injection protection with Slim?

  1. Posted by Andrew Smith (Support Staff) on 11 May, 2012 05:30 PM

    Slim is database agnostic, you can do what you like with your database layer. Slim doesn't force you to use specific database libraries or drivers.

  2. Posted by wardprogrammer on 11 May, 2012 06:35 PM

    Thanks Andrew! It's clear to me, but as I am new to Slim, I also want to know how to make a secure form to perform CRUD with a MySQL database. I came to know we can use the Twig template. Will that take care of SQL injection, XSS and CSRF attacks?

    I appreciate your help.

    Thanks,

  3. Posted by Mikhail Osher on 12 May, 2012 12:42 PM

    XSS/CSRF attacks are based on application logic.

    If you are displaying raw user content - you may be XSS'ed.
    If you are displaying escaped user content - you can't be XSS'ed.

    Same with tokens in CSRF.

  4. Posted by Josh Lockhart (Support Staff) on 12 May, 2012 02:16 PM

    @Amit

    SQL Injection

    SQL injection is solved by your ORM. For example, if you are using PDO (or a library that uses PDO), you'll want to use bound parameters... this will protect you from SQL injection. As Andrew said above, Slim is database agnostic and does not provide a built in ORM; instead, you are encouraged to use a third-party lib of your choosing.

    XSS

    As @Mikhail said above, if you display raw user input, you can be XSS'ed. You'll want to make sure you escape user input. This is solved by your templating framework. Slim's default View does not provide escaping for you. I strongly encourage you to use Twig, Smarty, or another third-party templating framework with your Slim application. Twig, for example, auto-escapes user input automatically and will protect you from XSS attacks.

    CSRF

    In most cases, you'll generate a unique token for each request and store it in the user's session. You would then submit this token value with a form submission (e.g. as a hidden field value); the submitted token would be compared to the existing session token when the request is received by your application. If the tokens match, you can assume the request is from your own application. If the tokens do not match, the request is likely from a third-party domain and should be ignored.

    Slim does not provide CSRF protection yet, but this is an ideal candidate for custom middleware. If someone would like to write this middleware, I would be happy to add it to the Slim-Extras repo.

    Best,
    Josh
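The three protections Josh describes above, as an added PHP example that is not part of this thread or of the Slim project: a PDO query with bound parameters, an output-escaping helper for a view that does not auto-escape, and a CSRF token check written as middleware. It assumes PHP 7 or later (for random_bytes and hash_equals) and the \Slim\Middleware base class and request/halt methods of Slim 2.x, which post-dates this discussion; the users table, its columns and the csrf_token field name are made up for the example. Unlike the per-request token in the answer, this version keeps one token per session, which is simpler and also survives a user opening several tabs.

```php
<?php
// Added example, not code from the thread or the Slim project.
// Assumes PHP 7+ and Slim 2.x (\Slim\Middleware, $app->request(), $app->halt()).
// Table "users", its columns and the "csrf_token" field are constructed for this example.

// --- SQL injection: keep SQL text fixed, pass user data as bound parameters ---
function findUserByEmail(PDO $pdo, string $email): ?array
{
    // The statement text never contains user input; $email is sent to the
    // driver separately, so it cannot be parsed as SQL no matter what it holds.
    $stmt = $pdo->prepare('SELECT id, email, display_name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- XSS: escape at output time, for the context the value lands in (HTML) ---
function e(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the value is safe inside
    // single-quoted attributes; the explicit charset prevents multibyte
    // sequences from being mis-decoded. Twig's autoescape does the equivalent.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- CSRF: token bound to the session, checked on every state-changing request ---
function csrfToken(): string
{
    // Generated once per session from a CSPRNG; reused by every form the user renders.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time, so the check leaks nothing
    // about how many leading bytes of a guess were correct.
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// Middleware in the Slim 2.x style: runs before the route and rejects
// POST/PUT/DELETE/PATCH requests whose token does not match the session.
class CsrfMiddleware extends \Slim\Middleware
{
    public function call()
    {
        $app = $this->app;
        $method = $app->request()->getMethod();
        if (in_array($method, ['POST', 'PUT', 'DELETE', 'PATCH'], true)) {
            $submitted = $app->request()->post('csrf_token');
            if (!csrfValid($submitted)) {
                // Stop here; the route handler never runs for a forged request.
                $app->halt(403, 'Invalid CSRF token');
            }
        }
        $this->next->call();
    }
}

// Wiring and a form, as they would appear in an application:
//   session_start();
//   $app = new \Slim\Slim();
//   $app->add(new CsrfMiddleware());
//
//   <form method="post" action="/users">
//     <input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">
//     <input type="text" name="email" value="<?= e($email) ?>">
//   </form>
```

GET requests are deliberately left unchecked because they should not change state; if a route does modify data on GET, the token check cannot protect it, so the fix is to move that action to POST. The escaping helper is only needed with Slim's plain PHP view; with Twig, echoing csrfToken() through a template variable is escaped automatically.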

  5. Posted by wardprogrammer on 14 May, 2012 01:20 PM

    Hi Josh!

    Thank you very much for the detailed information. I am glad to know all that. I understand XSS and CSRF protection will be taken care of by Twig. Do you think on the Slim Framework or any other website I should be able to see an example with all these features? Or maybe just an ORM implementation for an SQL injection protection demo.

    I think if someone can create a Security Suite with all these features, it will be a great asset for the Slim framework.

    Thanks again for your time.

    With regards,
    Amit

  6. Andrew Smith closed this discussion on 04 Oct, 2012 04:22 PM.
